Connection not secure on CentOS 6


#1

Hello,
I’ve been trying to set up an SSL certificate for my website with Certbot, but for some reason I keep getting prompted with the “connection not secure” screen before accessing the site, and there’s a little warning icon in the URL bar that indicates it as well.

I ran certbot-auto --apache and was prompted to enter my domain, so I used imperium-roleplay.tk and www.imperium-roleplay.tk
It seems to have worked (eventually I got a Congratulations message) and I can see the certs in certbot-auto certificates.

This is what I get by testing the SSL via whynopadlocks:
Self Signed Certificate

Your SSL certificate appears to be self signed.
Browsers will display an error whenever someone attempts to visit your site.

Domain Matching

Your SSL certificate does not match your domain name!
Protected Domains:

  • No Domains Listed

I’m a real noob when it comes to certificates so I’d love some help :slight_smile:
(I’m using CentOS 6)


#2

Hi @xCaptainNutz

you have created two certificates

https://crt.sh/?q=imperium-roleplay.tk (two pre- and two leaf certificates).

Did you restart your server?


#3

@JuergenAuer
Do you mean a reboot, or are you talking about restarting the Apache service? (I restarted Apache, not the whole server.)

Sorry for the noobish question, but by pre- do you refer to the www. prefix?
I assume I needed to create one for each? Thing is, when I used certbot-auto certificates it seems like there was only one; I probably messed something up when I tried fixing it…


#4

Restarting (or reloading) is enough.

One certificate produces two entries - a pre-certificate and a leaf certificate. You can ignore the pre-certificates.

But now I see:

This https://crt.sh/?id=1027038629 is your correct certificate. Because it has two domain names:

X509v3 Subject Alternative Name:
DNS:imperium-roleplay.tk
DNS:www.imperium-roleplay.tk

Your other https://crt.sh/?id=1027061089 - has only one domain name:

X509v3 Subject Alternative Name:
DNS:imperium-roleplay.tk

So you can’t use this certificate with www.


#5

@JuergenAuer Assuming I delete the 2nd certificate, will the problem be fixed? Because when I try accessing the site via https://imperium-roleplay.tk it still shows as if it’s not secure.

How do I delete the cert?

Edit: I deleted the cert, but on that site you provided me with it seems like there are still 4 certs…
Here’s the output of certbot-auto certificates:

[root@vps625821 ~]# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: imperium-roleplay.tk
Domains: imperium-roleplay.tk www.imperium-roleplay.tk
Expiry Date: 2019-03-13 17:54:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/imperium-roleplay.tk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/imperium-roleplay.tk/privkey.pem



#6

Hi,

Could you try to check your Apache virtual hosts and see what certificate the Apache is using for your SSL host?

Thank you!


#7

@stevenzhu
Hmm where can I see that?

and I tried deleting all of my certificates and installing new ones by using certbot-auto delete, and for some reason when I try to create new ones I get this error:

Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

I’m so confused right now :confused:

EDIT:

Got this output when I used apachectl -t -D DUMP_VHOSTS

VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server www.imperium-roleplay.tk (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost www.imperium-roleplay.tk (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK


#8

To deal with this particular problem, you can create /etc/httpd/conf.d/default.conf with the contents:

<VirtualHost *:80>
  ServerName imperium-roleplay.tk
  ServerAlias www.imperium-roleplay.tk
  Redirect permanent / https://www.imperium-roleplay.tk/
</VirtualHost>

and try run Certbot again.


#9

Thank you.
I managed to install the certificates back, but the website still shows as if they’re not secure (there are only 2 certificates now, as there should be)…

What could be the problem? What am I missing here?


#10

Could you run this again please:

apachectl -t -D DUMP_VHOSTS

What I think is happening is that there is probably a duplication of HTTPS VirtualHosts for www.imperium-roleplay.tk (one in ssl.conf, and one in a file that Certbot creates).


#11

@_az
This is the output:
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:80 imperium-roleplay.tk (/etc/httpd/conf.d/default.conf:1)
*:443 is a NameVirtualHost
default server www.imperium-roleplay.tk (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost www.imperium-roleplay.tk (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK


#12

That surprises me. I’m not sure wtf is happening on your server.

How about this:

grep -REi "(sslcertificatefile|sslcertificatekeyfile)" /etc/httpd/

#13

Binary file /etc/httpd/modules/mod_ssl.so matches
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf.1:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf.1:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf.1:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf.1:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/imperium-roleplay.tk/cert.pem
/etc/httpd/conf.d/default-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/imperium-roleplay.tk/privkey.pem


#14

:man_shrugging: I’m not sure what to make of it. Maybe it’s all weird because you’re running on an old version of Apache (2.2) ? Maybe @bmw can advise on what’s happening?

You could potentially just:

  • Replace /etc/pki/tls/certs/localhost.crt -> /etc/letsencrypt/live/imperium-roleplay.tk/cert.pem
  • Replace /etc/pki/tls/private/localhost.key -> /etc/letsencrypt/live/imperium-roleplay.tk/privkey.pem
  • Add SSLCertificateChainFile /etc/letsencrypt/live/imperium-roleplay.tk/chain.pem to your ssl.conf VirtualHost

and call it a day, and auto-renew should just work.

But it’s probably not the ideal way for Certbot to be used.
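
The checks behind the two findings in post #1 (a self-signed certificate, no protected domains) and the ssl.conf rewrite suggested in post #14, as an added example that is not part of the thread and not Certbot’s own code. It assumes the openssl command-line tool and awk, and uses the /etc/letsencrypt/live/imperium-roleplay.tk path from the certbot-auto certificates output in post #5. Run it against a copy of ssl.conf first. On Apache 2.2 (CentOS 6) the intermediate goes in SSLCertificateChainFile as the post says; Apache 2.4.8 and later would instead take fullchain.pem in SSLCertificateFile.

```shell
#!/bin/sh
# Added example, not from the thread or from Certbot. Offline checks for
# "self-signed" and "no protected domains", plus the ssl.conf rewrite from
# post #14. Assumes the openssl CLI and awk; the live/<name> directory is
# whatever `certbot-auto certificates` printed for your certificate.

# Subject, issuer and SAN list of a PEM certificate.
cert_info() {
  openssl x509 -in "$1" -noout -subject -issuer
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^[[:space:]]*//'
}

# Exit status 0 if issuer DN == subject DN, i.e. the certificate is
# self-signed (what the stock /etc/pki/tls/certs/localhost.crt looks like).
cert_is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^[^=]*=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^[^=]*=//')
  [ "$subj" = "$iss" ]
}

# Exit status 0 if NAME is listed exactly as a DNS SAN entry. Browsers match
# names against the SAN list, not the CN, and the comparison must be exact
# ("DNS:example.tk" must not match "example.tk.evil").
cert_covers_name() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qx "DNS:$2"
}

# Rewrite an Apache 2.2 ssl.conf ($1) so SSLCertificateFile/KeyFile point at
# Certbot's files under $2, with the chain in SSLCertificateChainFile.
# Commented-out directives are left alone; any old ChainFile line is dropped.
# Output goes to stdout: review it, back up the original, then `apachectl -t`
# and reload httpd.
point_ssl_conf_at_certbot() {
  awk -v live="$2" '
    /^[ \t]*SSLCertificateFile[ \t]/ {
      print "SSLCertificateFile " live "/cert.pem"; next }
    /^[ \t]*SSLCertificateKeyFile[ \t]/ {
      print "SSLCertificateKeyFile " live "/privkey.pem"
      print "SSLCertificateChainFile " live "/chain.pem"; next }
    /^[ \t]*SSLCertificateChainFile[ \t]/ { next }
    { print }
  ' "$1"
}

# Usage: sh check_cert.sh /etc/pki/tls/certs/localhost.crt imperium-roleplay.tk
if [ $# -eq 2 ]; then
  cert_info "$1"
  if cert_is_self_signed "$1"; then echo "self-signed: yes"; else echo "self-signed: no"; fi
  if cert_covers_name "$1" "$2"; then echo "covers $2: yes"; else echo "covers $2: no"; fi
fi
```

Running the check against the file named in ssl.conf (localhost.crt) reproduces both whynopadlock findings, because that file is the distribution’s self-signed placeholder with no SAN; running it against /etc/letsencrypt/live/imperium-roleplay.tk/cert.pem shows the two DNS entries from post #4. After replacing ssl.conf with the rewritten output and reloading, repeat the check against whatever file the SSLCertificateFile line now names.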


#15

Problem is not with the auto renew. It’s that the website displays as not secure and also prompts for Chrome’s bad idea page before accessing the site.


#16

I understand, but this would fix that problem too.


#17

It’s always a bad idea to delete active and valid certificates. There is a rate limit, so if you delete certificates, you may have to wait one week.

And CT logs are append-only; you can’t delete entries there.


#18

So I should simply replace the localhost key files with imperium-roleplay’s?


#19

Sorry, I meant to replace the references in your config files (as shown in the grep results).


#20

Assuming I replace the references as @_az said, within a week the certificate should work properly and the site will be shown as secure?

Is there a way to override the wait time?