Error after changing the certificate


#1

Hello, I have my page working already with an Xpress SSL certificate. All I did was buy a wildcard certificate, download its files and replace the ones from the Xpress one with these ones. Any idea why this happens? Thanks in advance

My domain is: docuswat.swat.us.com

I ran this command: systemctl httpd restart

It produced this output: [Thu Oct 11 14:08:50.294363 2018] [ssl:error] [pid 28615] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=support.tce@swat.com.mx,CN=SWAT-KAN-DOCU01,O=SWAT Consulting Services,L=Default City,C=CR / issuer: emailAddress=support.tce@swat.com.mx,CN=SWAT-KAN-DOCU01,O=SWAT Consulting Services,L=Default City,C=CR / serial: 9B723B50D40F55A2 / notbefore: Aug 16 20:26:29 2018 GMT / notafter: Aug 16 20:26:29 2019 GMT]
[Thu Oct 11 14:08:50.294373 2018] [ssl:error] [pid 28615] AH02235: Unable to configure server certificate for stapling

My web server is (include version): apache/2.4.6

The operating system my web server runs on is (include version): CentOS 7-5.1804

My hosting provider, if applicable, is: Network Solutions

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Hi,

Could you please double check that you installed the correct certificate?

The stapling error reported a (seemingly) self-signed certificate.

More information:
The wildcard certificate from the Network Solutions OV CA was issued on Oct 10 2018, whereas the certificate Apache is rejecting was issued on Aug 16 2018.

Also, do you know that Let's Encrypt offers free wildcard certificates?

Thank you


#3

Hello, thank you for the reply,
Didn't know about the free wildcard certificates from here; thanks for sharing, I'll tell that to my boss for sure. But continuing with my actual issue, I think I might be missing something then: all I changed was the vhosts config to reference the new certificate files, but this server's SSL was previously configured by a colleague who is not here anymore.


#4

Hi,

Could you please try to run this command to check the virtual host configurations?
apachectl -S

Since the above command will only print a virtual host overview, you might need to dive into each virtual host section to check which one uses that self-signed certificate. (That is the error: Apache is trying to do stapling with a self-signed certificate, and it doesn't seem to have the issuer certificate in the trust store.)

Thank you


#5

After running the command you are telling me I get this output:

[Thu Oct 11 16:46:29.396784 2018] [so:warn] [pid 28902] AH01574: module rewrite_module is already loaded, skipping
VirtualHost configuration:
*:8084 SWAT-KAN-DOCU01.swat.local (/etc/httpd/conf/httpd.conf:148)
*:8083 SWAT-KAN-DOCU01.swat.local (/etc/httpd/conf/httpd.conf:157)
*:443 is a NameVirtualHost
default server kanboard.swat.local (/etc/httpd/conf/httpd.conf:100)
port 443 namevhost kanboard.swat.local (/etc/httpd/conf/httpd.conf:100)
alias kanboard
port 443 namevhost docuswat.swat.local (/etc/httpd/conf/httpd.conf:115)
alias docuswat
port 443 namevhost swatsupport.swat.local (/etc/httpd/conf/httpd.conf:132)
alias swatsupport
port 443 namevhost kanboard.swat.us.com (/etc/httpd/conf/httpd.conf:169)
port 443 namevhost docuswat.swat.us.com (/etc/httpd/conf/httpd.conf:184)
port 443 namevhost support.swat.us.com (/etc/httpd/conf/httpd.conf:199)
port 443 namevhost swatsupport.swat.local (/etc/httpd/conf/httpd.conf:230)
port 443 namevhost SWAT-KAN-DOCU01.swat.local (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

The thing is, at first there was this self-signed certificate installed, then I tried using an Xpress certificate and it worked but gave the warning for not being a wildcard one, so I acquired this other one but don't remember the exact steps I used for changing it. So I'm not sure if I should only change the vhosts configuration or something more?


#6

Hi,

Sorry for the late reply.

Could you please share with us lines 184 ~ 198 of the file /etc/httpd/conf/httpd.conf?

Please take a careful look at the wildcard certificate path (entered in that file), since you might have pointed it to the self-signed certificate.

Thank you


#7

Hello, after getting help from a friend, we noticed that the only problem left now is that the key I have does not match this certificate, so my question is the following: do you know if I can create a new key for the certificate?


#8

Never mind, we found the key and everything works well now. Thank you very much for all the help provided, I appreciate it.
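
The two checks this thread ends up needing, as an added shell example that is not code from the thread or from the forum: whether a certificate and a private key belong together (the mismatch in #7), and whether the issuer certificate mod_ssl needs for OCSP stapling is actually present in the chain file (the AH02217 error in #1). The fixture paths, the private CA and the `*.example.test` name are constructed for the demo; the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: checks for the two failure modes
# discussed above, using only the openssl CLI. The fixtures built below are
# constructed; on a real host pass the files referenced by SSLCertificateFile,
# SSLCertificateKeyFile and SSLCertificateChainFile of the vhost instead.
set -eu

# Returns 0 when the public key embedded in the certificate equals the public
# key derived from the private key, i.e. the pair belongs together.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    k=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$c" = "$k" ]
}

# Returns 0 when the leaf's issuer can be found in the chain file. mod_ssl
# needs the issuer certificate to build the OCSP request; a self-signed leaf
# whose issuer is in no configured chain is what produces AH02217.
issuer_in_chain() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Prints subject, issuer and validity dates, so a stale certificate (like the
# Aug 16 self-signed one in the thread) can be told apart from the new one.
cert_summary() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Builds constructed fixtures in a temp dir and prints its path: a private CA,
# a wildcard leaf signed by it, and an unrelated self-signed cert/key pair.
make_fixtures() {
    d=$(mktemp -d)
    openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" -days 2 >/dev/null 2>&1
    openssl req -nodes -newkey rsa:2048 -subj "/CN=*.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/leaf.crt" -days 1 >/dev/null 2>&1
    openssl req -x509 -nodes -newkey rsa:2048 -subj "/CN=old-self-signed" \
        -keyout "$d/old.key" -out "$d/old.crt" -days 1 >/dev/null 2>&1
    echo "$d"
}
```

Run `cert_matches_key` against the cert and key a vhost references and `issuer_in_chain` against that cert and its chain file; a non-zero exit from either is the condition the thread's two errors describe.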


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.