To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
Hello,
The certificate is generated thank you very much Osiris, however to install it I created a new virtualhost by copying the one that exists by default “default-ssl” and I modified it like this:
yes, It’s not green, It’s yellow, I checked that site and I don’t understand this:
SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: certificate common name ‘FortiWEB’ doesn’t match requested host name ‘elearning.univ-bejaia.dz’
When I run this command certbot-auto certificates I get the followings:
Found the following certs:
Certificate Name: elearning.univ-bejaia.dz
Domains: elearning.univ-bejaia.dz
Expiry Date: 2017-06-26 10:34:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/elearning.univ-bejaia.dz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/elearning.univ-bejaia.dz/privkey.pem
Why certificate common name ‘FortiWEB’ ?
I didn’t use fullchain.pem because my apache web server is < 2.4.8 (found in the documentation)
You said you created a new virtualhost in default-ssl.conf. Perhaps the newly created virtualhost isn't correct or there is another HTTPS virtualhost in another enabled configuration file.
It definitely does need to be in the appropriate virtual host. Another thing to check, just because Fortinet is a firewall manufacturer, is that there is no firewall that forbids or tries to intercept incoming HTTPS connections to this host.
I tried the site https://whynopadlock.com with another web site wich is hosted in another server and doesn’t use a certificate (neither from let’s encrypt nor from another CA) only the default self-signed certificate in debian. The result is that It shows me exactly the same error, which means that the virtualhost I created is not taken into account. It looks like it is the default debian self-signed certificate that is used, while I didn’t activate the default-ssl file (it isn’t in the site-enabled directory), and the virtualhost I created is enabled (it exists in the sites-enabled directory) and I created it from the default file (default-ssl).
In the sites-enabled directory, there is no other virtualhost with port 443, only the one I created witch is a copy of the default-ss file to which I made some
modifications
for the firewall as I said before, the network manager showed me the configuration of the firewall and I have seen the line: WAN to elearning.univ-bejaia.dz with both http and https enabled
I will try to understand why my virtualhost is not taken into account
The owner of 193.194.94.10 has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Learn more…
193.194.94.10 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for FortiWEB
Error code: SEC_ERROR_UNKNOWN_ISSUER
I don’t know why when I use https://www.whynopadlock.com/ It says Certificate Issuer: Fortinet Inc normally it’s let’s encrypt the issuer
I think it shows the Fortiweb certificate rather than the server certificate (LE)
I haven’'t yet asked the DNS manager to modify the http by https in the IP address and domain name mapping because
I’m waiting for the certificate to work, maybe that’s why when I use the https://www.whynopadlock.com/
site it doesn’t recognize https://elearning.univ-bejaia.dz
DNS doesn’t have a relation with the difference between HTTP or HTTPS. A hostname resolves to a certain IP address. The browser then connects to that IP address, either to TCP port 80 (HTTP) or TCP port 443 (HTTPS). DNS doesn’t have a role in the latter.
@Osiris is right. If you want to confirm that the certificate works properly before the DNS records are updated to point at your server, you could try editing your own computer’s hosts file or equivalent, which allows you to make a custom domain name mapping that’s only used by software running on your computer, and not seen by other computers, overriding what DNS is currently telling your computer. Then you can see what things will look like once the DNS records have been updated.
The certificate is generated by Let’s Encrypt, it’s ok but it’s not recognized by the browser. In my opinion the problem comes from the certificate itself, because in Intranet we don’t pass through the firewall
By Internet, when I enter the public IP address of the server, I get this:
The browser says that it is a self-signed certificate it’s as if the certificate is not certified by a CA. That’s why the certificate is not recognized by the browser
When I click the “Add Exception” buttom to see the details of the certificate, I get this :
I think it is the certificate of our firewall. I think that the problem comes from the certificate itself, so, I will try to regenerate the certificate
No, that is because you've entered an IP address in the address bar (and not a hostname) and that IP address isn't present in the certificate. As long as you don't enter a hostname present in the certificate, a browser will complain. That's the whole idea of HTTPS
Right, Let’s Encrypt certificates are never expected to be accepted if presented to a client that accessed the site directly by IP address, instead of using a domain name. The certificates only certify the association between DNS names and cryptographic keys, not between IP addresses and cryptographic keys. Thus, if you’re not using the DNS names, the certificate doesn’t offer information that the client can confirm matches the identity of the host it’s connecting to.
This might sometimes be different with some certificates from some other CAs, but our certificates’ behavior in this regard is definitely the more common behavior overall!
The DNS manager showed the DNS configuration and I saw this line
Elearning IN A x.x.x.x (my local IP address)
The DNS was already pointing to the server long before I was using Let’s Encrypt, I misunderstood, I thought we should configure the https in the
DNS, the DNS manager told me that the DNS has nothing to do with the https
Do I need to add the Let’s Encrypt certificate to the Fortiweb ?
That totally depends on the actual function of the Fortiweb firewall. Does it play an active role in terminating connections? Or is it used as a passive firewall, just letting stuff through to the one server behind it and blocking unwanted connections? Or is it also used as a load balancer between multiple webservers?
The fact a webbrowser will end up on your "E - Learning" site when accepting the Fortiweb certificate indicates, outside of the certificate issue, the Fortiweb is properly configured.. Just not for TLS.
Edit:
Ah, the FortiWeb supports "SSL offloading":
Blazing Fast SSL Offloading
FortiWeb is able to process up to tens of thousands of web transactions by providing hardware accelerated SSL offloading in most models. With near real-time decryption and encryption using ASIC-based chipsets, FortiWeb can easily detect threats that target secure applications.
That's probably the reason it presents the FortiWeb certificate. Unfortunately, I can't find a comprehensive manual for the FortiWeb, so you're on your own for that I'm afraid.
