I am using the certbot-auto option to enable SSL for my sites, however I am getting an error. Please find the details below. Request you to help me with the same:
My domain is: wbcstest02.com
I ran this command: sudo ./certbot-auto --apache certonly -d wbcstest02.com -d www.wbcstest02.com
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you’re using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
My web server is (include version): Server version: Apache/2.2.22 (Ubuntu)
The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 12.04.5 LTS
Release: 12.04
Codename: precise
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
$ dig +trace @8.8.8.8 wbcstest02.com (giving the correct output)
Need help to resolve the issue.
A connection to port 443 shows a couple of things that may be part of the problem:
SNI seems to fail, as the cert returned is the same with or without SNI.
This may indicate that the vhost config for wbcstest02.com is not bound to port 443.
[RE-EDIT] The server has no cipher preference order and allows DHE ciphers. But DHE is configured with a DH temp key of only 1024 bits, and LE may be trying to connect with a DHE cipher but is unable/unwilling to connect with such a small key.
See: SSLLabs test results
DHE is tricky to implement properly and there is no way to negotiate the DH temp key size.
If ECDHE is supported, it should be preferred via:
SSLHonorCipherOrder On
SSLCipherSuite
openssl s_client -connect wbcstest02.com:443 -servername wbcstest02.com
CONNECTED(000000FC)
depth=0 C = US, ST = Texas, L = Carrolton, O = Thomson Reuters (Tax and Accounting) Inc, CN = secure.dev-webbuildercs.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = US, ST = Texas, L = Carrolton, O = Thomson Reuters (Tax and Accounting) Inc, CN = secure.dev-webbuildercs.com
verify error:num=21:unable to verify the first certificate
verify return:1
Server did acknowledge servername extension.
---
Certificate chain
0 s:/C=US/ST=Texas/L=Carrolton/O=Thomson Reuters (Tax and Accounting) Inc/CN=secure.dev-webbuildercs.com
i:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
1 s:/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G2
i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHAjCCBeqgAwIBAgIQCmPjyq21Yw/XVx4ruHLtqzANBgkqhkiG9w0BAQsFADBE
…
0wecUoiiG2SFPOKX4czS9yhj182lbfQQJ+76pRcERXLwGLsR+LrikxapPCFzoKLY
sYj/RRdXj2wbePWLJOro5EE3F7eLog==
-----END CERTIFICATE-----
subject=/C=US/ST=Texas/L=Carrolton/O=Thomson Reuters (Tax and Accounting) Inc/CN=secure.dev-webbuildercs.com
issuer=/C=US/O=GeoTrust Inc./CN=GeoTrust SSL CA - G3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3817 bytes and written 389 bytes
Verification error: unable to verify the first certificate
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-GCM-SHA384
…
Did you run the same command and it worked?
I don't see anything as having changed... Port 443 still shows the wrong cert for "secure.dev-webbuildercs.com".
Yes, I ran the same command and it provided the cert files in .pem format. Please suggest if I have to run a different command to avoid the error. Also, is it possible to avoid the scanning of the Apache vhost configuration? I mean to say, after providing the -d option it is still asking me to choose an option from the list.
wbcsdev-sc@or-dev-01:/etc/certbot$ sudo ./certbot-auto --apache certonly -d wbcstest01.com -d www.wbcstest01.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for wbcstest01.com
tls-sni-01 challenge for www.wbcstest01.com
We were unable to find a vhost with a ServerName or Address of wbcstest01.com.
Which virtual host would you like to choose?
(note: conf files with multiple vhosts are not yet supported)
You might want to remove the “certonly” as that will not update the vhost config file.
But as it doesn’t yet know which vhost config file has the “wbcstest01.com” servername/alias, it may still need to learn that (at least once).
Try sudo ./certbot-auto certificates
to see if you actually have any certificates.
If you do, then try: sudo ./certbot-auto
(this will try to renew all known certs)
Yes, it is showing the certificate as mentioned below. We would like to modify the Apache configuration manually, as we will not be able to restart Apache until we get confirmation on the restart. We are looking at downloading the certificate, then modifying the Apache configuration manually, then restarting Apache on confirmation. Please suggest. Please find the output of sudo ./certbot-auto certificates:
OK, so you have the certs you need.
Now the question becomes: can certbot-auto run with certonly,
so that certbot doesn’t make any changes in the vhost configs?