Hi All!
Domain in question is: gallery.clubyachats.com
Server version: Apache/2.4.29 (Linux/SUSE)
OS is: openSUSE Tumbleweed (rolling release) x86_64 GNU/Linux
My hosting provider is: SELF HOSTED
I can login to a root shell on my machine… YES
I’m NOT using a control panel to manage my site, No
I have successfully installed several certificates for my domains that are now getting close to their expiration date(s).
All certificates are rated A+ at ssllabs.com EXCEPT gallery.clubyachats.com for which I have only recently requested certificates via certbot. (I left the cert and configuration in place, but removed the automatic redirect)
https://www.ssllabs.com/ssltest/analyze.html?d=gallery.clubyachats.com&latest.
For some reason gallery’s cert has a trust issue… “Issuer: CN = Fake LE Intermediate X1”
The following information should be helpful for anyone willing to help me troubleshoot whatever issue(s) exist.
I ran this command:
certbot --apache --agree-tos --hsts --staple-ocsp --must-staple -d gallery.clubyachats.com
And received this interactive output:
Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/certbot/renewal/gallery.clubyachats.com.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gallery.clubyachats.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate for gallery.clubyachats.com to VirtualHost /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf
Adding Strict-Transport-Security header to ssl vhost in /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf
Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/vhosts.d/0.gallery.clubyachats.com.conf to ssl vhost in /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf
OCSP Stapling was enabled on SSL Vhost: /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf.
Your existing certificate has been successfully renewed, and the new certificate
has been installed.
The new certificate covers the following domains:
https://gallery.clubyachats.com
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=gallery.clubyachats.com
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/certbot/live/gallery.clubyachats.com/fullchain.pem
Your key file has been saved at:
/etc/certbot/live/gallery.clubyachats.com/privkey.pem
Your cert will expire on 2018-06-11. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the “certonly” option. To non-interactively renew all of
your certificates, run “certbot renew”
===============================================================================
OpenSSL gives this output:
openssl x509 -in /etc/certbot/live/gallery.clubyachats.com/cert.pem -text | grep Issuer
Issuer: CN = Fake LE Intermediate X1
CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
openssl x509 -in /etc/certbot/live/gallery.clubyachats.com/chain.pem -text | grep Issuer
Issuer: CN = Fake LE Root X1
CA Issuers - URI:http://cert.stg-root-x1.letsencrypt.org/
===============================================================================
This is a GREAT learning experience.
Thanks in Advance!
Rip
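
Added example (not part of the original post, and not certbot's own code): the issuer name "Fake LE Intermediate X1" and the `cert.stg-` CA Issuers host in the openssl output above belong to the Let's Encrypt staging environment, which browsers and SSL Labs do not trust. The sketch below turns that manual grep into a check over every lineage in the live directory; the function names, the `(STAGING)` pattern and the second sample are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: classify a certificate by the issuer fields shown in the post.

# Reads `openssl x509 -noout -text` output on stdin and prints "staging"
# or "other". Runs in a subshell so its variable stays local.
classify_issuer() (
    text=$(cat)
    # "Fake LE" is the issuer CN from the post. "(STAGING)" is an assumption
    # covering the names used by later staging hierarchies.
    if printf '%s\n' "$text" | grep -Eq 'Issuer:.*(Fake LE|\(STAGING\))'; then
        echo staging
    # "cert.stg-" is the host prefix of the CA Issuers URIs in the post.
    elif printf '%s\n' "$text" |
        grep -Eq 'CA Issuers - URI:https?://cert\.stg-[^/]*\.letsencrypt\.org'; then
        echo staging
    else
        echo other
    fi
)

# Prints "<verdict><TAB><path>" for every lineage under a certbot live
# directory. The default is the directory used in the post.
scan_live_dir() (
    live_dir=${1:-/etc/certbot/live}
    for cert in "$live_dir"/*/cert.pem; do
        [ -e "$cert" ] || continue
        verdict=$(openssl x509 -in "$cert" -noout -text | classify_issuer)
        printf '%s\t%s\n' "$verdict" "$cert"
    done
)

# Constructed sample: the two lines the post's grep returned for cert.pem.
SAMPLE_STAGING='        Issuer: CN = Fake LE Intermediate X1
                CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/'
# Constructed sample: a non-staging issuer (placeholder names).
SAMPLE_OTHER='        Issuer: C = XX, O = Example Trust, CN = Example Issuing CA 1
                CA Issuers - URI:http://ca.example.test/issuing1.crt'

printf 'post sample:  %s\n' "$(printf '%s\n' "$SAMPLE_STAGING" | classify_issuer)"
printf 'other sample: %s\n' "$(printf '%s\n' "$SAMPLE_OTHER" | classify_issuer)"
```

On the server, calling `scan_live_dir` with no argument lists every lineage under /etc/certbot/live with its verdict, so a staging certificate deployed to a public vhost shows up before a scanner or a browser reports it.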