Firefox says site insecure - Chromium says it is secure?

Domain : sherab.duckdns.org
Server version: Apache/2.4.57 (Debian)
Linux raspberrypi 6.1.0-rpi6-rpi-v8
I can login to a root shell on my machine yes
The version of my client is: certbot 2.7.4

Yesterday site was secure - today it's not - certificate is still valid
Chromium says - site is secure - Firefox and Epiphany say it's not??

I ran this command:

root@raspberrypi:/etc/apache2/sites-available# tail -f /var/log/apache2/error.log
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Sat Nov 18 22:06:58.958181 2023] [ssl:warn] [pid 19069] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Sat Nov 18 22:06:58.964879 2023] [mpm_prefork:notice] [pid 19069] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Sat Nov 18 22:06:58.964929 2023] [core:notice] [pid 19069] AH00094: Command line: '/usr/sbin/apache2'
[Sat Nov 18 22:07:03.513065 2023] [mpm_prefork:notice] [pid 19069] AH00171: Graceful restart requested, doing restart
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
[Sat Nov 18 22:07:03.711471 2023] [ssl:warn] [pid 19069] AH01909: 127.0.1.1:443:0 server certificate does NOT include an ID which matches the server name
[Sat Nov 18 22:07:03.719156 2023] [mpm_prefork:notice] [pid 19069] AH00163: Apache/2.4.57 (Debian) OpenSSL/3.0.11 configured -- resuming normal operations
[Sat Nov 18 22:07:03.719209 2023] [core:notice] [pid 19069] AH00094: Command line: '/usr/sbin/apache2'
[Sat Nov 18 22:08:12.337949 2023] [authz_core:error] [pid 19257] [client 167.172.232.142:55554] AH01630: client denied by server configuration: /var/www/html/server-status

Here's my config file

<VirtualHost *:80>
        ServerName sherab.duckdns.org
        ProxyPass / http://localhost:5230/
        ProxyPassReverse / http://localhost:5230/

        ErrorLog ${APACHE_LOG_DIR}/sherab_error.log
        CustomLog ${APACHE_LOG_DIR}/sherab_access.log combined
</VirtualHost>
<VirtualHost *:443>
    ServerName sherab.duckdns.org

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sherab.duckdns.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sherab.duckdns.org/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sherab.duckdns.org/chain.pem

    ProxyPass / http://localhost:5230/
    ProxyPassReverse / http://localhost:5230/

    ErrorLog ${APACHE_LOG_DIR}/sherab_error.log
    CustomLog ${APACHE_LOG_DIR}/sherab_access.log combined
</VirtualHost>

This is what certbot says:

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sherab.duckdns.org.conf)

remove this line. you don't need it if you use fullchain.pem two lines above.

I think a few of the issues you see might be in your local caches. Your website looks fine. SSL Server Test: sherab.duckdns.org (Powered by Qualys SSL Labs)

4 Likes

Looks secure to me on Windows 10 with Firefox 119.0.1 (64-bit)

1 Like

Hardenize Report: sherab.duckdns.org shows there is no redirect from HTTP to HTTPS.

1 Like

Yeah, we knew that. :smiley:

3 Likes

@Bruce5051 and @9peppe
Thank you both - you're amazing
I cleared FF cache - and it still says not secure

Do these two lines in /etc/apache2/sites-available/default-ssl.conf have any significance to the issue?

SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile   /etc/ssl/private/ssl-cert-snakeoil.key

1 Like

yeah, yesterday it worked though with this command
snap/bin/certbot certonly --standalone -d sherab.duckdns.org --redirect

Did you use the URL https://sherab.duckdns.org/ ?
If you used the URL http://sherab.duckdns.org/ it is insecure.

2 Likes

ok I am a proper idiot - I am sorry to have wasted your time!!!
I just typed shreab.duckdns.org - expecting it to be naturally https
dough..... :man_facepalming:

Thank you @Bruce5051 and @9peppe

4 Likes

It happens to a lot of us; do not worry. :slight_smile:
That's the reason to have

1 Like

did you try the certbot enhance command?

I am not sure it will work if certbot didn't install the certificate automatically (it should, maybe)

The alternative is adding a 301/308 redirect by yourself.

3 Likes

I used the --redirect

so to add something like this to my sherab.duckdns.org.conf ?

<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>

no, you have to keep the url. that redirects everything to the website home.

<VirtualHost *:80>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well\-known/acme\-challenge/
    RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]
</VirtualHost>

5 Likes

That's fantastic.
Thank you for all your help

Good night

4 Likes

no it does preserve uri

https://httpd.apache.org/docs/2.4/mod/mod_alias.html#redirect

4 Likes

If I use the simpler Directive - will there be a problem when doing the renewal?

Uhm, strange. It is simpler, and it should be used if it works.

Not that I can think of.

3 Likes

It seems to work at the moment - I was about to go to sleep so I was thinking not to tempt fate with the more complex configuration...
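
The thread's open question, whether the port-80 redirect keeps the requested path and query, can be checked from outside by requesting a few paths over plain HTTP without following redirects. The following is an added example, not code from any poster; the function names and the local stub server are constructed for illustration so the check runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

def probe(host, port, path):
    """Send one plain-HTTP GET without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def redirect_problems(host, port=80, paths=("/", "/a/b?x=1")):
    """Return a list of findings; empty means every path is permanently
    redirected to the same path and query on https://<host>."""
    problems = []
    for path in paths:
        status, location = probe(host, port, path)
        expected = f"https://{host}{path}"
        if status not in (301, 308):
            problems.append(f"{path}: status {status}, expected 301 or 308")
        elif location != expected:
            problems.append(f"{path}: Location {location!r}, expected {expected!r}")
    return problems

class StubRedirector(BaseHTTPRequestHandler):
    """Constructed local stand-in for the port-80 vhost (not Apache itself)."""
    keep_path = True  # False models a redirect that sends everything to the home page

    def do_GET(self):
        host = self.headers["Host"].split(":")[0]  # drop the test port
        target = self.path if self.keep_path else "/"
        self.send_response(301)
        self.send_header("Location", f"https://{host}{target}")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def start_stub(keep_path=True):
    """Start the constructed stub on a free localhost port; return the server."""
    handler = type("Handler", (StubRedirector,), {"keep_path": keep_path})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server
```

Against the real site, `redirect_problems("sherab.duckdns.org")` run from a machine that can reach port 80 reports any path that is not redirected to its HTTPS equivalent.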
