My web server is (include version): apache 2
The operating system my web server runs on is (include version): Ubuntu 22.04
My hosting provider, if applicable, is: no
I can login to a root shell on my machine (yes or no, or I don't know): no
I'm using a control panel to manage my site (no,
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0
got this:
apachectl -S
AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/fullchain.pem' does not exist or is empty
Action '-S' failed.
sudo certbot certificates shows
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Found the following certs:
Certificate Name: ekoninfochecker.efri.uniri.hr
Serial Number: 4c6920a96979091d360c1c8ff71546f3396
Key Type: ECDSA
Domains: ekoninfochecker.efri.uniri.hr
Expiry Date: 2024-08-01 18:01:33+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/privkey.pem
SSL Checker gives ok, SSL Certificate Checker - Diagnostic Tool | DigiCert.com gives ok,
Check SSL Certificate - GeoCerts gives ok
Chrome: Your connection is not private
Attackers might be trying to steal your information from 31.147.206.21 (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID
Common Name (CN)
ekoninfochecker.efri.uniri.hr
Organization (O)
Organizational Unit (OU)
Common Name (CN)
R3
Organization (O)
Let's Encrypt
Organizational Unit (OU)
Issued On
Friday, May 3, 2024 at 8:01:34 PM
Expires On
Thursday, August 1, 2024 at 8:01:33 PM
Certificate
623282b720c2f7d0937e7e6c204cbeb174b365ee1915995353d52d9137d5f9e6
Public Key
cce991425d535f8413382d06dfc937290cd113c5051328dcb265147757522df8
Hello @dcisic , welcome to the Let's Encrypt community.
I am not sure what I am sharing directly applies,
but the site https://ekoninfochecker.efri.uniri.hr (a Domain Name)
is being redirected to https://31.147.206.21/ (an IP Address)
Let’s Encrypt offers Domain Validation (DV) certificates; and NOT IP Addresses presently.
$ curl -i https://ekoninfochecker.efri.uniri.hr
HTTP/1.1 301 Moved Permanently
Date: Sun, 05 May 2024 20:08:57 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Redirect-By: WordPress
Location: https://31.147.206.21/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
2 Likes
@dcisic also show the output of
sudo apachectl -t -D DUMP_VHOSTS
and also
sudo ls -l /etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/
2 Likes
VirtualHost configuration:
*:443 is a NameVirtualHost
default server ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ekoninfo.hrzoo (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/ekoninfochecker.efri.uniri.hr.conf:1)
*:80 ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/ekoninfochecker.efri.uniri.hr.conf:10)
-rw-r--r-- 1 root root 692 Apr 14 07:25 README
lrwxrwxrwx 1 root root 53 May 3 19:01 cert.pem -> ../../archive/ekoninfochecker.efri.uniri.hr/cert2.pem
lrwxrwxrwx 1 root root 54 May 3 19:01 chain.pem -> ../../archive/ekoninfochecker.efri.uniri.hr/chain2.pem
lrwxrwxrwx 1 root root 58 May 3 19:01 fullchain.pem -> ../../archive/ekoninfochecker.efri.uniri.hr/fullchain2.pem
lrwxrwxrwx 1 root root 56 May 3 19:01 privkey.pem -> ../../archive/ekoninfochecker.efri.uniri.hr/privkey2.pem
And now sudo ls -l /etc/letsencrypt/archive/ekoninfochecker.efri.uniri.hr/
1 Like
ekon@ekoninfo:/etc/apache2/sites-available$ sudo ls -l /etc/letsencrypt/archive/ekoninfochecker.efri.uniri.hr/
total 32
-rw-r--r-- 1 root root 1801 Apr 14 07:25 cert1.pem
-rw-r--r-- 1 root root 1529 May 3 19:01 cert2.pem
-rw-r--r-- 1 root root 1826 Apr 14 07:25 chain1.pem
-rw-r--r-- 1 root root 1826 May 3 19:01 chain2.pem
-rw-r--r-- 1 root root 3627 Apr 14 07:25 fullchain1.pem
-rw-r--r-- 1 root root 3355 May 3 19:01 fullchain2.pem
-rw------- 1 root root 1704 Apr 14 07:25 privkey1.pem
-rw------- 1 root root 241 May 3 19:01 privkey2.pem
@dcisic ,
dcisic:
apachectl -S
Was that run as root or via sudo?
This is only the public certificates and intermediates CA chain, so this is all safe to share.
Please show the output of
sudo cat /etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/fullchain.pem
1 Like
Bruce5051:
sudo cat /etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/fullchain.pem
ekon@ekoninfo:/etc/apache2/sites-available$ sudo cat /etc/letsencrypt/live/ekoninfochecker.efri.uniri.hr/fullchain.pem
With sudo now: sudo apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/ekoninfochecker.efri.uniri.hr.conf:1)
*:80 ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/ekoninfochecker.efri.uniri.hr.conf:10)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
but the certificate is still not valid in Chrome
@dcisic
So we have demonstrated
that this is not true.
Here details on Apache can be found in documentation and forums:
And at this point, kindly wait for more knowledgeable Let's Encrypt community volunteers to assist.
1 Like
Yep I see that too; for this reason
1 Like
@dcisic I suggest changing the redirect here
$ curl -i https://ekoninfochecker.efri.uniri.hr
HTTP/1.1 301 Moved Permanently
Date: Sun, 05 May 2024 22:10:17 GMT
Server: Apache/2.4.52 (Ubuntu)
X-Redirect-By: WordPress
Location: https://31.147.206.21/
Content-Length: 0
Content-Type: text/html; charset=UTF-8
The Location: https://31.147.206.21/ to use the domain name of the server at the IPv4 Address 31.147.206.21 instead of that IPv4 Address.
1 Like
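The redirect check discussed above, as an added example that is not part of any post in this thread: it reads `curl -i` response headers and reports whether the `Location` target is an IP literal, which a certificate issued only for a DNS name cannot match. The function names are hypothetical, the headers are the ones posted above, and the name comparison is exact (no wildcard handling).

```shell
#!/usr/bin/env bash
# Added example: can the certificate's DNS name cover the redirect target?

# Response headers as posted in this thread (curl -i output, abbreviated).
sample_headers() {
cat <<'EOF'
HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.52 (Ubuntu)
X-Redirect-By: WordPress
Location: https://31.147.206.21/
Content-Length: 0
EOF
}

# Print the lower-cased host of an absolute Location header read from stdin.
# Prints nothing when there is no Location header or it is a relative URL.
location_host() {
  tr -d '\r' | awk 'tolower($1) == "location:" {
    u = $2
    if (!sub("^[A-Za-z][A-Za-z0-9+.-]*://", "", u)) exit   # relative URL
    sub("[/?#].*$", "", u)                                 # path, query, fragment
    sub("^[^@]*@", "", u)                                  # userinfo
    if (substr(u, 1, 1) == "[") u = substr(u, 1, index(u, "]"))  # [IPv6]:port
    else sub(":[0-9]*$", "", u)                                  # host:port
    print tolower(u); exit
  }'
}

# classify_redirect CERT_NAME < headers
# Prints one of: no-absolute-redirect | ip-literal | name-mismatch | ok
classify_redirect() {
  cert_name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(location_host)
  case $host in
    "")        echo no-absolute-redirect ;;
    \[*\])     echo ip-literal ;;            # bracketed IPv6 literal
    *[!0-9.]*) if [ "$host" = "$cert_name" ]; then echo ok; else echo name-mismatch; fi ;;
    *)         echo ip-literal ;;            # only digits and dots: IPv4 literal
  esac
}

sample_headers | classify_redirect ekoninfochecker.efri.uniri.hr
```

To check the live site, pipe `curl -si https://ekoninfochecker.efri.uniri.hr` into `classify_redirect` with the certificate's domain as the argument.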
@dcisic actually that redirect seems to only be doing harm since the
IP Address of ekoninfochecker.efri.uniri.hr is 31.147.206.21
At this point I suggest just removing the redirect.
$ nslookup ekoninfochecker.efri.uniri.hr
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: ekoninfochecker.efri.uniri.hr
Address: 31.147.206.21
1 Like
After you change the redirect to use a domain name instead of an IP address you need to fix your VirtualHost layout. You have 3 VirtualHosts defined for the same domain name and port. You can only have 1. Apache does not issue an error but only one of them will ever be active.
5 Likes
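One way to spot the duplicate VirtualHost problem described in the last reply, as an added example that is not part of any post in this thread: it reads `apachectl -S` output and lists every name declared more than once on the same port. The function names are hypothetical, the sample lines are from the second `apachectl -S` dump posted above, and labelling the first listed vhost as the active one is an assumption based on Apache using the first matching vhost for a name.

```shell
#!/usr/bin/env bash
# Added example: flag name-based vhosts declared more than once on one port.

# Lines from the second `apachectl -S` output posted in this thread.
sample_vhost_dump() {
cat <<'EOF'
VirtualHost configuration:
*:443 is a NameVirtualHost
default server ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/ekoninfochecker.efri.uniri.hr.conf:1)
*:80 ekoninfochecker.efri.uniri.hr (/etc/apache2/sites-enabled/ekoninfochecker.efri.uniri.hr.conf:10)
EOF
}

# Reads `apachectl -S` output on stdin. For each (port, ServerName) pair that
# appears more than once, prints the first definition (assumed active) and the
# later ones it shadows, as file:line locations.
find_shadowed_vhosts() {
  awk '
    $1 == "port" && $3 == "namevhost" {
      key = $2 " " $4                 # port + server name
      loc = $5; gsub("[()]", "", loc) # strip the surrounding parentheses
      if (!(key in first)) { first[key] = loc; order[++n] = key }
      else shadowed[key] = shadowed[key] "," loc
    }
    END {
      for (i = 1; i <= n; i++) {
        k = order[i]
        if (k in shadowed)
          printf "%s active=%s shadowed=%s\n", k, first[k], substr(shadowed[k], 2)
      }
    }'
}

sample_vhost_dump | find_shadowed_vhosts
```

On the server itself, `sudo apachectl -S 2>/dev/null | find_shadowed_vhosts` gives the same report; empty output means no name is defined twice on a port.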