How to cancel one of the certificates

Wow, that's very important. Thank you for the link.
The common name is not correct, that's true. Where does this "common name" field come from?

2 Likes

It was the domain name used to get the certificate.

4 Likes

When I created the cert in RapidSSL I put begravningstjanst.se. The order in RapidSSL said the common name is begravningstjanst.se. I even needed to prove that the domain name is valid on the RapidSSL site.
So it's probably related to the Apache config... but how? (If not, I will see the issue in the RapidSSL admin page.)

1 Like

Most common issues are probably:

  • Incorrect file used in directives;
  • Not reloading services after making changes to configuration.

4 Likes

I checked the certificate and common name on the certificate is fine.

Oh, I found out that when I change the config for SSL from <VirtualHost *:80> to <VirtualHost *:443> it starts to say the common name is valid.

This sounds so wrong on so many levels.

4 Likes

I agree with Osiris that sounds very wrong. Besides, your site is still sending wrong certs.

This SSL Decoder test site shows you send two certificates. One is a "leaf" for Let's Encrypt and one for DigiCert. This is not valid. Some browsers may make a lucky guess and say it is good but you should correct this.

Your Apache certificate config is wrong. If you want help please show the results of this command.

apachectl -t -D DUMP_VHOSTS

4 Likes
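
The mismatch described in the post above (a leaf from one CA served together with another CA's chain file) can be checked directly against the files named in the Apache config. This is an added example, not part of the thread: the function names `chain_matches` and `audit_conf` are made up for illustration, and it assumes the `openssl` CLI is installed and that certificate paths contain no spaces.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): check that each VirtualHost's
# SSLCertificateFile was issued by the cert in its SSLCertificateChainFile.

# chain_matches LEAF CHAIN
#   0 = CHAIN's first cert issued LEAF, 1 = it did not, 2 = unreadable file
chain_matches() {
    local leaf="$1" chain="$2" issuer subject
    issuer=$(openssl x509 -in "$leaf" -noout -issuer_hash 2>/dev/null) || return 2
    subject=$(openssl x509 -in "$chain" -noout -subject_hash 2>/dev/null) || return 2
    # Cheap test first: the leaf's issuer name must equal the chain's subject name.
    [ "$issuer" = "$subject" ] || return 1
    # Equal names are not proof, so also verify the signature (and validity
    # dates), treating the chain cert as the trust anchor.
    openssl verify -partial_chain -CAfile "$chain" "$leaf" >/dev/null 2>&1 || return 1
}

# audit_conf CONF: print "OK|MISMATCH|UNREADABLE leaf <- chain" for every
# distinct certificate/chain pair found inside a <VirtualHost> block.
# Assumption: paths are bare or double-quoted and contain no spaces.
audit_conf() {
    awk '
        { key = tolower($1) }
        key == "sslcertificatefile"      { leaf = $2;  gsub(/"/, "", leaf) }
        key == "sslcertificatechainfile" { chain = $2; gsub(/"/, "", chain) }
        key == "</virtualhost>" {
            if (leaf != "" && chain != "") print leaf, chain
            leaf = chain = ""
        }' "$1" | sort -u | while read -r leaf chain; do
        rc=0
        chain_matches "$leaf" "$chain" || rc=$?
        case $rc in
            0) echo "OK $leaf <- $chain" ;;
            1) echo "MISMATCH $leaf <- $chain" ;;
            *) echo "UNREADABLE $leaf <- $chain" ;;
        esac
    done
}

# Usage: audit_conf /etc/httpd/conf/httpd-ssl_www.begravningstjanst.se.conf
```

A `MISMATCH` line means the server will present a leaf and an intermediate that do not belong together; an expired leaf is also reported this way because `openssl verify` checks validity dates.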

The result contains default server timecut.se plus only the config for SSL: port 443 namevhost begravningstjanst.se and port 443 namevhost www.begravningstjanst.se.
I did not find any additional entries :frowning:
Is it possible that acme.sh has added entries to the config?

Please show the entire results. That is only the first step to fixing your config.

3 Likes

Can we talk in private? I don't want to show it in public.

Maybe Discord/Skype/email?

Not with me. I am a volunteer working for free on my own time. I don't want to be your personal assistant. If you show info in this forum the entire team of volunteers can help.

4 Likes

If you want to keep your info private there are some paid consultants who might be more helpful. schoen and webprofusion are both frequent contributors in this forum.

4 Likes

I understand, of course I understand that time is money and I will gladly pay for individual help if it comes into play. Thank you, I will try that.

2 Likes

Currently, when you check the domain checker, I have this error:
depth=0 CN = begravningstjanst.se
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = begravningstjanst.se
verify error:num=21:unable to verify the first certificate
verify return:1
CONNECTED(00000003)
OCSP response: no response sent

And the result of apachectl -t -D DUMP_VHOSTS looks like:
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server timecut.se (/etc/httpd/conf/httpd-ssl_www.timecut.se.conf:1)
port 443 namevhost timecut.se (/etc/httpd/conf/httpd-ssl_www.timecut.se.conf:1)
port 443 namevhost www.timecut.se (/etc/httpd/conf/httpd-ssl_www.timecut.se.conf:23)
port 443 namevhost begravningstjanst.se (/etc/httpd/conf/httpd-ssl_www.begravningstjanst.se.conf:1)
port 443 namevhost www.begravningstjanst.se (/etc/httpd/conf/httpd-ssl_www.begravningstjanst.se.conf:23)

Why individual server sections?
Can we have a look at that file?

And... should I ask: Where did the *:80 hosts go?

3 Likes

<VirtualHost *:443>
    ServerAdmin fake@email.com
    ServerName begravningstjanst.se

    Redirect permanent / https://www.begravningstjanst.se/
    SSLEngine on
    SSLProtocol             -all +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    SSLCipherSuite       EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE

    #Server Certificate File:
    SSLCertificateFile "/etc/httpd/conf/cic_key/www.begravningstjanst.se/begravningstjanst_se.crt"

    #Server Private Key:
    SSLCertificateKeyFile "/etc/httpd/conf/cic_key/www.begravningstjanst.se/begravningstjanst.se.key"

    #Server Certificate Chain:
    SSLCertificateChainFile "/etc/httpd/conf/cic_key/www.begravningstjanst.se/DigiCertCA.crt"

</VirtualHost>

#Virtual Host Directive starts
<VirtualHost *:443>
    ServerAdmin fake@email.com
    ServerName www.begravningstjanst.se

    ErrorLog logs/begravningstjanst.se.error.log
    CustomLog logs/begravningstjanst.se.access.log common

    DocumentRoot /var/www/html/begravningstjanst.se/public_html

    #SSL Engine Switch:
    SSLEngine on
    SSLProtocol             -all +TLSv1.1 +TLSv1.2 -SSLv2 -SSLv3
    SSLHonorCipherOrder     on
    SSLCipherSuite       EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!DHE
    #Server Certificate File:
    SSLCertificateFile "/etc/httpd/conf/cic_key/www.begravningstjanst.se/begravningstjanst_se.crt"

    #Server Private Key:
    SSLCertificateKeyFile "/etc/httpd/conf/cic_key/www.begravningstjanst.se/begravningstjanst.se.key"

    #Server Certificate Chain:
    SSLCertificateChainFile "/etc/httpd/conf/cic_key/www.begravningstjanst.se/DigiCertCA.crt"
</VirtualHost>

OK, I found the solution. The problem was with the version of OpenSSL and the algorithm used by acme.sh.

2 Likes
