How to diagnose invalid certificate?

So, I’ve generated and installed a certificate as before, but now I am only on SSL when I navigate to the WWW version of my site. This is a problem for me since we are using third-party SSO and the redirect route is set to the non-www version of our domain name. As far as I can tell the certificate should be valid, but it is not recognized as such. The certificate appears valid and is accepted by cPanel.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: phisigmarho.org

I ran this command: sudo certbot certonly --manual -d phisigmarho.org --preferred-challenges http

It produced this output: IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/phisigmarho.org/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/phisigmarho.org/privkey.pem
    Your cert will expire on 2019-10-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • If you like Certbot, please consider supporting our work by:

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Redhat

My hosting provider, if applicable, is: Midphase Hosting

I can login to a root shell on my machine (yes or no, or I don’t know): yes, but not enabled

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes Cpanel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

You need to use fullchain.pem; cert.pem only has the leaf certificate, so it can’t be verified by itself because the intermediate certificate is missing.

So, the full contents of the fullchain file? That output is from the fullchain.pem file, but it’s just the first certificate in there. cPanel pulled info from there, so I assumed it was valid…

Hi @nizz0k

Then create one certificate with both domain names:

sudo certbot certonly --manual -d phisigmarho.org -d www.phisigmarho.org --preferred-challenges http

and use that instead.

PS: But you have already created two certificates with both domain names ( https://check-your-website.server-daten.de/?q=phisigmarho.org ):

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-07-11 | 2019-10-09 | phisigmarho.org - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-07-11 | 2019-10-09 | phisigmarho.org, www.phisigmarho.org - 2 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-07-11 | 2019-10-09 | phisigmarho.org, www.phisigmarho.org - 2 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-07-11 | 2019-10-09 | www.phisigmarho.org - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-06-03 | 2019-09-01 | www.phisigmarho.org - 1 entries | | |

What does

certbot certificates

say?

Use the correct certificate, not the wrong one.

PPS: But if you use cPanel, you shouldn’t use Certbot manual. That’s always a bad idea.

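A check for the two problems raised in this thread (a leaf served without its intermediate, and a certificate that does not name both the apex and www hosts), as an added example that is not from the original posts or from Certbot; it uses only the Python standard library and assumes the thread’s two hostnames.

```python
"""Report which names a served certificate covers and whether its chain verifies.

Added example for this thread (not from the original posts or from Certbot).
Standard library only; the hostnames are the ones discussed in the thread.
"""
import socket
import ssl

APEX = "phisigmarho.org"
WWW = "www." + APEX


def san_dns_names(peercert):
    """Return the DNS entries from a getpeercert()-style dict."""
    return [value for kind, value in peercert.get("subjectAltName", ()) if kind == "DNS"]


def missing_names(peercert, wanted):
    """Names in `wanted` that the certificate does not list.
    Exact match only; wildcards are not expanded (HTTP-01 certs have none)."""
    present = set(san_dns_names(peercert))
    return [name for name in wanted if name not in present]


def count_pem_certs(bundle_text):
    """Number of certificates in a PEM file: cert.pem holds 1 (leaf only),
    fullchain.pem holds the leaf plus at least one intermediate."""
    return bundle_text.count("-----BEGIN CERTIFICATE-----")


def check_host(host, port=443, timeout=5.0):
    """Connect with SNI=host using default trust roots and classify the result."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # Typical causes: intermediate not served (cert.pem instead of
        # fullchain.pem), or a certificate that does not name this host.
        return {"host": host, "ok": False, "reason": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"host": host, "ok": False, "reason": str(exc)}
    return {"host": host, "ok": True, "names": san_dns_names(cert),
            "missing": missing_names(cert, [APEX, WWW])}


if __name__ == "__main__":
    for h in (APEX, WWW):
        print(check_host(h))
```

Run it against both hostnames; a verify failure on one name but not the other points at the installed chain or a wrong certificate for that vhost, while `missing` non-empty means the certificate itself needs reissuing with both names.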

Hi @JuergenAuer, thanks for your response. I assumed I had to use the manual certbot since I can’t install software on the shared host and the host has their own pay-for certs that they want to provide. The docs don’t really clarify (or I missed it) what to do in a case like that, so I did the best I could. The issue was actually that I didn’t follow through and install the certificate on the server, the cert itself was valid just not properly installed. So, this was all noobishness on my part.


@nizz0k,

We’re all noobs. :slight_smile:
