An SSL test complained about a self-signed cert also in the chain. The web page recommended I edit the chain file and remove a cert. I did, but I think I deleted the wrong cert.
It’s CentOS6 running Apache2 serving 6 pages. The problem page, precip.gsfc.nasa.gov, is also the hostname associated with the IP address. All other pages are fine.
Can I regenerate the deleted cert? Would it be better to just get a new cert? If so, how do I prevent the self-signed cert from being included in the chain?
Thanks,
tj
because a quick look at the vhost config seems OK. I don’t think certbot adds a personal certificate anywhere. But here, looking at the screen, it seems not to be the LE key?
The ssl check says the cert is current:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Validity
Not Before: Jan 19 16:39:00 2017 GMT
Not After : Apr 19 16:39:00 2017 GMT
I captured everything with a “script” command and can send the output file if you wish.
Did you previously manually edit one of the files within /etc/letsencrypt to add or import some non-Let’s Encrypt cert to it? The Certbot software should not have added that cert to any of those files on its own.
In answer to Seth Schoen’s question, No. However, I moved a file named “le-redirect-precip.gsfc.nasa.gov.conf” to /var/tmp.
============Seth’s Question==============================
Did you previously manually edit one of the files within /etc/letsencrypt to add or import some non-Let’s Encrypt cert to it? The Certbot software should not have added that cert to any of those files on its own.
The host is running CentOS 6.8. The directory name is /etc/httpd instead of /etc/apache2. I captured the “grep” command and have included the entire script output below. I have included the (current) ssl.conf file.
I purchased the “Red Hat Enterprise Linux 6 Administration” book and am about to read the section on “Configuring the Apache Web Server”. I’m sure I’ll learn something… I sure hope it’s enough.
Ted Jackson
=========================== SSL_Certificates.txt ===========================
Script started on Fri 03 Feb 2017 08:22:30 AM EST
[root@gs612-meso webpages.d]# grep -r SSLCertificate /etc/httpd
/etc/httpd/webpages.d/goes.active: SSLCertificateFile /etc/letsencrypt/live/goes.gsfc.nasa.gov/cert.pem
/etc/httpd/webpages.d/goes.active: SSLCertificateKeyFile /etc/letsencrypt/live/goes.gsfc.nasa.gov/privkey.pem
/etc/httpd/webpages.d/goes.active: SSLCertificateChainFile /etc/letsencrypt/live/goes.gsfc.nasa.gov/fullchain.pem
/etc/httpd/webpages.d/glow.active: SSLCertificateFile /etc/letsencrypt/live/glow.gsfc.nasa.gov/cert.pem
/etc/httpd/webpages.d/glow.active: SSLCertificateKeyFile /etc/letsencrypt/live/glow.gsfc.nasa.gov/privkey.pem
/etc/httpd/webpages.d/glow.active: SSLCertificateChainFile /etc/letsencrypt/live/glow.gsfc.nasa.gov/fullchain.pem
/etc/httpd/webpages.d/tennisclub.active: SSLCertificateFile /etc/letsencrypt/live/tennisclub.gsfc.nasa.gov/cert.pem
/etc/httpd/webpages.d/tennisclub.active: SSLCertificateKeyFile /etc/letsencrypt/live/tennisclub.gsfc.nasa.gov/privkey.pem
/etc/httpd/webpages.d/tennisclub.active: SSLCertificateChainFile /etc/letsencrypt/live/tennisclub.gsfc.nasa.gov/fullchain.pem
/etc/httpd/webpages.d/precip.active: SSLCertificateFile /etc/letsencrypt/live/precip.gsfc.nasa.gov-0001/cert.pem
/etc/httpd/webpages.d/precip.active: SSLCertificateKeyFile /etc/letsencrypt/live/precip.gsfc.nasa.gov-0001/privkey.pem
/etc/httpd/webpages.d/precip.active: SSLCertificateChainFile /etc/letsencrypt/live/precip.gsfc.nasa.gov-0001/chain.pem
/etc/httpd/webpages.d/har.active: SSLCertificateFile /etc/letsencrypt/live/har.gsfc.nasa.gov/cert.pem
/etc/httpd/webpages.d/har.active: SSLCertificateKeyFile /etc/letsencrypt/live/har.gsfc.nasa.gov/privkey.pem
/etc/httpd/webpages.d/har.active: SSLCertificateChainFile /etc/letsencrypt/live/har.gsfc.nasa.gov/fullchain.pem
/etc/httpd/webpages.d/twilite.active: SSLCertificateFile /etc/letsencrypt/live/twilite.gsfc.nasa.gov/cert.pem
/etc/httpd/webpages.d/twilite.active: SSLCertificateKeyFile /etc/letsencrypt/live/twilite.gsfc.nasa.gov/privkey.pem
/etc/httpd/webpages.d/twilite.active: SSLCertificateChainFile /etc/letsencrypt/live/twilite.gsfc.nasa.gov/fullchain.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:# SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/ca.crt
/etc/httpd/conf.d/ssl.conf:# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/ca.key
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/letsencrypt/live/precip.gsfc.nasa.gov-0001/chain.pem
/etc/httpd/inactive/thar.inactive: SSLCertificateFile /etc/letsencrypt/live/har.gsfc.nasa.gov/cert.pem
/etc/httpd/inactive/thar.inactive: SSLCertificateKeyFile /etc/letsencrypt/live/har.gsfc.nasa.gov/privkey.pem
/etc/httpd/inactive/thar.inactive: SSLCertificateChainFile /etc/letsencrypt/live/har.gsfc.nasa.gov/fullchain.pem
[root@gs612-meso webpages.d]# exit
Script done on Fri 03 Feb 2017 08:22:47 AM EST
====================== end SSL_Certificates.txt ===========================
=========================== ssl.conf ===========================
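The grep output above lists, per vhost, which cert.pem, privkey.pem and chain.pem/fullchain.pem files Apache loads. The following script is an added example (not code from this thread or from Certbot) that reproduces the check the SSL test is making: it splits a PEM bundle into its individual certificates and reports any whose subject equals its issuer, i.e. a self-signed certificate that does not belong in a chain file, and it confirms that a private key actually belongs to a certificate. The root, intermediate and leaf certificates it generates are constructed sample input standing in for the real files; the scratch directory, the sample names and the "precip.example.test" hostname are assumptions. In production, point the two functions at the files the grep output lists.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits PEM bundles the way an SSL
# test does ("self-signed certificate in the chain") and checks that a private
# key matches a certificate, using only the openssl CLI.
# The certificates generated below are constructed sample input; point the
# functions at /etc/letsencrypt/live/<host>/{cert,chain,fullchain,privkey}.pem
# on a real host.
set -e

WORK=$(mktemp -d)          # assumption: scratch dir standing in for /etc/letsencrypt/live/<host>
mkdir -p "$WORK/split"

# Print one line per certificate in a PEM bundle:
#   SELF-SIGNED <subject>   when subject and issuer are identical
#   OK <subject>            otherwise (what an intermediate such as LE X3 looks like)
audit_chain() {
    rm -f "$WORK"/split/part*.pem
    # split the bundle on the BEGIN/END CERTIFICATE markers, one file per certificate
    awk -v dir="$WORK/split" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/part%03d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    ' "$1"
    for part in "$WORK"/split/part*.pem; do
        [ -e "$part" ] || continue
        subj=$(openssl x509 -in "$part" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$part" -noout -issuer | sed 's/^issuer= *//')
        if [ "$subj" = "$iss" ]; then
            echo "SELF-SIGNED $subj"
        else
            echo "OK $subj"
        fi
    done
}

# Number of self-signed certificates in a bundle; a chain file should report 0
self_signed_count() {
    audit_chain "$1" | grep -c '^SELF-SIGNED' || true
}

# Succeeds when the public half of the private key equals the certificate's public key
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# --- constructed sample input: self-signed root -> intermediate -> leaf ---
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Sample Self-Signed Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Sample Intermediate CA" \
    -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -out "$WORK/intermediate.pem" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=precip.example.test" \
    -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -days 30 -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -out "$WORK/cert.pem" 2>/dev/null

cat "$WORK/intermediate.pem" > "$WORK/chain.pem"                        # what certbot's chain.pem holds
cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"          # fullchain.pem = cert.pem + chain.pem
cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/bad-chain.pem"   # self-signed root wrongly appended

echo "chain.pem:";     audit_chain "$WORK/chain.pem"
echo "bad-chain.pem:"; audit_chain "$WORK/bad-chain.pem"
key_matches_cert "$WORK/cert.pem" "$WORK/privkey.pem" && echo "privkey.pem matches cert.pem"
```

Run it with `sh audit-chain.sh`; the bad-chain.pem report is the condition the SSL test flags. On the server, running `audit_chain` over each SSLCertificateChainFile and `key_matches_cert` over each SSLCertificateFile/SSLCertificateKeyFile pair from the grep output shows which file carries the self-signed certificate and whether cert and key still belong together, without editing anything by hand.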
I commented them both out and now, even though the “apachectl -t” says "Syntax ok", httpd does not start at all. As expected, the result of the SSL test is:
Can you paste that file (on pastebin.com or somewhere) or just change the links to the LE certs rather than the /etc/pki/tls/certs/ certs (so that it will run, and at least confirm if that is the source)?