How to SSL installation for new subdomain

It looks fine.

I can give you encouragement, I can’t assume responsibilities for you.

Thanks for your support, sir.
The certificate renewed but gives the error below.


The certificate will expire in 89 days.

The hostname (qa-api.juvlon.com) is correctly listed in the certificate.

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

Common name: qa-api.juvlon.com
SANs: qa-api.juvlon.com
Valid from April 3, 2020 to July 2, 2020
Serial Number: 033261fb9504f5d28594116058a1057d6242
Signature Algorithm: sha256WithRSAEncryption
Issuer: Let’s Encrypt Authority X3

did you use fullchain.pem?

it usually works, but you might need to use this instead:

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
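Added example, not part of any post in this thread: a small audit of the active mod_ssl certificate directives that flags the case where no intermediate chain would be served. It assumes Apache older than 2.4.8 (the `ssl.conf` quoted further down references the 2.2 documentation); the function names and the `example.test` sample paths are constructed for illustration.

```bash
# Added example (not from the thread). Assumes Apache older than 2.4.8, where
# SSLCertificateFile sends only the first certificate in the file and the
# intermediates must come from SSLCertificateChainFile.
# Reads httpd config text or `grep -r` output ("path:" prefixed lines) on
# stdin and treats it as one virtual host (the last active directive wins).
audit_chain() {
  awk '
    {
      line = $0
      sub(/^\/[^: ]*:/, "", line)   # drop a leading grep "path:" prefix
      sub(/^[ \t]+/, "", line)      # drop indentation
    }
    line ~ /^#/ { next }            # commented-out directives are inactive
    {
      n = split(line, f, /[ \t]+/)
      if (n < 2) next
      if (f[1] == "SSLCertificateFile")      cert  = f[2]
      if (f[1] == "SSLCertificateChainFile") chain = f[2]
    }
    END {
      if (cert == "")                    print "NO_CERT"
      else if (chain != "")              print "OK leaf=" cert " chain=" chain
      else if (cert ~ /fullchain\.pem$/) print "CHAIN_IGNORED " cert
      else                               print "CHAIN_MISSING " cert
    }'
}

# Constructed sample: fullchain.pem with no active chain directive.
sample_before() {
  cat <<'EOF'
/etc/httpd/conf.d/ssl.conf:SSLEngine on
/etc/httpd/conf.d/ssl.conf:#SSLCertificateChainFile /etc/letsencrypt/live/example.test/chain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/example.test/fullchain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
EOF
}

# Constructed sample: the cert.pem + chain.pem layout suggested above.
sample_after() {
  cat <<'EOF'
SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.test/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.test/privkey.pem
EOF
}

sample_before | audit_chain
sample_after | audit_chain
```

On a live host the same function can be fed with `grep -rih '^[[:space:]]*SSLCertificate' /etc/httpd | audit_chain`.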

fullchain.pem used

If I use the line below, it gives an error when reloading Apache:

SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem

Strange, very strange, check your apache config for other ssl-related settings

grep -ri ssl /etc/httpd

I have replaced these 3 files in ssl.conf. Now it shows SSL activated, but when I use it in the browser it's showing not secure.

Below is the grep output:

Binary file /etc/httpd/conf/.httpd.conf.swo matches
Binary file /etc/httpd/conf/.httpd.conf.swp matches
/etc/httpd/conf/httpd.conf:<IfModule !mod_ssl.c>
/etc/httpd/conf/httpd.conf:LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf/httpd.conf:# (e.g. :80) if mod_ssl is being used, due to the nature of the
/etc/httpd/conf/httpd.conf:# SSL protocol.
/etc/httpd/conf/httpd.conf:#Include /etc/letsencrypt/options-ssl-apache.conf
/etc/httpd/conf/httpd.conf:#SSLCertificateFile /etc/letsencrypt/live/lnkjuv4.com/cert.pem
/etc/httpd/conf/httpd.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/lnkjuv4.com/privkey.pem
/etc/httpd/conf/httpd.conf:#SSLCertificateChainFile /etc/letsencrypt/live/lnkjuv4.com/chain.pem
/etc/httpd/conf/httpd.conf:SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
/etc/httpd/conf.d/ssl.conf:# This is the Apache server configuration file providing SSL support.
/etc/httpd/conf.d/ssl.conf:# directives see URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
/etc/httpd/conf.d/ssl.conf:# When we also provide SSL we have to listen to the
/etc/httpd/conf.d/ssl.conf:<IfModule !mod_ssl.c>
/etc/httpd/conf.d/ssl.conf:LoadModule ssl_module modules/mod_ssl.so
/etc/httpd/conf.d/ssl.conf:## SSL Global Context
/etc/httpd/conf.d/ssl.conf:## All SSL configuration in this context applies both to
/etc/httpd/conf.d/ssl.conf:## the main server and all SSL-enabled virtual hosts.
/etc/httpd/conf.d/ssl.conf:SSLPassPhraseDialog builtin
/etc/httpd/conf.d/ssl.conf:# Configure the SSL Session Cache: First the mechanism
/etc/httpd/conf.d/ssl.conf:SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
/etc/httpd/conf.d/ssl.conf:SSLSessionCacheTimeout 300
/etc/httpd/conf.d/ssl.conf:# SSL engine uses internally for inter-process synchronization.
/etc/httpd/conf.d/ssl.conf:SSLMutex default
/etc/httpd/conf.d/ssl.conf:# SSL library. The seed data should be of good random quality.
/etc/httpd/conf.d/ssl.conf:# block. So, if available, use this one instead. Read the mod_ssl User
/etc/httpd/conf.d/ssl.conf:SSLRandomSeed startup file:/dev/urandom 256
/etc/httpd/conf.d/ssl.conf:SSLRandomSeed connect builtin
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed startup file:/dev/random 512
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed connect file:/dev/random 512
/etc/httpd/conf.d/ssl.conf:#SSLRandomSeed connect file:/dev/urandom 512
/etc/httpd/conf.d/ssl.conf:# Use "SSLCryptoDevice" to enable any supported hardware
/etc/httpd/conf.d/ssl.conf:# accelerators. Use "openssl engine -v" to list supported
/etc/httpd/conf.d/ssl.conf:SSLCryptoDevice builtin
/etc/httpd/conf.d/ssl.conf:#SSLCryptoDevice ubsec
/etc/httpd/conf.d/ssl.conf:## SSL Virtual Host Context
/etc/httpd/conf.d/ssl.conf:# Use separate log files for the SSL virtual host; note that LogLevel
/etc/httpd/conf.d/ssl.conf:ErrorLog logs/ssl_error_log
/etc/httpd/conf.d/ssl.conf:TransferLog logs/ssl_access_log
/etc/httpd/conf.d/ssl.conf:# SSL Engine Switch:
/etc/httpd/conf.d/ssl.conf:# Enable/Disable SSL for this virtual host.
/etc/httpd/conf.d/ssl.conf:SSLEngine on
/etc/httpd/conf.d/ssl.conf:# SSL Protocol support:
/etc/httpd/conf.d/ssl.conf:# connect. Disable SSLv2 access by default:
/etc/httpd/conf.d/ssl.conf:#SSLProtocol all -SSLv2
/etc/httpd/conf.d/ssl.conf:SSLProtocol ALL -SSLV2 -SSLv3 -TLSv1 +TLSv1.1 +TLSv1.2
/etc/httpd/conf.d/ssl.conf:# SSL Cipher Suite:
/etc/httpd/conf.d/ssl.conf:# See the mod_ssl documentation for a complete list.
/etc/httpd/conf.d/ssl.conf:#SSLCipherSuite DEFAULT:!EXP:!SSLv2:!DES:!IDEA:!SEED:+3DES
/etc/httpd/conf.d/ssl.conf:SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/fullchain.pem
/etc/httpd/conf.d/ssl.conf:#SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:# Point SSLCertificateChainFile at a file containing the
/etc/httpd/conf.d/ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf.d/ssl.conf:#SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/letsencrypt/live/qa-api.juvlon.com/cert.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/qa-api.juvlon.com/chain.pem
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/qa-api.juvlon.com/privkey.pem
/etc/httpd/conf.d/ssl.conf:#SSLVerifyClient require
/etc/httpd/conf.d/ssl.conf:#SSLVerifyDepth 10
/etc/httpd/conf.d/ssl.conf:# With SSLRequire you can do per-directory access control based
/etc/httpd/conf.d/ssl.conf:# mixture between C and Perl. See the mod_ssl documentation
/etc/httpd/conf.d/ssl.conf:#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/
/etc/httpd/conf.d/ssl.conf:# and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."
/etc/httpd/conf.d/ssl.conf:# and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
/etc/httpd/conf.d/ssl.conf:# SSL Engine Options:
/etc/httpd/conf.d/ssl.conf:# Set various options for the SSL engine.
/etc/httpd/conf.d/ssl.conf:# This exports two additional environment variables: SSL_CLIENT_CERT and
/etc/httpd/conf.d/ssl.conf:# SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
/etc/httpd/conf.d/ssl.conf:# This exports the standard SSL/TLS related `SSL_*' environment variables.
/etc/httpd/conf.d/ssl.conf:# This denies access when "SSLRequireSSL" or "SSLRequire" applied even
/etc/httpd/conf.d/ssl.conf:# This enables optimized SSL connection renegotiation handling when SSL
/etc/httpd/conf.d/ssl.conf:#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
/etc/httpd/conf.d/ssl.conf: SSLOptions +StdEnvVars
/etc/httpd/conf.d/ssl.conf: SSLOptions +StdEnvVars
/etc/httpd/conf.d/ssl.conf:# SSL Protocol Adjustments:
/etc/httpd/conf.d/ssl.conf:# The safe and default but still SSL/TLS standard compliant shutdown
/etc/httpd/conf.d/ssl.conf:# approach is that mod_ssl sends the close notify alert but doesn't wait for
/etc/httpd/conf.d/ssl.conf:# o ssl-unclean-shutdown:
/etc/httpd/conf.d/ssl.conf:# SSL close notify alert is send or allowed to received. This violates
/etc/httpd/conf.d/ssl.conf:# the SSL/TLS standard but is needed for some brain-dead browsers. Use
/etc/httpd/conf.d/ssl.conf:# mod_ssl sends the close notify alert.
/etc/httpd/conf.d/ssl.conf:# o ssl-accurate-shutdown:
/etc/httpd/conf.d/ssl.conf:# SSL close notify alert is send and mod_ssl waits for the close notify
/etc/httpd/conf.d/ssl.conf:# alert of the client. This is 100% SSL/TLS standard compliant, but in
/etc/httpd/conf.d/ssl.conf:# this only for browsers where you know that their SSL implementation
/etc/httpd/conf.d/ssl.conf: nokeepalive ssl-unclean-shutdown
/etc/httpd/conf.d/ssl.conf:# The home of a custom SSL log file. Use this when you want a
/etc/httpd/conf.d/ssl.conf:# compact non-error SSL logfile on a virtual host basis.
/etc/httpd/conf.d/ssl.conf:CustomLog logs/ssl_request_log
/etc/httpd/conf.d/ssl.conf: "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x "%r" %b"
You have mail in /var/spool/mail/root

Maybe now it's secure; I used https://qa-api.juvlon.com

your certificate chain is fine now. check autorenewal (certbot renew --dry-run runs with no error and you have a crontab line for it) and you’re fine.

[root@qa-atm conf.d]# certbot renew --dry-run
-bash: certbot: command not found

as I said... commands can change names

Sir, sorry to say, but I do not understand exactly.

letsencrypt-auto renew --dry-run is it ok??

it’s ok. if it runs with no errors you are halfway ok.

then you need to add a crontab line. see on the certbot website how.

thanks for your help
