I have enabled Letsencrypt, but still getting invalid certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: joenobel.com, www.joenobel.com, http://www.joenobel.com, https://www.joenobel.com

I ran this command: I tried to access my website as https://www.joenobel.com in various browsers, FF, Chromium, Brave

It produced this output:


This site cannot be loaded due to a certificate error
NET::ERR-CERT-AUTHORITY-INVALID …

My web server is (include version): Apache, not sure of version

The operating system my web server runs on is (include version): CentOS, not sure of version

My hosting provider, if applicable, is: Eapps

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, ISP manager, not sure of version.


#2

The site certificate shown is for: JoeNobel.com [and a self-signed 1 year cert]
You connected to: www.JoeNobel.com [which does not match your cert and should always fail as the cert is untrusted]

SSL Labs shows a cert with a completely different set of names:
https://www.ssllabs.com/ssltest/analyze.html?d=joenobel.com

Who controls your IP (68.169.54.161)?

10 certs were issued for your domain about 10 days ago:
https://crt.sh/?q=joenobel.com


#3

The self-signed cert attempts to include a SAN in the subject:

SANs are not entered there; they have a separate field.
That looks like this:


#4

I do, I control all those sites. I have set up certs for each of them.


#5

Sooo, when a visitor is given the URL of joenobel.com they are out of luck? Ought they not be able to form the URL any which way they please?
How do I set these certs up to just work?


#6

First, start by answering these questions [with as much relevant detail]:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#7

You need to include both joenobel.com and www.joenobel.com as names that are covered by your Let’s Encrypt certificate. Then browsers will not show an error regardless of which form was used to access the site.

What I think is confusing @rg305 in terms of giving you further advice is that you didn’t really tell us how you obtained that certificate, for example whether you got it from inside your control panel, or using a Let’s Encrypt client application, or a third-party web site, or some other method. (To make it work, you’ll need to reissue the certificate including the other name, but we can’t easily suggest how to do that until we know what kind of tools you used to request the original certificate.)
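The name-coverage point in this thread, as an added example that is not part of any post: a small Python check that reports why a browser would reject a certificate for a given hostname. The certificate dicts are constructed samples in the shape of `ssl.SSLSocket.getpeercert()` output, the CA name is a placeholder, and the wildcard case goes beyond what the thread discusses.

```python
# Constructed sample certificates in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(); none of these values come from a real server.
SELF_SIGNED = {  # like post #2: self-signed, name only in the subject
    "subject": ((("commonName", "joenobel.com"),),),
    "issuer": ((("commonName", "joenobel.com"),),),
}
APEX_ONLY = {
    "subject": ((("commonName", "joenobel.com"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),  # placeholder CA
    "subjectAltName": (("DNS", "joenobel.com"),),
}
BOTH_NAMES = dict(APEX_ONLY, subjectAltName=(
    ("DNS", "joenobel.com"), ("DNS", "www.joenobel.com")))
WILDCARD = dict(APEX_ONLY, subjectAltName=(("DNS", "*.joenobel.com"),))


def san_dns_names(cert):
    """DNS entries of the SAN extension; the subject CN is deliberately ignored."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard standing for exactly one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        label, _, parent = host.partition(".")
        return bool(label) and parent == pattern[2:]
    return pattern == host


def diagnose(cert, host):
    """Return the reasons a browser would reject `cert` for `host` (empty = OK)."""
    problems = []
    # Heuristic: issuer == subject means self-issued, so no public CA vouches for it.
    if cert.get("issuer") == cert.get("subject"):
        problems.append("untrusted issuer (self-signed)")
    if not any(name_matches(p, host) for p in san_dns_names(cert)):
        problems.append("hostname not in SAN list")
    return problems


if __name__ == "__main__":
    for label, cert in [("self-signed", SELF_SIGNED), ("apex only", APEX_ONLY),
                        ("both names", BOTH_NAMES), ("wildcard", WILDCARD)]:
        for host in ("joenobel.com", "www.joenobel.com"):
            print(f"{label:12} {host:18} {diagnose(cert, host) or 'OK'}")
```

Only the certificate listing both names passes for both hostnames; a `*.joenobel.com` wildcard covers `www` but not the bare domain.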


#8

Sorry for taking so long to return to this problem. I am using the control panel – ISP Manager.
On the main SSL Certificates panel, the first 3 entries are:
joenobel.com_le2 (In use)
joenobel.com_le1 (Not used)
joenobel.com (Not used)

Clicking into joenobel.com_le2 line, I have this:


On this, I have name: joenobel.com, alternative name: www.joenobel.com

I apologize if my question is too amateur. I admit I really don’t know where I’m going wrong.


#9

Hi @joenobel

Your certificate looks good. But you don’t use it.

There should be a menu “managing certificates” or something else.

Where you are able to say:

“This domain should use that certificate”.


#10

Now you use your certificate.

But you have mixed content warnings. Use Chrome / Firefox, Ctrl + Shift + I to open the console.

http://www.eapps.com/images/logos/eapps_hosted_border.gif

Change these links to https.


#11

Thank you @JuergenAuer,
I just corrected the issue. I could not find a "manage certificates" menu; however, I removed and re-created the certificate for joenobel.com. Now it works correctly. I then took your advice and changed all the http links to https; they were all available in https.


#12

Yep, now it’s completely green. But later you should add a preferred version (www or non-www) and redirects http -> https. So users and search engines have one version via https.