Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: https://www.gr0wthdr1vers.com/
I ran this command: ./certbot-auto --apache
It produced this output:
My web server is (include version): Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0
https://gr0wthdr1vers.com WORKS
https://www.gr0wthdr1vers.com INVALID
Alternate names in the cert are listed as: gr0wthdr1vers.com www.gr0wthdr1vers.com
Hi @matto408
the www version doesn't have a DNS entry, an A- or AAAA-record is required (checked with https://check-your-website.server-daten.de/?q=gr0wthdr1vers.com ):
So first step: Create a new A-record with the same ip address as your non-www version.
Second step: Add the www as ServerAlias to your existing vHost.
Third step: Create a certificate with both domain names:
./certbot-auto --apache -d gr0wthdr1vers.com -d www.gr0wthdr1vers.com
PS: It's curious, you don't have a dns entry, so it's impossible to use the www version. But your certificate has both domain names:
CN=gr0wthdr1vers.com
26.02.2019
27.05.2019
expires in 90 days gr0wthdr1vers.com, www.gr0wthdr1vers.com - 2 entries
Thanks for the quick reply!
I’ve added the extra A Name and it looks like it propagated.
I double checked that the ServerAlias is set as ServerAlias www.gr0wthdr1vers.com
I re-ran the certbot-auto command and still no luck.
I tried both 1: Attempt to reinstall this existing certificate, and 2: Renew & replace the cert.
I see, you have rechecked your domain.
Yep, that's good:
Your non-www uses the certificate with both domain names.
Your www uses a self signed certificate:
E=root@gr0wthdr1verrs, CN=gr0wthdr1verrs, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
15.02.2019
15.02.2020
expires in 354 days
So it looks like the standard / default vHost is used. Share your vHost configuration.
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName gr0wthdr1vers.com
ServerAlias www.gr0wthdr1vers.com
DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gr0wthdr1vers.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gr0wthdr1vers.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gr0wthdr1vers.com/chain.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName gr0wthdr1vers.com
ServerAlias www.gr0wthdr1vers.com
DocumentRoot /var/www/html
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =www.gr0wthdr1vers.com [OR]
#RewriteCond %{SERVER_NAME} =gr0wthdr1vers.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>
generated by bot ^^^
Original:
<VirtualHost *:80>
ServerName gr0wthdr1vers.com
ServerAlias www.gr0wthdr1vers.com
DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =gr0wthdr1vers.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
Your config looks ok.
But is there a standard definition in your main config file? (SSL)
And is there a ServerName / ServerAlias?
Hm, I’m actually not sure what that is. The second snippet above (Original) is in the main config file. Would you mind posting an example of what I should look for? Thanks for being so helpful so far!
You must have a second SSL-definition with
SSLCertificateFile /etc/letsencrypt/live/gr0wthdr1vers.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gr0wthdr1vers.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gr0wthdr1vers.com/chain.pem
but with other files of the self signed certificate. That is used instead of this vHost.
Isn’t that the first snippet from /etc/httpd/conf/httpd-le-ssl.conf?
<VirtualHost *:443>
ServerName gr0wthdr1vers.com
ServerAlias www.gr0wthdr1vers.com
DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gr0wthdr1vers.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gr0wthdr1vers.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gr0wthdr1vers.com/chain.pem
</VirtualHost>
Which seems to be included at the bottom of httpd.conf as
Include /etc/httpd/conf/httpd-le-ssl.conf
The same keywords, but other values:
SSLCertificateFile selfsigned.cert.pem
SSLCertificateKeyFile selfsigned.cert.privkey.pem
SSLCertificateChainFile selfsigned.cert.chain.pem
There must be such a definition somewhere, with other values as file names.
Perfect, yes you were right. I found those values pointing at default local configurations in /etc/httpd/conf.d/ssl.conf
I set the values there to point to the new cert files and it worked like a charm. Thanks for all the help @JuergenAuer
1 Like
Yep, rechecked your domain. Now there is only one certificate used:
CN=gr0wthdr1vers.com
26.02.2019
27.05.2019
expires in 89 days gr0wthdr1vers.com, www.gr0wthdr1vers.com - 2 entries
With both domain names, both are ok.
But it's curious:
Looks like your two connections are using different settings:
The non-www:
DiffieHellman | 2048 | Aes128 | 128 | Sha256
The www:
ECDH Ephermal | 384 | Aes256 | 256 | Sha1
schoen
February 27, 2019, 10:40pm
13
We have learned that this can be a problem on CentOS because the Include order allows the default ssl.conf to override other virtual hosts (depending on their alphabetical positioning!).
There are various ways to fix this and a future version of Certbot will try to be cleverer about it.
1 Like
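The mechanism schoen describes (which vhost on *:443 ends up first, and therefore default, depends purely on the order in which httpd.conf pulls files in) is easy to check by walking the config tree the way httpd does. The script below is an added example written for this thread, not Certbot's or Apache's own code: it follows Include/IncludeOptional directives (wildcards expanded in sorted order), lists the <VirtualHost> blocks in definition order, and applies Apache's documented selection rule, first matching ServerName/ServerAlias on that address, otherwise the first vhost defined on it. The config tree it builds is constructed for the example: the example.com names and the LE paths are placeholders, and the stock CentOS ssl.conf default vhost is reproduced from memory with its localhost.crt self-signed certificate, included from conf.d before httpd-le-ssl.conf, exactly the layout the thread ends up diagnosing.

```python
"""Added example, not from the thread: find which Apache vhost (and therefore which
certificate) wins for *:443 once every Include is expanded in the order httpd reads it."""
import glob
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)
INCLUDE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)", re.I)
DIRECTIVE = re.compile(r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.I)


@dataclass
class VHost:
    addr: str                    # e.g. "*:443"; "_default_" is normalised to "*"
    source: str                  # file the block was read from
    names: List[str] = field(default_factory=list)
    cert: Optional[str] = None   # SSLCertificateFile, if any


def load_vhosts(conf_path: str, server_root: str) -> List[VHost]:
    """Return VirtualHost blocks in definition order, following Include/IncludeOptional.
    Wildcard includes are expanded sorted, as httpd does, so conf.d/ssl.conf is read before
    conf.d/z-site.conf. Includes inside a vhost (options-ssl-apache.conf) carry no
    VirtualHost blocks and are not followed here."""
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    with open(conf_path, encoding="utf-8") as fh:
        for raw in fh:
            line = raw.split("#", 1)[0]                  # drop comments
            m = INCLUDE.match(line)
            if m and current is None:
                pattern = m.group(1).strip('"')
                if not os.path.isabs(pattern):           # relative to ServerRoot
                    pattern = os.path.join(server_root, pattern)
                for path in sorted(glob.glob(pattern)):
                    vhosts.extend(load_vhosts(path, server_root))
                continue
            m = VHOST_OPEN.match(line)
            if m:
                addr = m.group(1).strip().replace("_default_", "*")
                current = VHost(addr=addr, source=conf_path)
                continue
            if current is not None and VHOST_CLOSE.match(line):
                vhosts.append(current)
                current = None
                continue
            m = DIRECTIVE.match(line)
            if m and current is not None:
                key, value = m.group(1).lower(), m.group(2)
                if key in ("servername", "serveralias"):
                    current.names.extend(value.split())
                else:
                    current.cert = value
    return vhosts


def serving_vhost(vhosts: List[VHost], hostname: Optional[str], addr: str = "*:443") -> Optional[VHost]:
    """Apache's rule: the first vhost on `addr` whose ServerName/ServerAlias matches the
    requested (SNI) hostname; if none matches, the first vhost defined on `addr`.
    hostname=None returns that default directly."""
    candidates = [v for v in vhosts if v.addr == addr]
    if hostname is not None:
        for v in candidates:
            if hostname.lower() in (n.lower() for n in v.names):
                return v
    return candidates[0] if candidates else None


def audit(server_root: str, hostnames: List[str], addr: str = "*:443") -> Dict:
    """Report vhost order on `addr`, the default certificate, and the cert each name gets."""
    vhosts = load_vhosts(os.path.join(server_root, "conf", "httpd.conf"), server_root)
    default = serving_vhost(vhosts, None, addr)
    served = {}
    for host in hostnames:
        v = serving_vhost(vhosts, host, addr)
        served[host] = v.cert if v else None
    return {
        "order": [(os.path.relpath(v.source, server_root), v.cert) for v in vhosts if v.addr == addr],
        "default_cert": default.cert if default else None,
        "served": served,
    }


def build_sample_tree() -> str:
    """Constructed stand-in for /etc/httpd (example.com and the LE paths are placeholders):
    a stock-style ssl.conf default vhost with the self-signed localhost.crt, included from
    conf.d, and a Certbot-style httpd-le-ssl.conf included afterwards."""
    root = tempfile.mkdtemp(prefix="httpd-")
    files = {
        "conf/httpd.conf": "Listen 80\nIncludeOptional conf.d/*.conf\nInclude conf/httpd-le-ssl.conf\n",
        "conf.d/ssl.conf": ("Listen 443 https\n<VirtualHost _default_:443>\nSSLEngine on\n"
                            "SSLCertificateFile /etc/pki/tls/certs/localhost.crt\n"
                            "SSLCertificateKeyFile /etc/pki/tls/private/localhost.key\n</VirtualHost>\n"),
        "conf/httpd-le-ssl.conf": ("<IfModule mod_ssl.c>\n<VirtualHost *:443>\nServerName example.com\n"
                                   "ServerAlias www.example.com\n"
                                   "SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem\n"
                                   "SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem\n"
                                   "</VirtualHost>\n</IfModule>\n"),
    }
    for rel, text in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)
    return root


if __name__ == "__main__":
    report = audit(build_sample_tree(), ["www.example.com", "mail.example.com"])
    for source, cert in report["order"]:
        print(f"{source}: {cert}")
    print("default cert for names no vhost lists:", report["default_cert"])
    for host, cert in report["served"].items():
        print(f"{host} -> {cert}")
```

On the constructed tree the ssl.conf block comes first, so any name that no ServerName/ServerAlias covers (a bare IP, a hostname added in DNS but not yet in the vhost, as in the first posts of this thread) is answered with the self-signed localhost.crt, while names the LE vhost lists get the Let's Encrypt certificate. On a real box, `httpd -S` prints the same vhost order and defaults straight from the running configuration, and is the quicker check before editing anything.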
system
Closed
March 29, 2019, 10:40pm
14
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.