Invalid Cert for www. Domain


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.gr0wthdr1vers.com/

I ran this command: ./certbot-auto --apache

It produced this output:

My web server is (include version): Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

https://gr0wthdr1vers.com WORKS
https://www.gr0wthdr1vers.com INVALID

Alternate names in the cert are listed as: gr0wthdr1vers.com www.gr0wthdr1vers.com


#2

Hi @matto408

the www version doesn’t have a DNS entry, an A- or AAAA-record is required (checked with https://check-your-website.server-daten.de/?q=gr0wthdr1vers.com ):

Host T IP-Address is auth. ∑ Queries ∑ Timeout
gr0wthdr1vers.com A 172.99.75.122 yes 1 0
AAAA yes
www.gr0wthdr1vers.com Name Error yes 1

So first step: Create a new A-record with the same ip address as your non-www version.

Second step: Add the www as ServerAlias to your existing vHost.

Third step: Create a certificate with both domain names:

./certbot-auto --apache -d gr0wthdr1vers.com -d www.gr0wthdr1vers.com

PS: It’s curious, you don’t have a dns entry, so it’s impossible to use the www version. But your certificate has both domain names:

CN=gr0wthdr1vers.com
	26.02.2019
	27.05.2019
expires in 90 days	gr0wthdr1vers.com, www.gr0wthdr1vers.com - 2 entries

#3

Thanks for the quick reply!

I’ve added the extra A Name and it looks like it propagated.
I double checked that the ServerAlias is set as ServerAlias www.gr0wthdr1vers.com

I re-ran the certbot-auto command and still no luck.

I tried both 1: Attempt to reinstall this existing certificate. and 2: Renew & replace the cert


#4

I see, you have rechecked your domain.

Yep, that’s good:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
gr0wthdr1vers.com A 172.99.75.122 yes 1 0
AAAA yes
www.gr0wthdr1vers.com A 172.99.75.122 yes 1 0
AAAA yes

Your non-www uses the certificate with both domain names.

Your www uses a self signed certificate:

E=root@gr0wthdr1verrs, CN=gr0wthdr1verrs, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
	15.02.2019
	15.02.2020
expires in 354 days

So it looks that the standard / default vHost is used. Share your vHost configuration.


#5
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName gr0wthdr1vers.com
    ServerAlias www.gr0wthdr1vers.com
    DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gr0wthdr1vers.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gr0wthdr1vers.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gr0wthdr1vers.com/chain.pem
</VirtualHost>
</IfModule>
<IfModule mod_ssl.c>
<VirtualHost *:80>
    ServerName gr0wthdr1vers.com
    ServerAlias www.gr0wthdr1vers.com
    DocumentRoot /var/www/html
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =www.gr0wthdr1vers.com [OR]
#RewriteCond %{SERVER_NAME} =gr0wthdr1vers.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
</IfModule>

generated by bot ^^^

Original:

<VirtualHost *:80>
    ServerName gr0wthdr1vers.com
    ServerAlias www.gr0wthdr1vers.com
    DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =gr0wthdr1vers.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#6

Your config looks ok.

But is there a standard definition in your main config file? (SSL)

And is there a ServerName / ServerAlias?


#7

Hm, I’m actually not sure what that it. The second Snippet above (Original) is in the main config file. Would you mind posting an example of what I should look for? Thanks for being so helpful so far!


#8

You must have a second SSL-definition with

SSLCertificateFile /etc/letsencrypt/live/gr0wthdr1vers.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gr0wthdr1vers.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gr0wthdr1vers.com/chain.pem

but with other files of the self signed certificate. That is used instead of this vHost.


#9

Isn’t that the first snippet from /etc/httpd/conf/httpd-le-ssl.conf?

<VirtualHost *:443>
    ServerName gr0wthdr1vers.com
    ServerAlias www.gr0wthdr1vers.com
    DocumentRoot /var/www/html
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/gr0wthdr1vers.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/gr0wthdr1vers.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/gr0wthdr1vers.com/chain.pem
</VirtualHost>

Which seems to be included at the bottom of httpd.conf as

Include /etc/httpd/conf/httpd-le-ssl.conf


#10

The same keywords, but other values:

SSLCertificateFile selfsigned.cert.pem
SSLCertificateKeyFile selfsigned.cert.privkey.pem
SSLCertificateChainFile selfsigned.cert.chain.pem

There must be somewhere such a definition with other values as file names.


#11

Perfect, yes you were right. I found those values pointing at default local configurations in /etc/httpd/conf.d/ssl.conf

I set the values there to point to the new Cert files and worked like a charm. Thanks for all the help @JuergenAuer


#12

Yep, rechecked your domain. Now there is only one certificate used:

CN=gr0wthdr1vers.com
	26.02.2019
	27.05.2019
expires in 89 days	gr0wthdr1vers.com, www.gr0wthdr1vers.com - 2 entries

With both domain names, both are ok.

But it’s curious:

Looks like your two connections are using different settings:

The non-www:

DiffieHellman | 2048 | Aes128 | 128 | Sha256

The www:

ECDH Ephermal | 384 | Aes256 | 256 | Sha1


#13

We have learned that this can be a problem on CentOS because the Include order allows the default ssl.conf to override other virtual hosts (depending on their alphabetical positioning!).

There are various ways to fix this and a future version of Certbot will try to be cleverer about it.


closed #14

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.