Invalid certificate in a domain using certbot


#1

I have two domains, oznet.cl and mail.oznet.cl, and I need to make separate certificates.

Make certificates:
$ certbot certonly --standalone -d oznet.cl --debug
$ certbot certonly --standalone -d mail.oznet.cl --debug

The two certificates are created successfully.

I implemented this in httpd on CentOS 7 using virtual hosts; oznet.cl works fine but mail.oznet.cl does not work :frowning2:

The virtual host configuration for each domain:

<VirtualHost *:443>
    ServerAlias mail.oznet.cl
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/mail.oznet.cl/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mail.oznet.cl/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/mail.oznet.cl/fullchain.pem
    ....

How can I verify the generated certificates from the .pem files and from httpd? How can I verify whether the problem is with the cert or with the web server?

Thanks.


#2

mail.oznet.cl is serving a self-signed certificate, not one from Let’s Encrypt. My best guess would be that there’s a second vhost in your configuration with different SSL* directives. Try grep -r "SSLCertificateFile" /etc/httpd/ to find that file.


#3
[root@oznet ~]# grep -r "mail.oznet.cl" /etc/httpd/
/etc/httpd/sites-available/cl.oznet.mail.conf:        ServerAlias mail.oznet.cl
/etc/httpd/sites-available/cl.oznet.mail.conf:        ServerAlias mail.oznet.cl
/etc/httpd/sites-available/cl.oznet.mail.conf:    SSLCertificateFile /etc/letsencrypt/live/mail.oznet.cl/cert.pem
/etc/httpd/sites-available/cl.oznet.mail.conf:    SSLCertificateKeyFile /etc/letsencrypt/live/mail.oznet.cl/privkey.pem
/etc/httpd/sites-available/cl.oznet.mail.conf:    SSLCertificateChainFile /etc/letsencrypt/live/mail.oznet.cl/fullchain.pem
[root@oznet ~]# ll /etc/httpd/sites-enabled/cl.oznet.mail.conf
lrwxrwxrwx 1 root root 37 dic 19 11:52 /etc/httpd/sites-enabled/cl.oznet.mail.conf -> ../sites-available/cl.oznet.mail.conf
[root@oznet ~]# grep -r "etc/pki" /etc/httpd/
/etc/httpd/sites-available/000-default.conf:    SSLCertificateFile /etc/pki/tls/certs/ca.crt
/etc/httpd/sites-available/000-default.conf:    SSLCertificateKeyFile /etc/pki/tls/private/ca.key
[root@oznet ~]# ll /etc/letsencrypt/live/mail.oznet.cl/
total 0
lrwxrwxrwx 1 root root 37 dic 19 11:55 cert.pem -> ../../archive/mail.oznet.cl/cert1.pem
lrwxrwxrwx 1 root root 38 dic 19 11:55 chain.pem -> ../../archive/mail.oznet.cl/chain1.pem
lrwxrwxrwx 1 root root 42 dic 19 11:55 fullchain.pem -> ../../archive/mail.oznet.cl/fullchain1.pem
lrwxrwxrwx 1 root root 40 dic 19 11:55 privkey.pem -> ../../archive/mail.oznet.cl/privkey1.pem

In total I have more than 10 virtual hosts with SSL using Let's Encrypt; your command gives a long result for each vhost on the server.


#4

Using grep -r "SSLCertificateFile" /etc/httpd/, look for values that don’t point to a certificate in /etc/letsencrypt. That will in all likelihood be the self-signed certificate apache decided to use for the mail subdomain.

This is assuming the files in /etc/letsencrypt were not somehow manually replaced by a self-signed certificate. You can quickly verify this using openssl x509 -in /etc/letsencrypt/live/mail.oznet.cl/cert.pem -noout -text | grep Issuer:
The output should be “Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3”.


#5

I found the solution: my virtual host says ServerAlias mail.oznet.cl but it should be ServerName mail.oznet.cl. It's an Apache bug: all virtual hosts work, but the SSL path is not executed when the name of the virtual host is not set correctly; it is part of Apache's error tolerance.

Thanks.
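An added check script, not from the thread or from certbot, that covers the question in #1, the issuer check in #4 and the cause found in #5: it reports SSL vhost blocks that carry a ServerAlias but no ServerName, prints a PEM file's issuer, and compares the fingerprint httpd actually serves for a name with the Let's Encrypt file on disk. It assumes openssl on PATH and the /etc/letsencrypt/live/<name>/cert.pem layout shown in #3; the vhost scan is general and works on any httpd config file.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: openssl on PATH, and the
# /etc/letsencrypt/live/<name>/cert.pem layout shown in post #3.

# Report <VirtualHost> blocks that have a ServerAlias but no ServerName. Apache never
# selects such a block by name, so the request falls through to the default vhost.
vhosts_missing_servername() {  # $1 = httpd config file
    awk '
        tolower($1) == "<virtualhost" { inblock = 1; hasname = 0; alias = ""; start = NR; next }
        inblock && tolower($1) == "servername"  { hasname = 1 }
        inblock && tolower($1) == "serveralias" { alias = $2 }
        tolower($1) == "</virtualhost>" {
            if (inblock && !hasname) printf "line %d: ServerAlias %s without ServerName\n", start, alias
            inblock = 0
        }' "$1"
}

# Issuer of the certificate in a PEM file (the check suggested in post #4).
file_issuer() {  # $1 = path to cert.pem
    openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//'
}

# SHA-256 fingerprint of the certificate in a PEM file.
file_fingerprint() {  # $1 = path to cert.pem
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of the certificate httpd actually presents for an SNI name.
served_fingerprint() {  # $1 = host:port, $2 = SNI name
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# "Is it the cert or the web server?": if the served fingerprint differs from the
# Let's Encrypt file on disk, httpd is answering from a different vhost.
check_vhost() {  # $1 = host:port, $2 = name
    disk=$(file_fingerprint "/etc/letsencrypt/live/$2/cert.pem")
    live=$(served_fingerprint "$1" "$2")
    [ "$disk" = "$live" ] && { echo "$2: served cert matches disk ($disk)"; return 0; }
    echo "$2: MISMATCH served=$live disk=$disk (another vhost is answering)"; return 1
}

# Constructed sample (not the poster's file): the alias-only block from post #1.
sample=$(mktemp)
printf '<VirtualHost *:443>\n    ServerAlias mail.oznet.cl\n    SSLEngine On\n</VirtualHost>\n' > "$sample"
vhosts_missing_servername "$sample"   # -> line 1: ServerAlias mail.oznet.cl without ServerName
rm -f "$sample"
```

To test a live server, run `check_vhost oznet.cl:443 mail.oznet.cl`; a mismatch means the fix is in httpd's vhost selection, not in the certificate files.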

