Invalid certificate, need to install an intermediate certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: dev.commissions.leg.state.mn.us

I ran this command: certbot --apache -d dev.commissions.leg.state.mn.us -d dev.gis.lcc.mn.gov

It produced this output: It appears to work correctly, it generated these files -
lrwxrwxrwx 1 root root 55 Jun 28 09:52 cert.pem -> ../../archive/dev.commissions.leg.state.mn.us/cert1.pem
lrwxrwxrwx 1 root root 56 Jun 28 09:52 chain.pem -> ../../archive/dev.commissions.leg.state.mn.us/chain1.pem
lrwxrwxrwx 1 root root 60 Jun 28 09:52 fullchain.pem -> ../../archive/dev.commissions.leg.state.mn.us/fullchain1.pem
lrwxrwxrwx 1 root root 58 Jun 28 09:52 privkey.pem -> ../../archive/dev.commissions.leg.state.mn.us/privkey1.pem

dev.gis.lcc.mn.gov works correctly; it's an alias to the dev.commissions.leg.state.mn.us domain.

My web server is (include version): Apache 2.4.53

The operating system my web server runs on is (include version): RHEL 9.1

My hosting provider, if applicable, is: state government

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.6

The issued on date shows April 18, 2023. I've been struggling with this issue so deleted all the certificates and created new ones on June 28, 2023. Certbot certificates shows this:

Certificate Name: dev.commissions.leg.state.mn.us
Serial Number: 31f0d4ca258910b64cc135ba2b383f96843
Key Type: ECDSA
Domains: dev.commissions.leg.state.mn.us dev.gis.lcc.mn.gov
Expiry Date: 2023-09-26 13:52:15+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/dev.commissions.leg.state.mn.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dev.commissions.leg.state.mn.us/privkey.pem

I've restarted Apache multiple times, even rebooted the server. I'm hoping by updating the issued date it will work correctly.

Hello @lmm61, welcome to the Let's Encrypt community. :slightly_smiling_face:

Yes, the domain dev.gis.lcc.mn.gov looks good.

However, the domain dev.commissions.leg.state.mn.us is using a self-signed certificate.

Likely a configuration issue with Apache.
Here, details on Apache can be found in documentation and forums:


Thanks Bruce. I'm not sure how that explains the date discrepancy. The original certificate was created on April 18, 2023 but has since been deleted. The new certificates are dated yesterday (June 28, 2023).

Here's what the Apache config looks like:

<VirtualHost *:443>
     DocumentRoot /home/web
     ServerName dev.commissions.leg.state.mn.us
     ServerAlias dev.commissions.leg.state.mn.us
     Redirect permanent / https://dev.commissions.leg.state.mn.us
     RewriteEngine on

     SSLCertificateFile /etc/letsencrypt/live/dev.commissions.leg.state.mn.us/fullchain.pem
     SSLCertificateKeyFile /etc/letsencrypt/live/dev.commissions.leg.state.mn.us/privkey.pem
     Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Two things:

  • Your ServerAlias is the same as ServerName, which is kinda (very) unnecessary
  • Secondly you've generated a redirect loop in this virtualhost: it's already the port 443 HTTPS VirtualHost and it's redirecting to the same hostname as itself with the https:// protocol: i.e.: to itself

The fact we don't actually GET a redirect loop suggests to me that your Apache configuration has TWO VirtualHost sections for dev.commissions.leg.state.mn.us: one with the self-signed certificate, but without the redirect, and a second one with Let's Encrypt certs configured, but which should fail with a redirect loop to itself.

Please show the output of the command: sudo apachectl -t -D DUMP_VHOSTS


Thank you, here you go:

httpd -t -D DUMP_VHOSTS
[Thu Jun 29 12:00:53.510335 2023] [so:warn] [pid 20786:tid 20786] AH01574: module fcgid_module is already loaded, skipping
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server dev.commissions.leg.state.mn.us (/etc/httpd/conf/httpd.conf:404)
         port 80 namevhost dev.commissions.leg.state.mn.us (/etc/httpd/conf/httpd.conf:404)
                 alias dev.commissions.leg.state.mn.us
         port 80 namevhost dev.gis.lcc.mn.gov (/etc/httpd/conf/httpd.conf:409)
                 alias dev.gis.lcc.mn.gov
*:443                  is a NameVirtualHost
         default server dev.commissions.leg.state.mn.us (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost dev.commissions.leg.state.mn.us (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost dev.commissions.leg.state.mn.us (/etc/httpd/conf/httpd.conf:392)
                 alias dev.commissions.leg.state.mn.us
         port 443 namevhost dev.gis.lcc.mn.gov (/etc/httpd/conf/httpd.conf:415)


And thirdly:

  • RewriteEngine on

It's turned on and never used - remove that line.

But as noted, this isn't the vhost config that is being served to the public.

Two files with the same name:port.
This is a well-known defect in Apache - it allows for such without any warning.

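The shadowed-vhost condition described in the replies above, as an added example that is not code from the thread or from Apache: a POSIX sh script that reads apachectl -t -D DUMP_VHOSTS output and reports every port/hostname pair defined more than once, listing the definition Apache will actually serve first and the shadowed ones after it. The sample dump is constructed to match the shape of the output posted above; the function names find_duplicate_vhosts and served_cert_matches_file are chosen here, and the optional live check assumes openssl is installed and the host is reachable on 443.

```shell
#!/bin/sh
# Added example (not code from the thread): detect the "two VirtualHosts for
# the same name:port" condition from `apachectl -t -D DUMP_VHOSTS` output, and
# optionally compare the certificate Apache actually serves for a hostname
# against the PEM file the intended vhost points at.

# Constructed sample, shaped like the DUMP_VHOSTS output posted in the thread.
SAMPLE_DUMP='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server dev.commissions.leg.state.mn.us (/etc/httpd/conf/httpd.conf:404)
         port 80 namevhost dev.commissions.leg.state.mn.us (/etc/httpd/conf/httpd.conf:404)
         port 80 namevhost dev.gis.lcc.mn.gov (/etc/httpd/conf/httpd.conf:409)
*:443                  is a NameVirtualHost
         default server dev.commissions.leg.state.mn.us (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost dev.commissions.leg.state.mn.us (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost dev.commissions.leg.state.mn.us (/etc/httpd/conf/httpd.conf:392)
         port 443 namevhost dev.gis.lcc.mn.gov (/etc/httpd/conf/httpd.conf:415)'

# Read DUMP_VHOSTS text on stdin; print "<port> <host> <loc1> <loc2> ..." for
# every port/hostname pair defined more than once. Apache serves the first
# definition it encountered (loc1) and silently ignores the later ones.
find_duplicate_vhosts() {
    awk '
        $1 == "port" && $3 == "namevhost" {
            key = $2 " " $4
            loc = $5
            gsub(/[()]/, "", loc)          # "(/path/file:NN)" -> "/path/file:NN"
            count[key]++
            locs[key] = (count[key] == 1) ? loc : locs[key] " " loc
        }
        END {
            for (k in count)
                if (count[k] > 1) print k, locs[k]
        }
    ' | sort
}

# Live check (needs network and openssl; not exercised offline): SHA-256
# fingerprint of the leaf certificate presented for hostname $1 via SNI on
# $2:443 (defaults to $1), versus the first certificate in PEM file $3.
# Prints "match" or "MISMATCH"; a MISMATCH means another vhost is answering.
served_cert_matches_file() {
    host=$1; connect_to=${2:-$1}; pem=$3
    served=$(openssl s_client -connect "$connect_to:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256)
    on_disk=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    if [ -n "$served" ] && [ "$served" = "$on_disk" ]; then echo match; else echo MISMATCH; fi
}

# Usage on a real host: pipe the live dump instead of the sample, e.g.
#   apachectl -t -D DUMP_VHOSTS 2>/dev/null | find_duplicate_vhosts
#   served_cert_matches_file dev.example.org "" /etc/letsencrypt/live/dev.example.org/fullchain.pem
printf '%s\n' "$SAMPLE_DUMP" | find_duplicate_vhosts
```

On the constructed sample this prints a single line naming port 443 and the hostname, with /etc/httpd/conf.d/ssl.conf:40 first (the self-signed default vhost that wins) and /etc/httpd/conf/httpd.conf:392 second (the Let's Encrypt vhost that is never reached), which is exactly the situation the DUMP_VHOSTS output above shows.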

Here are lists of issued certificates


I originally created two different certificates for each of the domains and then was trying to force renewals after some tinkering, hoping to resolve the problem. I came across a discussion saying multiple domains should be in one certificate. That was when I deleted the certificates and created a new one, yesterday. This isn't reflected in the crt.sh page.

Please show the conflicting file:

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLCryptoDevice builtin

<VirtualHost _default_:443>

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLHonorCipherOrder on

SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

What's the hostname of that server? I.e., the output of the command hostname.


OK, you can't remove that file.
You need to change the ServerName in the main host config file.
One should never call the host server by a name it will be serving content from.


Yes, it is dev.commissions.leg.state.mn.us, will rename it.


Sweet, that took care of it. Thank you!

