Invalid certificate with Ubuntu 12.04 LTS (and No-IP with registered domain)

erick · May 17, 2016, 1:02am

Hi you all guys! I’m starting to work on a web radio, and I’m stuck. Which files or system variables consults the letsencrypt/certbot script? and, where can they be localized? I’m trying to get a valid certificate with no luck.

I own a domain, www.acusmatica.org.mx, for a new project that I’m working on (alpha stage). I’m managing the domain with No-IP, and I’m trying to get a certificate, but something isn’t workin well.

I’m using Ubuntu 12.04 LTS.

These are my files:

#cat /etc/hosts:
127.0.0.1 localhost.localdomain localhost
127.0.1.1 homoacusmatico.acusmatica.org.mx homoacusmatico

The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

#cat /etc/hostname:
homoacusmatico

(FQDN:
#hostname -f
homoacusmatico.acusmatica.org.mx

#uname -a
Linux homoacusmatico 3.13.0-32-generic #57~precise1-Ubuntu SMP Tue Jul 15 03:51:20 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
)

(Next if for VirtualHost *:80)

cat acusmatica-vhost.conf

<VirtualHost *:80>
ServerName acusmatica.org.mx
ServerAlias www.acusmatica.org.mx

  ServerAdmin ericko7@yahoo.com

  ErrorLog ${APACHE_LOG_DIR}/error.log
  CustomLog ${APACHE_LOG_DIR}/access.log combined

DocumentRoot /var/www/

  SetEnv APPLICATION_ENV "production"

(Next is for VirtualHost *:443)

cat airtime-vhost.conf

<VirtualHost *:443>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
Header always set Strict-Transport-Security “max-age=31536000”

  ServerName acusmatica.org.mx
  ServerAlias www.acusmatica.org.mx

  ServerAdmin ericko7@yahoo.com

  DocumentRoot /usr/share/airtime/public
  DirectoryIndex index.php

  <Directory /usr/share/airtime/public>
          Options -Indexes FollowSymLinks MultiViews
          AllowOverride all
          Order allow,deny
          Allow from all
  </Directory>

cat default-le-ssl.conf

ServerAdmin webmaster@localhost

DocumentRoot /var/www
<Directory />
	Options FollowSymLinks
	AllowOverride None
</Directory>
<Directory /var/www/>
	Options Indexes FollowSymLinks MultiViews
	AllowOverride None
	Order allow,deny
	allow from all
</Directory>

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
	AllowOverride None
	Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
	Order allow,deny
	Allow from all
</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn

CustomLog ${APACHE_LOG_DIR}/access.log combined

Alias /doc/ "/usr/share/doc/"
<Directory "/usr/share/doc/">
    Options Indexes MultiViews FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Allow from 127.0.0.0/255.0.0.0 ::1/128
</Directory>

SSLCertificateFile /etc/letsencrypt/live/acusmatica.org.mx/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/acusmatica.org.mx/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
ServerName acusmatica.org.mx
ServerAlias www.acusmatica.org.mx
SSLCertificateChainFile /etc/letsencrypt/live/acusmatica.org.mx/chain.pem

They’re enabled:

ls sites-enabled/ -l

total 0
lrwxrwxrwx 1 root root 40 may 11 21:04 acusmatica-vhost.conf -> …/sites-available/acusmatica-vhost.conf
lrwxrwxrwx 1 root root 37 may 10 20:07 airtime-vhost.conf -> …/sites-available/airtime-vhost.conf
lrwxrwxrwx 1 root root 48 may 10 23:32 default-le-ssl.conf -> /etc/apache2/sites-available/default-le-ssl.conf

I’ve no multiple vhost in my vhost files. Only one per file.

Don’t know what’s wrong

Thanks in advance!

schoen · May 17, 2016, 1:33am

Could you explain what isn't working well? What kind of output do you get when you run certbot, and what command did you use when you ran it?

erick · May 17, 2016, 3:40am

Thanks for your time Schoen. Last week I used:

./letsencrypt-auto --apache -d www.acusmatica.org.mx -d acusmatica.org.mx

And today I used:

./certbot-auto --apache --break-my-certs --test-cert --staging

In both cases, the script runs fine, with no problem. But the first time I got a cert that only included “acusmatica” name, and not the FQDN. When I tested, at Qualys SSL Labs, the results says Common name Mismatch. I thought that perhaps my installation was broken, then I reinstalled the server. After I tryed with certbot today, again I got a name mismatch, but now my cert says “ubuntu”.

So, I really can’t figure it out what could it be.

Thanks!

davep · May 17, 2016, 10:27am

I don’t know if this will help you, but it helped someone else yesterday https://community.letsencrypt.org/t/certbot-on-raspbian-illegal-instruction/15813/2?u=davep

I get offered the www. as well as the naked domain with a similar ServerName and ServerAlias setup to yours.

erick · May 17, 2016, 4:36pm

Thank you davep! I tested it, but that doesn’t work either. I still get a cert named “Ubuntu”

schoen · May 17, 2016, 6:23pm

I'm not quite sure what you meant by "only included 'acusmatica' name, and not the FQDN" or "my cert says 'ubuntu'". Are you viewing the subjects of these certs with openssl x509 -in cert.pem -text -noout or something? Are the certs issued by Let's Encrypt? What exact names that they cover?

erick · May 17, 2016, 6:54pm

Sorry for the confusion.

In the common name (nombre comun), my cert says “Ubuntu”, instead of the Fully Qualified Domain Name (FQDN, “www.acusmatica.org.mx”, nor “acusmatica.org.mx”). I’m watching the cert content through Google Chrome browser. Both attempts were made via LetsEncrypt (last week with letsencrypt-auto, and this week with certbot-auto). This is how it looks:

schoen · May 17, 2016, 7:39pm

That’s not a Let’s Encrypt cert at all. It’s a self-signed certificate (and it was created on May 8). Are you using some other tools related to TLS setup?

erick · May 17, 2016, 7:45pm

No, and thanks schoen! that’s a very good point. Remember that I made a full reinstall from zero. Perhaps the certificate has not been sent ? how can I check that my new certificate is been used by my https server ?

schoen · May 17, 2016, 10:01pm

I’m just looking at your

  SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
  SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

for the other domain – if you look at that cert with openssl x509 -in /etc/ssl/certs/ssl-cert-snakeoil.pem -text -noout, are they for “ubuntu”?

erick · May 17, 2016, 10:23pm

Yes, for “ubuntu”:

Certificate:
Data:
Version: 1 (0x0)
Serial Number: 9910887308138365389 (0x898a8b7f2283c1cd)
Signature Algorithm: sha1WithRSAEncryption
Issuer: CN=ubuntu
Validity
Not Before: May 9 04:39:51 2016 GMT
Not After : May 7 04:39:51 2026 GMT
Subject: CN=ubuntu
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:ae:75:c5:22:b1:b4:0e:80:a9:12:22:74:af:69:
e8:66:ba:e1:65:72:a5:b2:b1:c6:d3:fd:be:2a:14:
a9:35:dc:f9:2b:55:86:f0:d8:eb:d9:5d:2e:73:2d:
9a:e0:77:0b:f4:59:86:72:0e:e3:f7:5a:f5:1b:c1:
ce:8c:1b:35:d9:d5:96:66:7c:96:93:4e:d9:d6:54:
30:8f:8a:f0:6e:e8:43:10:a9:b5:b2:5f:ab:d8:56:
cb:6c:d8:ea:24:65:6b:f7:ba:fc:c4:19:f2:bd:16:
43:11:2b:5f:26:66:48:d9:9d:b6:2e:30:e8:30:67:
ed:73:3e:bb:a7:a2:a6:2b:e4:bf:60:f7:45:e8:fd:
ea:4f:a5:07:a7:51:6d:28:44:3b:76:77:a3:b1:d2:
fa:a0:a1:2b:14:0f:ed:2e:91:11:12:fe:1a:be:2a:
d7:10:e2:90:1a:ef:bc:db:08:59:56:6f:78:f4:23:
6c:07:d3:30:b1:28:ba:2b:2e:c8:aa:1a:7b:33:fe:
fc:7e:5f:5a:ec:1b:98:a8:f8:b8:cd:f8:08:d0:6e:
a5:07:7d:8a:6c:54:d6:df:72:db:26:0a:8f:6c:2c:
6a:36:a5:36:5b:2a:f3:16:46:14:26:07:11:d2:74:
59:22:e0:75:cb:a0:5f:71:4b:c3:b7:76:32:0e:bb:
0a:d9
Exponent: 65537 (0x10001)
Signature Algorithm: sha1WithRSAEncryption
5a:2b:0d:1f:7b:e6:c1:0c:1e:4f:47:fa:ae:90:6f:64:27:f6:
6f:9a:31:89:fc:0c:7c:29:02:8b:a3:21:90:d6:46:eb:a7:3e:
76:fb:16:f7:d0:0f:8d:2d:f5:55:9f:74:7c:5f:21:d7:c0:4b:
6d:4a:01:ff:2a:52:ec:b1:73:b0:71:17:96:e1:be:89:f3:fa:
73:e7:55:07:c1:78:79:27:06:ce:9d:4a:1f:f9:a2:cc:77:23:
85:43:a6:57:cb:c7:53:6f:43:c7:0c:b1:8a:bc:80:98:4f:32:
bc:4d:f3:d0:74:fb:06:e1:fc:73:85:8f:f1:9d:ca:e8:6f:49:
04:a1:7a:85:d1:05:25:e7:69:2e:02:be:40:75:0f:80:af:35:
91:69:a0:eb:81:0f:86:bc:10:21:07:c9:86:09:5d:0d:74:b7:
32:26:5b:b9:be:29:ec:3a:fc:c8:06:08:ec:57:06:55:76:32:
8e:e4:cf:ee:45:80:b4:01:bf:ab:59:ba:1e:02:4a:0a:ad:b5:
1e:13:b4:cf:63:cd:b4:a7:f2:1c:8f:7d:1d:d9:0a:d2:dc:23:
8e:5d:c4:55:61:d7:07:98:f4:2f:fc:47:92:16:42:6a:2c:46:
2d:4b:57:09:db:d3:00:60:6e:a4:9c:1e:f4:74:59:21:41:66:
fc:76:0a:2e

schoen · May 17, 2016, 10:39pm

OK, the problem that I see is that airtime-vhost.conf is configured for your acusmatica names, but is using the self-signed cert that came with your OS or web server (the ssl-cert-snakeoil.pem). I don’t know why you have a duplicate virtual host configuration that is serving the same names, but you need to eliminate airtime-vhost.conf or make it no longer refer to the acusmatica names. (Notice that you have two different vhost files that both say

ServerName acusmatica.org.mx
ServerAlias www.acusmatica.org.mx

while assigning otherwise different configurations to it.)

erick · May 18, 2016, 12:56am

That make senses to me, and was so obvious, that I didn’t figure it out (my bad). Now, I’m going to test it. By the moment, Qualyss SSL Labs indicates that my site gets a “B”, and the cert looks fine.

Thank you!!!

system · June 17, 2016, 12:56am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.