Let's Encrypt certificate lists wrong issuer


#1

I have a letsencrypt certificate for server2.powernav.com. I created it using certbot as a standalone certificate. I have the certificate working fine with postfix and with courier imap. No problems sending or receiving. I renewed it today using certbot renew but had to turn off apache to do it.
I have tried configuring an Apache virtual host to use this same certificate. I'm running CentOS 7, Apache 2.4.6.
The vhost conf file:
<VirtualHost 67.210.105.232:443>
    ServerName server2.powernav.com
    DocumentRoot /var/www/server2.powernav.com/public

    <Directory /var/www/server2.powernav.com/public>
        Options +Includes -Indexes -FollowSymLinks -MultiViews
        AllowOverride All
    </Directory>

    CustomLog /var/log/httpd/powernav.com-access.log combined
    ErrorLog /var/log/httpd/powernav.com-error.log
    LogLevel warn

    SSLEngine on
    SSLCertificateChainFile /etc/letsencrypt/live/server2.powernav.com/fullchain.pem
    SSLCertificateFile /etc/letsencrypt/live/server2.powernav.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/server2.powernav.com/privkey.pem

    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>

Chrome says NET: Cert Authority Invalid. When you look at the details by clicking on the error, the issuer is server2.powernav.com. Try this URL: https://www.ssllabs.com/ssltest/analyze.html?d=server2.powernav.com You get a name mismatch.

I can't seem to figure out what is wrong.


#2

Hi,

Do you restart your Apache after the cert installation?

Can you execute this command and see if your domain vHost is in there?
apachectl -S / apache2ctl -S

Thank you


#3

Thanks for replying
I have restarted the httpd server after every change I have made. CentOS 7 doesn't have apache2ctl as a command. The server is stopped and started with systemctl start/stop/restart httpd. I don't know how to get a list of vhosts, but if you open the URL https://server2.powernav.com in Chrome or Firefox you will see what I see.


#4

While a certificate for this domain was issued today, that is not the certificate being served by your web server. My guess is that some other part of your Apache config is pre-empting the configuration you posted. Could you post your full apache configs?


#5

I looked at the Chrome output of the three parts in the chain. They are identical to the cert.pem, chain.pem and the first part of the fullchain.pem. All of those files were issued today.
Where are you getting the information on the certificates supplied by the server? This is the only virtual server that is configured for https. The only other place that has a reference to a certificate is the ssl.conf file in the conf.d directory. That file refers to a default certificate generated by the server when it was installed. I think the vhost file configuration overrides that.

Thanks
Ernie


#6

Thanks for your help. I managed to solve the problem
using this: openssl s_client -showcerts -connect server2.powernav.com:443

I received a list of certs. openssl could not verify the first certificate.
You were right, it was not the cert issued today. Instead it's the certificate generated when the server was installed.
The problem arises because the virtual server name is the same as the server's hostname (server2.powernav.com). Apache serves the self-generated certificate.

To overcome this I changed the ssl.conf file in /etc/httpd/conf.d/ssl.conf to
use the letsencrypt crt and the privkey.pem and the chain.pem.
Things worked fine after that.
Thanks again
Ernie
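The check Ernie did by hand with openssl s_client, as an added Python example that is not from this thread: it fetches the leaf certificate a server actually sends for a given SNI name, fingerprints it, and compares it against the files in the Let's Encrypt live directory so you can tell at once whether the default vhost in ssl.conf (or any other vhost) is winning. The two sample PEM blobs are constructed placeholders, not real certificates; the helper names are my own.

```python
"""Check whether the certificate a TLS server serves for a name matches the
Let's Encrypt files on disk (hypothetical helper, not part of certbot)."""
import base64
import hashlib
import re
import socket
import ssl
import sys
from typing import Dict, Optional

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed sample "certificates": the base64 payloads are arbitrary bytes,
# only used to exercise the fingerprint/matching logic offline.
SAMPLE_LEAF = "-----BEGIN CERTIFICATE-----\naGVsbG8=\n-----END CERTIFICATE-----\n"
SAMPLE_DEFAULT = "-----BEGIN CERTIFICATE-----\nd29ybGQ=\n-----END CERTIFICATE-----\n"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 hex fingerprint of the FIRST certificate in a PEM string.
    For fullchain.pem that is the leaf, so it compares equal to cert.pem."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def served_fingerprint(host: str, port: int = 443, sni: Optional[str] = None) -> str:
    """Fingerprint of the leaf cert the server sends for the given SNI name.
    Verification is disabled on purpose: we want to see the cert even when it
    is the self-signed default, which is exactly the case being diagnosed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()


def match_served(served: str, candidates: Dict[str, str]) -> str:
    """Label of the candidate PEM whose leaf equals the served fingerprint,
    or 'none' when some other vhost's certificate is being sent."""
    for label, pem in candidates.items():
        if pem_fingerprint(pem) == served:
            return label
    return "none"


if __name__ == "__main__":
    # usage: check_cert.py server2.powernav.com /etc/letsencrypt/live/server2.powernav.com
    name, live_dir = sys.argv[1], sys.argv[2]
    files = {f: open(f"{live_dir}/{f}").read() for f in ("cert.pem", "fullchain.pem")}
    served = served_fingerprint(name)
    print("served leaf:", served, "matches:", match_served(served, files))
```

If the result is "none", the served certificate is not any of the certbot files, which is the situation in this thread: check apachectl -S and the `<VirtualHost _default_:443>` block in ssl.conf for the vhost that is actually answering on that IP and port.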

