Let's Encrypt certificate not being used on Apache running on CentOS 7

Hi,

I’ve read lots of other support requests on issues with Let’s Encrypt installing incorrectly on CentOS, but I’m not sure how to resolve the issue. I think the issue is somehow related to virtual hosts.

Here are the contents of my /etc/httpd/file:

NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin email removed
ServerName example.com
ServerAlias example.com
DocumentRoot /var/www/html/example.com/public_html/
ErrorLog /var/www/html/example.com/logs/error.log
CustomLog /var/www/html/example.com/logs/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

My domain is: example.com

I ran this command: sudo certbot --apache -d example.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): email_removed@reducing_spam.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v02.api.letsencrypt.org/directory


(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about our work
encrypting the web, EFF news, campaigns, and ways to support digital freedom.


(Y)es/(N)o: N
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/httpd/conf.d/vhost.conf to ssl vhost in /etc/httpd/conf.d/vhost-le-ssl.conf


Congratulations! You have successfully enabled https://example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=example.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/example.com/privkey.pem
    Your cert will expire on 2019-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7 64 bit

My hosting provider, if applicable, is: VPS

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

Hi @mrankin

you have created a new certificate

Issuer: Let's Encrypt Authority X3
not before: 2019-08-23
not after: 2019-11-21
Domain names: masteroi.com - 1 entries
LE-Duplicate next LE: duplicate nr. 1

So that part works. But you don't use it; instead, there is a self-signed certificate ( https://check-your-website.server-daten.de/?q=masteroi.com ):

E=root@masteroi.com, CN=masteroi.com, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
not before: 22.08.2019
not after: 21.08.2020
expires in 363 days

Looks like Certbot doesn't understand your configuration.

What says

apachectl -S (or, if it doesn't work)
httpd -S

That's wrong. ServerAlias with the same domain name as ServerName is duplicated.

You have a www DNS entry. Perhaps change your ServerAlias to www.masteroi.com and create a certificate with both domain names. Same with your port 443 vHost.

I’ve updated my vhost.conf as follows:
NameVirtualHost *:80

<VirtualHost *:80>
ServerAdmin removed@nothere.com
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com/public_html/
ErrorLog /var/www/html/example.com/logs/error.log
CustomLog /var/www/html/example.com/logs/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Have run this command as requested: sudo certbot --apache -d www.example.com
Output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://www.example.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.example.com/privkey.pem
    Your cert will expire on 2019-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • Some rewrite rules copied from /etc/httpd/conf.d/vhost.conf were
    disabled in the vhost for your HTTPS site located at
    /etc/httpd/conf.d/vhost-le-ssl.conf because they have the potential
    to create redirection loops.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

Where is the port 443 vHost? Should I just copy and paste the same detail in the vhost.conf file and use port 443 instead like this?

<VirtualHost *:80>
ServerAdmin email removed
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com/public_html/
ErrorLog /var/www/html/example.com/logs/error.log
CustomLog /var/www/html/example.com/logs/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
ServerAdmin email removed
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com/public_html/
ErrorLog /var/www/html/example.com/logs/error.log
CustomLog /var/www/html/example.com/logs/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =example.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

I’ve restarted Apache after making the serveralias change but it has made no difference.

You need both domain names:

-d masteroi.com -d www.masteroi.com

What says

httpd -S

If Certbot doesn't understand your configuration, the wrong vHost is used -> wrong certificate.

[root@example conf.d]# sudo certbot -d example.com -d www.example.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/example.com.conf)

It contains these names: example.com

You requested these names for the new certificate: example.com,
www.example.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/conf.d/vhost-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for example.com
Unable to set enhancement redirect for example.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:

  • We were unable to set up enhancement redirect for your server,
    however, we successfully installed your certificate.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/example.com/privkey.pem
    Your cert will expire on 2019-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

httpd -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf.d/vhost.conf:1
VirtualHost configuration:
*:443 is a NameVirtualHost
default server example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost example.com (/etc/httpd/conf.d/vhost-le-ssl.conf:2)
alias example.com
port 443 namevhost example.com (/etc/httpd/conf.d/vhost-le-ssl.conf:16)
alias www.example.com
*:80 example.com (/etc/httpd/conf.d/vhost.conf:3)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Restarted httpd.service after reinstalling certificate but no change, still using self signed certificate.

There you see the mess.

Every combination of port and domain name must be unique. There is only a test site visible.

So remove all port 443 vHosts.

Your port 80 needs both domain names. Then reinstall the existing certificate (don't create a new one, you may hit the limit).
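As an added check (not part of the thread, and not Certbot's or Apache's own tooling), this script parses an httpd -S dump like the one posted above and lists every port/name pair that is defined more than once, which is the duplication pointed out here and earlier (a ServerAlias repeating its own ServerName counts too). The sample dump is constructed from the posted output; the function name find_vhost_dupes is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread: find port/name pairs that appear more
# than once in `httpd -S` (or `apachectl -S`) output. Apache requires each
# port + ServerName/ServerAlias combination to be unique; with duplicates the
# first matching vhost wins and the one carrying the Let's Encrypt
# certificate may never be selected.

# Constructed sample, modelled on the httpd -S dump posted in the thread.
SAMPLE_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost example.com (/etc/httpd/conf.d/vhost-le-ssl.conf:2)
                 alias example.com
         port 443 namevhost example.com (/etc/httpd/conf.d/vhost-le-ssl.conf:16)
                 alias www.example.com
*:80                   example.com (/etc/httpd/conf.d/vhost.conf:3)
ServerRoot: "/etc/httpd"'

# find_vhost_dupes: read an httpd -S dump on stdin; print one line per
# port/name pair defined more than once: "<port> <name> <count> <file:line>..."
find_vhost_dupes() {
    awk '
        # "port 443 namevhost example.com (file:line)": a name-based vhost
        /^[ \t]*port [0-9]+ namevhost / {
            port = $2; name = $4; file = $5
            seen[port " " name] = seen[port " " name] " " file
            count[port " " name]++
            next
        }
        # "alias www.example.com" belongs to the namevhost line just above;
        # an alias equal to its own ServerName is counted as a duplicate too
        /^[ \t]*alias / && port != "" {
            seen[port " " $2] = seen[port " " $2] " " file
            count[port " " $2]++
            next
        }
        # "*:80 example.com (file:line)": the only vhost on that port
        /^\*:[0-9]+[ \t]+[^ \t]+ \(/ {
            split($1, p, ":"); port = p[2]; name = $2; file = $3
            seen[port " " name] = seen[port " " name] " " file
            count[port " " name]++
        }
        END {
            for (k in count) if (count[k] > 1) print k, count[k] seen[k]
        }
    ' | sort
}

# Stand-alone demo on the sample; on a live server: httpd -S 2>&1 | find_vhost_dupes
printf '%s\n' "$SAMPLE_DUMP" | find_vhost_dupes
```

On the sample this reports port 443 + example.com four times (ssl.conf and both vhost-le-ssl.conf blocks, one of them via its own alias), and nothing for port 80.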

No I don’t see the mess. I would have to fully understand it and have experience to see that there is a mess.

I can’t find any instance of “namevhost” in any of those files:

[root@masteroi conf.d]# cat /etc/httpd/conf.d/ssl.conf | grep namevhost
[root@masteroi conf.d]# cat /etc/httpd/conf.d/vhost-le-ssl.conf |grep namevhost
[root@masteroi conf.d]#

[root@example conf.d]# cat /etc/httpd/conf.d/ssl.conf |grep master
[root@example conf.d]# cat /etc/httpd/conf.d/ssl.conf |grep master
[root@example conf.d]# cat /etc/httpd/conf.d/vhost-le-ssl.conf |grep master
ServerAdmin removed@example
ServerName example.com
ServerAlias example.com
DocumentRoot /var/www/html/example.com/public_html/
ErrorLog /var/www/html/example.com/logs/error.log
CustomLog /var/www/html/example.com/logs/access.log combined
SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
ServerAdmin email removed
ServerName example.com
ServerAlias www.example.com
DocumentRoot /var/www/html/example.com/public_html/
ErrorLog /var/www/html/example.com/logs/error.log
CustomLog /var/www/html/example.com/logs/access.log combined

RewriteCond %{SERVER_NAME} =example.com

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Seems there is nothing in the first two files for example.com.

I’m thinking it’s an issue with how CentOS handles/works with Let’s Encrypt as I’ve seen lots of threads about these types of issues.

Should I rebuild the server with Debian 7 64 bit due to incompatibilities?

Issue resolved by following guide written here - https://linuxize.com/post/secure-apache-with-let-s-encrypt-on-centos-7/

Would recommend anyone installing Let’s Encrypt on CentOS 7 to ONLY use that guide!

Please read

You have three different combinations 443 + masteroi.com. Only one is allowed.
