Let's Encrypt certificates not working for base / root / top domain

I'm facing the following problems:
1- Let's Encrypt certificates are working for the subdomain but not for the base / root domain.
2- Certificates are not trusted

My domains are: base domain teachersbook.pk, subdomain www.teachersbook.pk

SSL Report base domain and SSL Report sub domain

https://crt.sh/?q=teachersbook.pk Report

https://check-your-website.server-daten.de/?q=teachersbook.pk

I ran this command: sudo certbot --apache -d teachersbook.pk -d www.teachersbook.pk

It produced this output: I've followed the process and the certificates were successfully installed

My web server is (include version): Server version: Apache/2.4.37 (centos)

The operating system my web server runs on is (include version): centos 8

My hosting provider, if applicable, is: CentOS Linux release 8.4.2105

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

Hi @justmasif, welcome to the LE community forum :slight_smile:

Let's start to unravel this problem with the output of:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

thanks, sir

the output of the said command is

Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.

hmm...
Try:
sudo httpd -t -D DUMP_VHOSTS

VirtualHost configuration:
*:443 is a NameVirtualHost
default server teachersbook.pk (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost teachersbook.pk (/etc/httpd/conf.d/ssl.conf:40)
port 443 namevhost teachersbook.pk (/etc/httpd/conf.d/teachersbook.pk-le-ssl.conf:2)
alias www.teachersbook.pk
*:80 teachersbook.pk (/etc/httpd/conf.d/teachersbook.pk.conf:11)

I see a couple of problems there:

  1. There is a name:port overlap for teachersbook.pk:443 between these files:
    /etc/httpd/conf.d/ssl.conf
    /etc/httpd/conf.d/teachersbook.pk-le-ssl.conf
  2. The HTTP vhost config seems to lack the "www" alias (in file:)
    /etc/httpd/conf.d/teachersbook.pk.conf

For #1, I would try changing the ServerName directive in the ssl.conf file to anything else
[like: ServerName localhost]
For #2, I would add a line with ServerAlias www.teachersbook.pk in the file teachersbook.pk.conf immediately after line with ServerName teachersbook.pk
Like:
ServerName teachersbook.pk
ServerAlias www.teachersbook.pk

and then restart Apache
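The two checks in the reply above (a name:port claimed by more than one vhost, and a hostname served on 443 but not on 80) can be automated against the output of sudo httpd -t -D DUMP_VHOSTS. The following is an added example written for this thread, not code from Certbot, Apache or the original poster. It parses the dump shape shown in this thread (the sample text is constructed from it), reports overlaps together with which file Apache will actually use for the name (the vhost defined first wins, which is why a request for teachersbook.pk:443 would be served by ssl.conf and its localhost certificate), and treats a port that carries a single non-name-based vhost as "aliases unknown", because Apache prints alias lines only for name-based vhosts.

```python
import re
from collections import defaultdict

# Constructed sample with the shape of this thread's "httpd -t -D DUMP_VHOSTS" output.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server teachersbook.pk (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost teachersbook.pk (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost teachersbook.pk (/etc/httpd/conf.d/teachersbook.pk-le-ssl.conf:2)
                 alias www.teachersbook.pk
*:80                   teachersbook.pk (/etc/httpd/conf.d/teachersbook.pk.conf:11)
"""

# Constructed sample of the same dump after ssl.conf gets "ServerName localhost".
SAMPLE_FIXED = SAMPLE_DUMP.replace(
    "default server teachersbook.pk (/etc/httpd/conf.d/ssl.conf:40)",
    "default server localhost (/etc/httpd/conf.d/ssl.conf:40)").replace(
    "port 443 namevhost teachersbook.pk (/etc/httpd/conf.d/ssl.conf:40)",
    "port 443 namevhost localhost (/etc/httpd/conf.d/ssl.conf:40)")

# Line shapes printed by mod_core's vhost dump (name-based entry, single entry, alias).
NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \(([^)]+?):(\d+)\)")
SINGLE_RE = re.compile(r"^\S+:(\d+)\s+(\S+) \(([^)]+?):(\d+)\)")
ALIAS_RE = re.compile(r"^\s*(?:alias|wild alias) (\S+)")


def parse_dump_vhosts(text):
    """Parse DUMP_VHOSTS output into a list of vhost records, in definition order.

    Each record: {"port": int, "names": [ServerName, aliases...],
                  "file": "path:line", "name_based": bool}.
    A port with a single vhost is not name-based and Apache prints no alias
    lines for it, so that record's alias list is unknown rather than empty.
    """
    vhosts = []
    for line in text.splitlines():
        m = NAMEVHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts.append({"port": int(port), "names": [name],
                           "file": f"{path}:{lineno}", "name_based": True})
            continue
        m = SINGLE_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts.append({"port": int(port), "names": [name],
                           "file": f"{path}:{lineno}", "name_based": False})
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            vhosts[-1]["names"].append(m.group(1))  # alias belongs to the vhost above it
    return vhosts


def find_overlaps(vhosts):
    """Return {(name, port): [files]} for every name:port claimed by more than
    one vhost. Apache resolves the tie with the vhost defined first, so the
    first file in each list is the one that actually serves the name."""
    claims = defaultdict(list)
    for vh in vhosts:
        for name in vh["names"]:
            claims[(name, vh["port"])].append(vh["file"])
    return {key: files for key, files in claims.items() if len(files) > 1}


def names_missing_on_port(vhosts, have_port, want_port):
    """Names served on have_port that no name-based vhost on want_port covers.

    Returns (missing_names, unverifiable). 'unverifiable' is True when
    want_port carries a single non-name-based vhost: the dump omits its
    aliases, so the config file itself must be read to confirm them."""
    served = {n for vh in vhosts if vh["port"] == have_port for n in vh["names"]}
    targets = [vh for vh in vhosts if vh["port"] == want_port]
    if any(not vh["name_based"] for vh in targets):
        return set(), True
    covered = {n for vh in targets for n in vh["names"]}
    return served - covered, False


if __name__ == "__main__":
    hosts = parse_dump_vhosts(SAMPLE_DUMP)
    for (name, port), files in sorted(find_overlaps(hosts).items()):
        print(f"overlap {name}:{port}: served by {files[0]}, shadowed: {', '.join(files[1:])}")
    missing, unknown = names_missing_on_port(hosts, 443, 80)
    if unknown:
        print("port 80 has a single vhost; check ServerAlias in its config file directly")
    for name in sorted(missing):
        print(f"{name} is served on 443 but not on 80")
```

Run it as python3 check_vhosts.py with the real dump piped in place of the sample, and it reports the same overlap the reply identifies. The "unverifiable" path is the reason the second diagnosis in the reply could not be settled from the dump alone: the *:80 vhost is the only one on its port, so its ServerAlias line never appears in the output even when it is present in the file.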

I didn't find ServerName in the ssl.conf file.
Should I add it there?

ServerAlias www.teachersbook.pk
already exists in the /etc/httpd/conf.d/teachersbook.pk.conf file

Then it is using the default ServerName likely provided within the main config.
I would just add the line in there (to ssl.conf).
Something like:
ServerName localhost

1 Like

Sorry for the late reply. My server went away; I don't think it's due to the little change in ssl.conf.
I was trying to troubleshoot it.

Try to undo your changes.

Hi,

Today I've successfully recovered my website and also applied your said changes in
1- the ssl.conf file
and also tried to make some changes in
2- teachersbook.pk-le-ssl.conf
but it's not working. In both files I've added comments where I've made changes.

The code in ssl.conf is below:

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName teachersbook.pk:443		//	also tried this not working
#ServerName localhost		// here I've changed not working

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3

SSLHonorCipherOrder on

SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#SSLVerifyClient require
#SSLVerifyDepth  10

#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

The code in /etc/httpd/conf.d/teachersbook.pk.conf is:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    # here I've changed ServerName localhost not working
    ServerName teachersbook.pk
    ServerAlias www.teachersbook.pk
    ServerAdmin test@gmail.com
    DocumentRoot /var/www/teachersbook.pk/

    ErrorLog /var/log/httpd/teachersbook.pk-error.log
    CustomLog /var/log/httpd/teachersbook.pk-access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/teachersbook.pk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/teachersbook.pk/privkey.pem
</VirtualHost>
</IfModule>

The code of the 3rd file, teachersbook.conf, is here:

<Directory /var/www/teachersbook.pk/>
	#Options -Indexes +FollowSymLinks
	#AllowOverride All
	Require all granted
	RewriteEngine On
	RewriteCond %{REQUEST_FILENAME} !-f
	RewriteCond %{REQUEST_FILENAME} !-d
	RewriteRule ^(.*)$ index.php?/$1 [L]

</Directory>
<VirtualHost *:80>
    ServerName teachersbook.pk
    ServerAlias www.teachersbook.pk
    ServerAdmin test@gmail.com
    DocumentRoot /var/www/teachersbook.pk/

    ErrorLog /var/log/httpd/teachersbook.pk-error.log
    CustomLog /var/log/httpd/teachersbook.pk-access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =teachersbook.pk [OR]
RewriteCond %{SERVER_NAME} =www.teachersbook.pk
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

Please put that line back in.

That was never in the instructions.

This file:
/etc/httpd/conf.d/teachersbook.pk-le-ssl.conf
needs this line:

Then restart Apache.

1 Like

thanks a lot sir, it's working . :slight_smile:

1 Like


Sir, I forgot about the 2nd part of my question:

2- Certificates are not trusted

I don't understand.
Which URL shows certificate not trusted?

curl -I https://teachersbook.pk
HTTP/1.1 200 OK

curl -I https://www.teachersbook.pk
HTTP/1.1 200 OK

https://www.ssllabs.com/ssltest/analyze.html?d=teachersbook.pk

After trying that again:

[that was just old information]

1 Like

thanks, you are right, maybe after refreshing it's working fine ....

1 Like
