Hi,
When I am trying to open my domain in Mozilla Firefox, for some versions we are getting an error saying "This connection is not private".
Could you please help to resolve this error?
Hi @Prathyusha
Share your domain name and the Firefox version you use.
Thanks for the quick response.
www.merritos.com
firefox version 60.1
Checking your domain there are two problems visible - https://check-your-website.server-daten.de/?q=merritos.com
First, your certificate has only one domain name:
CN=merritos.com | 20.11.2019 | 18.02.2020 | expires in 53 days | merritos.com - 1 entry
So your www version is insecure. If a user uses the www version -> error message.
If a user uses the non-www version -> no problem. But that's not a browser problem, it's a certificate problem -> create one certificate with both domain names.
Second, your chain is incomplete.
So your server doesn't send the intermediate certificate. Should look like
Looks like your unknown client didn't install the certificate correctly.
Could you please help me with the command to install certificates with both the domains, and also to get mail alerts before it is going to expire…
Thank you so much for your support
You have a certificate. So a lot of information is missing.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Please find the details below, and let me know if anything is needed… thank you
My domain is: www.merritos.com, www.merritos.in
I ran this command: certbot certonly --manual -d *.merritos.in -d merritos.in --preferred-challenges dns
and for .com
certbot certonly --manual -d *.merritos.com -d merritos.com --preferred-challenges dns
It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/merritos.in-0002.conf)
It contains these names: merritos.in
You requested these names for the new certificate: *.merritos.in, merritos.in.
Do you want to expand and replace this existing certificate with the new
certificate?
(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for merritos.in
dns-01 challenge for merritos.in
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you're running certbot in manual mode on a machine that is not
your server, please ensure you're okay with that.
Are you OK with your IP being logged?
(Y)es/(N)o: Y
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.merritos.in with the following value:
odZaQ0492iLZeYWC1JEkGGmZQM-y-u4lwnW0mhetTUo
Before continuing, verify the record is deployed.
Press Enter to Continue
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.merritos.in with the following value:
2r5Wp_sJFi86C2cmEVA6lqiq8Y2_MjXk0NfVf2BapLk
Before continuing, verify the record is deployed.
Press Enter to Continue
Waiting for verification...
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challenges
IMPORTANT NOTES:
for .in and .com same
My web server is (include version): firefox with 60 it is showing error, but when I updated my browser it is working good.
The operating system my web server runs on is (include version): linux
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.27.1
If you use certonly, the certificate isn't installed. At a minimum you have to restart your server.
And --manual means manual. If you don't do that, the certificate will expire again.
The certificate creation has worked.
Please: What's your webserver? Firefox isn't a webserver.
It is also possible that the web server is currently configured to use merritos.in/fullchain.pem rather than merritos.in-0002/fullchain.pem. Certbot's behavior here often confuses users; the -0001 and -0002 certs are created when you have a previous Certbot-managed certificate that includes some name that the newly-requested certificate doesn't.
If the new certificate is the one that you want, you might have to update your server configuration to point at this one. That's what @JuergenAuer is referring to with
This can also be confusing for some users because non-wildcard certificates obtained with --nginx or --apache were often automatically installed into the web server configuration by Certbot, whereas wildcard certificates obtained with --manual weren't. Nonetheless, the web server configuration would need to be edited in order to make use of the new wildcard certificate if it's saved under a different location than the previous certificate.
we are using node as web server
How did you configure your web server to use your original Let's Encrypt certificate?
By using the redbird npm package we configured Let's Encrypt.
Did you have to do something in particular in Redbird or in its configuration in order to get it to use the certificate?
We are using the below code… please check and review
// Redbird reverse proxy: HTTP on port 80, HTTPS on port 443 with a default certificate
var redbird = require("redbird")({
  port: 80,
  secure: false,
  ssl: {
    port: 443,
    key: "…/certs/default.key",
    cert: "…/certs/default.crt",
  }
});
// Per-host key and certificate for merritos.com
redbird.register("merritos.com", "https://merritos.in:5000", {
  ssl: {
    key: "/etc/letsencrypt/live/merritos.com-0005/privkey.pem",
    cert: "/etc/letsencrypt/live/merritos.com-0005/cert.pem",
  }
});
// Per-host key and certificate for www.merritos.com (same files as above)
redbird.register("www.merritos.com", "https://merritos.in:5000", {
  ssl: {
    key: "/etc/letsencrypt/live/merritos.com-0005/privkey.pem",
    cert: "/etc/letsencrypt/live/merritos.com-0005/cert.pem",
  }
});
Thanks for sharing that. It is possible that you'll need to change merritos.com-0005 to merritos.com-0002.
You should be able to find out by checking the certificate coverage with the command certbot certificates.
These are the certificates we are having presently, 0002 is our old certificate
cd /etc/letsencrypt/live
ls -ltr
total 16
drwxr-xr-x 2 root root 4096 Nov 20 06:23 merritos.com-0004
drwxr-xr-x 2 root root 4096 Nov 20 06:53 merritos.in-0005
drwxr-xr-x 2 root root 4096 Nov 20 08:15 merritos.in-0006
drwxr-xr-x 2 root root 4096 Nov 20 09:15 merritos.com-0005
If you run certbot certificates, you'll find out which names are covered by the most recent version of each of those certificates.
Please find the o/p
[root@li1636-240 /]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0004.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0004/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com-0003.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com-0003/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0003.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0003/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com-0001/cert.pem to be a symlink. Skipping.
Found the following certs:
Certificate Name: merritos.in-0005
Domains: *.merritos.in
Expiry Date: 2020-02-18 05:53:55+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0005/privkey.pem
Certificate Name: merritos.in-0006
Domains: merritos.in
Expiry Date: 2020-02-18 07:15:51+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0006/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0006/privkey.pem
Certificate Name: merritos.com-0005
Domains: merritos.com
Expiry Date: 2020-02-18 08:14:59+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0005/privkey.pem
Certificate Name: merritos.com-0004
Domains: *.merritos.com
Expiry Date: 2020-02-18 05:23:42+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0004/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0004/privkey.pem
The following renewal configurations were invalid:
/etc/letsencrypt/renewal/merritos.in-0001.conf
/etc/letsencrypt/renewal/merritos.com-0002.conf
/etc/letsencrypt/renewal/merritos.in-0004.conf
/etc/letsencrypt/renewal/merritos.com-0003.conf
/etc/letsencrypt/renewal/merritos.in-0003.conf
/etc/letsencrypt/renewal/merritos.com.conf
/etc/letsencrypt/renewal/merritos.in.conf
/etc/letsencrypt/renewal/merritos.in-0002.conf
/etc/letsencrypt/renewal/merritos.com-0001.conf
You have created one certificate with the non-www version of your domain.
So create
Read
https://certbot.eff.org/docs/using.html
Looks like you have changed these files manually. That's always bad.
Use fullchain.pem instead of cert.pem. That should fix the chain problem.
You use port 5000, not the standard port.
PS: Checking that port there is the wrong certificate - https://check-your-website.server-daten.de/?q=merritos.com%3A5000
CN=merritos.in | 20.11.2019 | 18.02.2020 | expires in 47 days | merritos.in - 1 entry
merritos.in doesn't work with merritos.com. So create one certificate with the com and the in - top level domain.
We have created different certificates for merritos.in and merritos.com and also different certificates for all the sub domains of .com and .in as shown below.
Found the following certs:
Certificate Name: merritos.in-0005
Domains: *.merritos.in ---------------------------------- for subdomains of .in
Expiry Date: 2020-02-18 05:53:55+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0005/privkey.pem
Certificate Name: merritos.in-0006
Domains: merritos.in
Expiry Date: 2020-02-18 07:15:51+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0006/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0006/privkey.pem
Certificate Name: merritos.com-0005
Domains: merritos.com
Expiry Date: 2020-02-18 08:14:59+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0005/privkey.pem
Certificate Name: merritos.com-0004
Domains: *.merritos.com ---------------------------------------------- for subdomains of .com
Expiry Date: 2020-02-18 05:23:42+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0004/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0004/privkey.pem
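As an added example (not code from any poster in this thread or from Certbot), the following Node.js sketch parses `certbot certificates` output and lists which lineages cover a given hostname, using the rule that a wildcard matches exactly one left-most label. `SAMPLE` is condensed from the output posted above; the function names are hypothetical.

```javascript
// Added example: which certbot lineage covers which hostname?
// SAMPLE is condensed from the `certbot certificates` output posted in this thread.
const SAMPLE = `
Certificate Name: merritos.in-0005
  Domains: *.merritos.in
Certificate Name: merritos.in-0006
  Domains: merritos.in
Certificate Name: merritos.com-0005
  Domains: merritos.com
Certificate Name: merritos.com-0004
  Domains: *.merritos.com
`;

// Parse the listing into [{ name, domains }] (hypothetical helper).
function parseLineages(text) {
  const lineages = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const cur = lineages[lineages.length - 1];
    let m;
    if ((m = line.match(/^Certificate Name:\s*(\S+)/))) {
      lineages.push({ name: m[1], domains: [] });
    } else if (cur && (m = line.match(/^Domains:\s*(.+)$/))) {
      cur.domains = m[1].split(/\s+/);
    }
  }
  return lineages;
}

// A wildcard stands for exactly one left-most label: *.example.com covers
// www.example.com, but neither example.com nor a.b.example.com.
function nameCovers(pattern, host) {
  const p = pattern.toLowerCase(), h = host.toLowerCase();
  if (!p.startsWith('*.')) return p === h;
  const dot = h.indexOf('.');
  return dot > 0 && h.slice(dot + 1) === p.slice(2);
}

// Names of all lineages whose certificate is valid for `host`.
function lineagesFor(host, lineages) {
  return lineages.filter(l => l.domains.some(d => nameCovers(d, host)))
                 .map(l => l.name);
}

for (const host of ['merritos.com', 'www.merritos.com']) {
  console.log(host, '->', lineagesFor(host, parseLineages(SAMPLE)).join(', '));
}
```

With the listing above, no single lineage covers both `merritos.com` and `www.merritos.com`, so a proxy entry for the www host that points at the `merritos.com-0005` files serves a certificate that does not match the name.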