Lets encrypt not supporting mozilla firefox for some verssions

Hi,

When i am trying to open my domain in mozilla firefox for some version we are getting error saying that, This connection is not private.

Could you please help to get resolve this error.

1 Like

Hi @Prathyusha

share your domain name and the FireFox - version you use.

1 Like

thanks for quick response

www.merritos.com
firefox version 60.1

1 Like

Checking your domain there are two problems visible - https://check-your-website.server-daten.de/?q=merritos.com

First, your certificate has only one domain name:

CN=merritos.com
	20.11.2019
	18.02.2020
expires in 53 days	merritos.com - 1 entry

So your www version is insecure. If a user uses the www version -> error message.

If a user uses the non-www version -> no problem. But that's not a browser problem, it's a certificate problem -> create one certificate with both domain names.

Second, your chain is incomplete.

So your server doesn't send the intermediate certificate. Should look like

Looks like your unknown client didn't installed the certificate correct.

2 Likes

could you please help me with the command to install certificates with both the domains with both the domains and also to get the mails alert before its going to expire…

Thank you so much for your support

1 Like

You have a certificate. So a lot of informations are missing.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

2 Likes

Please find the details below, and let me know if any thing needed…thank you

My domain is: www.merritos.com, www.merritos.in

I ran this command: certbot certonly --manual -d *.merritos.in -d merritos.in --preferred-challenges dns

and for .com

certbot certonly --manual -d *.merritos.com -d merritos.com --preferred-challenges dns

It produced this output: Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/merritos.in-0002.conf)It contains these names: merritos.inYou requested these names for the new certificate: *.merritos.in, merritos.in.Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/©ancel: E
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for merritos.in
dns-01 challenge for merritos.in- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
NOTE: The IP of this machine will be publicly logged as having requested this
certificate. If you’re running certbot in manual mode on a machine that is not
your server, please ensure you’re okay with that.Are you OK with your IP being logged?


(Y)es/(N)o: Y- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.merritos.in with the following value:odZaQ0492iLZeYWC1JEkGGmZQM-y-u4lwnW0mhetTUoBefore continuing, verify the record is deployed.


Press Enter to Continue- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name
_acme-challenge.merritos.in with the following value:2r5Wp_sJFi86C2cmEVA6lqiq8Y2_MjXk0NfVf2BapLkBefore continuing, verify the record is deployed.


Press Enter to Continue
Waiting for verification…
Resetting dropped connection: acme-v02.api.letsencrypt.org
Cleaning up challengesIMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/merritos.in-0002/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/merritos.in-0002/privkey.pem
    Your cert will expire on 2020-02 -18. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”
  • If you like Certbot, please consider supporting our work by: Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

for .in and .com same

My web server is (include version): firefox with 60 it is showing error, but when I updated my browser it is working good.

The operating system my web server runs on is (include version): linux

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.1

If you use certonly, the certificate isn't installed. Minimal you have to restart your server.

And --manual means manual. If you don't do that, the certificate will expire again.

The certificate creation has worked.

Please: What's your webserver? Firefox isn't a webserver.

1 Like

It is also possible that the web server is currently configured to use merritos.in/fullchain.pem rather than merritos.in-0002/fullchain.pem. Certbot's behavior here often confuses users; the -0001 and -0002 certs are created when you have a previous Certbot-managed certificate that includes some name that the newly-requested certificate doesn't.

If the new certificate is the one that you want, you might have to update your server configuration to point at this one. That's what @JuergenAuer is referring to with

This can also be confusing for some users because non-wildcard certificates obtained with --nginx or --apache were often automatically installed into the web server configuration by Certbot, whereas wildcard certificate obtained with --manual weren't. Nonetheless, the web server configuration would need to be edited in order to make use of the new wildcard certificate if it's saved under a different location than the previous certificate.

2 Likes

we are using node as web server

How did you configure your web server to use your original Let’s Encrypt certificate?

by using redbird npm we configured lets encrypt.

Did you have to do something in particular in Redbird or in its configuration in order to get it to use the certificate?

We are using the below code… please check and review

var redbird = require(‘redbird’)({
port: 80,
secure: false,
ssl: {
port: 443,
key: “…/certs/default.key”,
cert: “…/certs/default.crt”,
}
});

redbird.register(‘merritos.com’, ‘https://merritos.in:5000’, {
ssl: {
key: “/etc/letsencrypt/live/merritos.com-0005/privkey.pem”,
cert: “/etc/letsencrypt/live/merritos.com-0005/cert.pem”,
}
});
redbird.register(‘www.merritos.com’, ‘https://merritos.in:5000’, {
ssl: {
key: “/etc/letsencrypt/live/merritos.com-0005/privkey.pem”,
cert: “/etc/letsencrypt/live/merritos.com-0005/cert.pem”,
}
});

Thanks for sharing that. It is possible that you’ll need to change merritos.com-0005 to merritos.com-0002.

You should be able to find out by checking the certificate coverage with the command certbot certificates.

2 Likes

These are the certificates we are having presently, 0002 is our old certificate

cd /etc/letsencrypt/live
ls -ltr
total 16
drwxr-xr-x 2 root root 4096 Nov 20 06:23 merritos.com-0004
drwxr-xr-x 2 root root 4096 Nov 20 06:53 merritos.in-0005
drwxr-xr-x 2 root root 4096 Nov 20 08:15 merritos.in-0006
drwxr-xr-x 2 root root 4096 Nov 20 09:15 merritos.com-0005

If you run certbot certificates, you’ll find out which names are covered by the most recent version of each of those certificates.

1 Like

Please find the o/p

[root@li1636-240 /]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0004.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0004/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com-0003.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com-0003/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0003.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0003/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.in-0002.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.in-0002/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/merritos.com-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/merritos.com-0001/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: merritos.in-0005
Domains: *.merritos.in
Expiry Date: 2020-02-18 05:53:55+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0005/privkey.pem
Certificate Name: merritos.in-0006
Domains: merritos.in
Expiry Date: 2020-02-18 07:15:51+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0006/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0006/privkey.pem
Certificate Name: merritos.com-0005
Domains: merritos.com
Expiry Date: 2020-02-18 08:14:59+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0005/privkey.pem
Certificate Name: merritos.com-0004
Domains: *.merritos.com
Expiry Date: 2020-02-18 05:23:42+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0004/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0004/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/merritos.in-0001.conf
/etc/letsencrypt/renewal/merritos.com-0002.conf
/etc/letsencrypt/renewal/merritos.in-0004.conf
/etc/letsencrypt/renewal/merritos.com-0003.conf
/etc/letsencrypt/renewal/merritos.in-0003.conf
/etc/letsencrypt/renewal/merritos.com.conf
/etc/letsencrypt/renewal/merritos.in.conf
/etc/letsencrypt/renewal/merritos.in-0002.conf
/etc/letsencrypt/renewal/merritos.com-0001.conf


1 Like

You have created one certificate with the non-www version of your domain.

So create

  • one certificate with both domain names (or)
  • a second certificate only with the www version

Read

https://certbot.eff.org/docs/using.html

Looks like you have changed these files manual. That's always bad.

Use fullchain.pem instead of cert.pem. That should fix the chain problem.

You use port 5000, not the standard port.

PS: Checking that port there is the wrong certificate - https://check-your-website.server-daten.de/?q=merritos.com%3A5000

CN=merritos.in
	20.11.2019
	18.02.2020
expires in 47 days	merritos.in - 1 entry

merritos.in doesn't work with merritos.com. So create one certificate with the com and the in - top level domain.

1 Like

We have created different certificates for merritos.in and merritos.com and also different certificates for all the sub domains of .com and .in as shown below.

Found the following certs:
Certificate Name: merritos.in-0005
Domains: *.merritos.in ---------------------------------- for subdomains of .in
Expiry Date: 2020-02-18 05:53:55+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0005/privkey.pem
Certificate Name: merritos.in-0006
Domains: merritos.in
Expiry Date: 2020-02-18 07:15:51+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.in-0006/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.in-0006/privkey.pem
Certificate Name: merritos.com-0005
Domains: merritos.com
Expiry Date: 2020-02-18 08:14:59+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0005/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0005/privkey.pem
Certificate Name: merritos.com-0004
Domains: *.merritos.com ---------------------------------------------- for subdomains of .com
Expiry Date: 2020-02-18 05:23:42+00:00 (VALID: 46 days)
Certificate Path: /etc/letsencrypt/live/merritos.com-0004/fullchain.pem
Private Key Path: /etc/letsencrypt/live/merritos.com-0004/privkey.pem