Let's Encrypt works fine but don't forget to copy your certs to the balancers (if you have them) :)


#1

Hello there,
I’m trying to test Let’s Encrypt for my University and maybe I’m wrong, but I’m receiving a certificate that is not for the domain I’m expecting. I’m using testletsencrypt1.upc.edu for this, which is a CNAME record pointing to lamp-pre.upcnet.es, which has a public IP associated.
The webroot is in /var/www/test1 and I’m using the following command:
./letsencrypt-auto certonly --keep-until-expiring -d testletsencrypt1.upc.edu --webroot -w /var/www/test1
It seems that the auth is fine because it finishes and gives me the “congratulations” message and the route of the full chain, like always, but after setting up everything in Apache and visiting the URL https://testletsencrypt1.upc.edu what I get is an ssl_error_bad_cert_domain error, and it says that it is only valid for lamp-pre.upcnet.es and www.lamp-pre.upcnet.es. The same happens if I check the certificate info with:
openssl s_client -connect testletsencrypt1.upc.edu:443
I never gave these names to Let’s Encrypt, so I guess there is an issue with the CNAME record, but idk. I’m running out of ideas and I need help at this point; I’ll appreciate it.

Thank you.


#2

The certificate for testletsencrypt1.upc.edu that you are seeing is the one by Comodo that is on lamp-pre.upcnet.es (not any certificate issued by Let’s Encrypt).

You say “after setting up everything in Apache” - can I ask how you set it up in Apache? Because as far as I can tell the LE certificate has not been set up in Apache for testletsencrypt1.upc.edu.


#3

As a further note, I can see that 2 certificates were issued (https://crt.sh/?identity=testletsencrypt1.upc.edu&iCAID=7395) to the correct domain (testletsencrypt1.upc.edu).

Please be aware that there is a limit on the number of certificates issued for a domain (currently 5 per 7 day period). For testing it is best to use the --staging option, which doesn’t have the same limits.


#4

Thank you for your quick answer.

First, true, my bad, the certificate is not the one issued by Let’s Encrypt! Then the topic is absolutely different and the title is nonsense, sorry about that.

I configured Apache the way LE does when you get+install with the --apache option. I basically copied the 443-related part from another server, changing the domain names and double-checking the routes; those files are soft links to the cert files, as expected:
SSLCertificateFile /etc/letsencrypt/live/testletsencrypt1.upc.edu/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/testletsencrypt1.upc.edu/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/testletsencrypt1.upc.edu/chain.pem

I have to talk with the team who manage our systems; this is quite big and maybe there is something I don’t know about how this is working, so I will ask them, and whether I solve it or not I will come back here to update the status.

Thank you.


#5

No problem, you should be able to edit the topic title and update it.

Well that looks right.

The obvious question (sorry for going back to basics) - did you reload Apache afterwards? And is that in the correct virtual host file?

Thanks :slight_smile:


#6

Okay, I’m back.
Sorry for all of this, everything is alright. It is just about our topology: if the balancers don’t have the correct certificate they use the default one for that node, and then this happens. This is specific to our network, so I edited the title.

Now I can continue with my project. Thank you very much.
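The symptom from this thread, reproduced offline as an added example that is not part of the thread: a constructed self-signed certificate carrying only the balancer's own names (lamp-pre.upcnet.es, www.lamp-pre.upcnet.es) stands in for the node's default certificate, and the check shows it does not cover testletsencrypt1.upc.edu. The fetch_served_cert function is the same check against a live host and is an assumption about how you would run it against your balancer; it is not exercised here.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "wrong certificate from the
# balancer" mismatch with a constructed cert, then show the check that catches it.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed cert with only the balancer's own names in the SAN,
# standing in for the default certificate a balancer presents when it lacks
# the certificate for the name the client asked for.
make_balancer_default_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/CN=lamp-pre.upcnet.es" \
    -addext "subjectAltName=DNS:lamp-pre.upcnet.es,DNS:www.lamp-pre.upcnet.es" \
    >/dev/null 2>&1
  echo "$WORK/cert.pem"
}

# Exit 0 when the certificate is valid for the hostname under SAN/CN matching
# rules (the same decision a browser makes before ssl_error_bad_cert_domain).
cert_matches_host() {  # $1 = cert file (PEM), $2 = hostname
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q "does match certificate"
}

# Save the leaf certificate a live server actually presents. -servername sends
# SNI so a name-based virtual host or balancer can pick the right certificate.
fetch_served_cert() {  # $1 = hostname, $2 = output PEM file
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -out "$2"
}

CERT="$(make_balancer_default_cert)"
for name in testletsencrypt1.upc.edu lamp-pre.upcnet.es; do
  if cert_matches_host "$CERT" "$name"; then
    echo "$name: presented certificate matches"
  else
    echo "$name: presented certificate does NOT cover this name (check the balancer)"
  fi
done
```

Run against a real host as `fetch_served_cert testletsencrypt1.upc.edu served.pem && cert_matches_host served.pem testletsencrypt1.upc.edu`; a failure there with a correct Apache config points at whatever sits in front of Apache.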


#7

Excellent, glad you got it sorted and working :slight_smile:

While you are testing, have a look at the rate limits and potentially use the staging server for testing if needed.