Manual Cert renewal not working

Hello, I’ve just run certbot-auto -d example.com --manual --preferred-challenges dns certonly to do a DNS verified renewal.
It worked and I got:
Your certificate and chain have been saved at: /etc/letsencrypt/live/example.com/fullchain.pem
Your key file has been saved at: /etc/letsencrypt/live/example.com/privkey.pem
Great! But I am still getting invalid cert errors in my browser.

Running Apache 2.2.15 and CentOS 6.10

I have restarted my apache service, but that did not help.

My vhost conf file looks like this:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    DocumentRoot /var/www/html/link/example
    ServerName example.com
    ErrorLog logs/error_log
    CustomLog logs/access_log common

    RewriteEngine on

    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-f
    RewriteCond %{DOCUMENT_ROOT}/%{REQUEST_FILENAME} !-d
    RewriteRule ^ /router.php [QSA,L]

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

</VirtualHost>
</IfModule>

Is there something further that needs to be done?

Hi,

Could you please tell us your real domain name?
This would definitely help us if we knew what the exact error is…

Also, did you also request www.example.com with example.com? If not, that might throw an error when you visit www.example.com.

Thank you

Domain is api.kaizenauto.com

Hi @truckcrash

The Google-CT shows your new certificate, so that part has worked.

What do the following commands say?

certbot certificates
apachectl configtest
apachectl fullstatus
apachectl -S

I am not familiar with Google-CT, but SSL Labs is reporting my cert is invalid:
https://www.ssllabs.com/ssltest/analyze.html?d=api.kaizenauto.com

Here is the output from those commands:
root|H [~]# certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: api.kaizenauto.com
    Domains: api.kaizenauto.com
    Expiry Date: 2019-07-16 23:25:20+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/api.kaizenauto.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/api.kaizenauto.com/privkey.pem

root|H [~]# apachectl configtest
Syntax OK

root|H [~]# apachectl fullstatus
                                   Not Found

   The requested URL /server-status was not found on this server.

   --------------------------------------------------------------------------

    Apache/2.2.15 (CentOS) Server at localhost Port 80

root|H [~]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server ip-50-62-133-208.secureserver.net (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost ip-50-62-133-208.secureserver.net (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost api.kaizenauto.com (/etc/httpd/vhost.d/api-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         port 80 namevhost api.kaizenauto.com (/etc/httpd/vhost.d/api.conf:1)
Syntax OK


(*removed other domains for brevity)

If you create a certificate, it's listed in CT logs.

Yes, you have created a new certificate, but you don't use it. Instead, you use your old expired certificate ( https://check-your-website.server-daten.de/?q=api.kaizenauto.com ):

CN=api.kaizenauto.com
	17.01.2019
	17.04.2019
1 days expired	api.kaizenauto.com - 1 entry

And there is a bad request - http status 400:

Domainname Http-Status redirect Sec. G
http://api.kaizenauto.com/
34.221.163.144 -14 10.026 T
Timeout - The operation has timed out
https://api.kaizenauto.com/
34.221.163.144 400 1.646 N
Bad Request
Certificate error: RemoteCertificateChainErrors
http://api.kaizenauto.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
34.221.163.144 -14 10.050 T
Timeout - The operation has timed out
Visible Content:

So it looks like your configuration doesn't work; the namevhost api... may not be used. Try to remove (rename) your default server.

But you have ip-50-62-133-208.secureserver.net twice.
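The question the thread keeps circling around is whether httpd on :443 presents the certificate certbot just wrote or some other one (for example the certificate of the default *:443 server listed first by `apachectl -S`). As an added example for this thread (not certbot's or Apache's own tooling), the Python script below fetches the leaf certificate the server actually sends, once with SNI and once without, and compares its SHA-256 fingerprint with the `cert.pem` on disk. `HOST`, `PORT` and `LOCAL_CERT` are placeholders to replace with the real vhost's values.

```python
"""Compare the certificate Apache actually presents on :443 with the file
certbot wrote, with and without SNI.

Added example for the thread above; not certbot's or Apache's own code.
HOST, PORT and LOCAL_CERT are placeholders to be replaced.
"""
import base64
import hashlib
import socket
import ssl
import sys
from typing import Optional

HOST = "api.example.invalid"                        # placeholder: the vhost's ServerName
PORT = 443
LOCAL_CERT = "/etc/letsencrypt/live/HOST/cert.pem"  # placeholder: file named in SSLCertificateFile


def fingerprint_der(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM block only, so a fullchain.pem (leaf first)
    yields the leaf certificate, the one the browser complains about."""
    body = []
    for line in pem.splitlines():
        line = line.strip()
        if line.startswith("-----END"):
            break
        if line and not line.startswith("-----BEGIN"):
            body.append(line)
    return base64.b64decode("".join(body))


def fingerprint_pem(pem: str) -> str:
    return fingerprint_der(pem_to_der(pem))


def served_fingerprint(host: str, port: int = 443, sni: bool = True,
                       timeout: float = 10.0) -> str:
    """Fingerprint of the leaf certificate the server sends.

    Verification is disabled on purpose: an expired or mismatched certificate
    must be observed rather than rejected. This context is for diagnosis only,
    never for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return fingerprint_der(tls.getpeercert(binary_form=True))


def diagnose(local_fp: str, sni_fp: str, nosni_fp: Optional[str] = None) -> str:
    """Classify what the fingerprints say about the vhost setup."""
    if sni_fp == local_fp:
        return "ok"
    if nosni_fp is not None and nosni_fp == sni_fp:
        # Same foreign cert regardless of SNI: the name-based vhost is not
        # selected and the first/default *:443 server answers instead.
        return "default-vhost-served"
    # SNI does select a vhost, but it serves another file than certbot wrote,
    # or the running httpd has not re-read the file yet.
    return "wrong-file-served"


EXPLANATION = {
    "ok": "server presents the certificate on disk; the reload took effect",
    "default-vhost-served": "same certificate with and without SNI: the default *:443 "
                            "server (first in apachectl -S) answers for this name",
    "wrong-file-served": "named vhost answers but with another file: check the "
                         "SSLCertificateFile paths actually loaded and that httpd restarted",
}


def main() -> int:
    with open(LOCAL_CERT) as f:
        local_fp = fingerprint_pem(f.read())
    sni_fp = served_fingerprint(HOST, PORT, sni=True)
    nosni_fp = served_fingerprint(HOST, PORT, sni=False)
    verdict = diagnose(local_fp, sni_fp, nosni_fp)
    print(f"on disk : {local_fp}\nwith SNI: {sni_fp}\nno SNI  : {nosni_fp}")
    print(f"{verdict}: {EXPLANATION[verdict]}")
    return 0 if verdict == "ok" else 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it on the server itself after the restart; a non-zero exit with `default-vhost-served` means the `*:443` default server from `ssl.conf` is answering, while `wrong-file-served` points at the paths in the loaded vhost file (or at a process that was never really restarted). The `CERT_NONE` context exists only so the expired certificate can be inspected; it must not be copied into anything that talks to the API for real.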

Hello,

I made api.kaizenauto.com the default vhost, but that did not work - a certificate error was still shown.

Error code: SEC_ERROR_EXPIRED_CERTIFICATE

Given that, when a security exception is added in the browser to allow it, api.kaizenauto.com does load properly and serves the correct content, I’m inclined to believe it is not a matter of the config file not being loaded. Maybe there is something more nuanced there I am unaware of, but Apache does use that file to know where to serve content from.
