My certificate is invalid and not issued by Let's Encrypt Authority X3

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
cargo-hemat.com
I ran this command:
sudo certbot --apache (follow instruction from https://certbot.eff.org/lets-encrypt/centosrhel7-apache.html)
It produced this output:

My web server is (include version):
Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.3.15
The operating system my web server runs on is (include version):
CentOS 7.1 64-bit
My hosting provider, if applicable, is:
domainesia
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 1.0.0

Hello,

First of all, I generated SSL for the domain cargo-hemat.com on a previous VPS, and it succeeded.
Then I moved this domain to another VPS and was trying to generate SSL for this domain together with another domain (dev1.cargo-hemat.com). The domain dev1.cargo-hemat.com succeeded, but the domain cargo-hemat.com is invalid.

I give screenshots of these 2 domains; why is the issuer of these 2 domains different?

I hope somebody can help with my problem,

Thanks,

1 Like

The first cert is only for the dev1 subdomain; as seen in the Subject Alternate Name field in the Details pane:

The second cert is a self-signed cert issued by the server for itself.

To better understand your current options, please show the output of:
certbot certificates

1 Like

Is this what you mean?

[root@cargo-hemat ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: cargo-hemat.com-0001
Domains: cargo-hemat.com
Expiry Date: 2020-05-27 13:14:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/cargo-hemat.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/cargo-hemat.com-0001/privkey.pem
Certificate Name: dev1.cargo-hemat.com
Domains: dev1.cargo-hemat.com
Expiry Date: 2020-05-27 05:55:24+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/dev1.cargo-hemat.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dev1.cargo-hemat.com/privkey.pem


[root@cargo-hemat ~]#

1 Like

I just revoked with this command:
[root@cargo-hemat ~]# certbot revoke --cert-path /etc/letsencrypt/live/cargo-hemat.com-0001/cert.pem --reason superseded

and certbot certificates became
[root@cargo-hemat ~]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: dev1.cargo-hemat.com
Domains: dev1.cargo-hemat.com
Expiry Date: 2020-05-27 05:55:24+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/dev1.cargo-hemat.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/dev1.cargo-hemat.com/privkey.pem


After that I'm trying to generate a new certificate with the command below

[root@cargo-hemat ~]# sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?


1: cargo-hemat.com
2: dev1.cargo-hemat.com
3: www.cargo-hemat.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter ‘c’ to cancel): 1
Obtaining a new certificate
An unexpected error occurred:
There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: cargo-hemat.com: see https://letsencrypt.org/docs/rate-limits/
Please see the logfiles in /var/log/letsencrypt for more details.

Does it mean that I can issue a new certificate next week?

Don't. Unless the private key is compromised, revocation is always the wrong answer, and it won't have any effect on any rate limits.

3 Likes

(ignore this message)

Stop right now.

Are there lines saying # managed by certbot in any file in your /etc/apache/sites-enabled directory?

1 Like

@dillahdoang, somewhere on your filesystem (in /etc/letsencrypt I dare say), unless you have deleted it, there is a valid certificate for the domains you need, issued yesterday: https://crt.sh/?q=cargo-hemat.com

You just need to install that.

The proper command should be

certbot --reinstall --apache -d cargo-hemat.com -d www.cargo-hemat.com -d dev1.cargo-hemat.com
2 Likes

The certs shown are unique and unrelated to each other - neither supersedes the other.
Deleting either would have been "wrong" enough.
You add insult to that injury by also revoking a perfectly good cert.

2 Likes

Hi,

I followed your instruction by running this command:

[root@cargo-hemat ~]# certbot --duplicate --reinstall --apache -d cargo-hemat.com -d www.cargo-hemat.com -d dev1.cargo-hemat.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Created an SSL vhost at /etc/httpd/sites-available/cargo-hemat.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/cargo-hemat.com-le-ssl.conf
Enabling site /etc/httpd/sites-available/cargo-hemat.com-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/sites-available/cargo-hemat.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/dev1.cargo-hemat.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Enhancement redirect was already set.
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://cargo-hemat.com,
https://www.cargo-hemat.com, and https://dev1.cargo-hemat.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=cargo-hemat.com

https://www.ssllabs.com/ssltest/analyze.html?d=dev1.cargo-hemat.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/cargo-hemat.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/cargo-hemat.com/privkey.pem
    Your cert will expire on 2020-05-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"

  • Some rewrite rules copied from
    /etc/httpd/sites-enabled/cargo-hemat.com.conf were disabled in the
    vhost for your HTTPS site located at
    /etc/httpd/sites-available/cargo-hemat.com-le-ssl.conf because they
    have the potential to create redirection loops.

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation


And after that, when I test with the URL SSL Server Test: cargo-hemat.com (Powered by Qualys SSL Labs),
it's still like this

On the subdomain dev1.cargo-hemat.com, HTTPS works fine, and when I check the certificate information in the browser, this certificate is issued to cargo-hemat.com. It is different from the previous one.

I tried to compare the certificate information in the browser.
This is at the URL https://cargo-hemat.com


This is at the URL https://dev1.cargo-hemat.com

CMIIW, I think the domain cargo-hemat still has not got the new certificate, based on the "valid from" date.

And I would like to ask: I have another subdomain on another server. Is it going to be a problem, since this certificate is issued to the main domain cargo-hemat.com?

Thanks,

1 Like

You need to check your VirtualHost blocks for cargo-hemat.com. It’s pulling a self-signed Certificate from your server (which usually means it’s routing to the default 443 vhost instead of the 443 vhost you have set up for cargo-hemat.com).

2 Likes

It also means it isn’t pulling the proper certificate; it would work just fine had it pulled both.

@dillahdoang, you need to check all the ServerName directives anywhere in /etc/httpd/sites-enabled. There should be one per file (or more). Maybe some are in /etc/httpd/httpd.conf.

Certbot says the cert is installed, so it’s Apache we’re debugging now :smiley:

2 Likes

Reading on this, if you don't have any other website hosted on that machine, you can remove all other files from the sites-enabled directory. (You should probably use the a2dissite helper command.)

2 Likes

In what file is it?

I am using CentOS 7, and based on my searching on Google, there is no "a2dissite" command in CentOS. CMIIW.

When I look at the contents of the folder /sites-enabled/, it contains symbolic links from the folder /sites-available/.
So, do I have to make symbolic links for the 2 ssl.conf files that exist in sites-available?
But the thing that confuses me is that without ssl.conf in sites-enabled, the domain dev1.cargo-hemat.com is still running OK.

I already created symbolic links for *ssl.conf, but it's still not working :sob: :sob:

You do not need to create a symbolic link for the le-ssl.conf file. It is already linked as an include in the httpd.conf file. However, if your server name reflects cargo-hemat.com, it may be automatically routing to your default VirtualHost in /etc/httpd/conf.d/ssl.conf instead of the one that certbot made.

2 Likes
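The routing described in the last few replies (a name that no certbot-made VirtualHost claims falls through to the first VirtualHost Apache loaded for port 443, which on CentOS is the self-signed one in /etc/httpd/conf.d/ssl.conf) can be reproduced offline. The script below is an added example written for this thread, not Apache or certbot code: it parses a few constructed config fragments in load order, applies Apache's name-based selection rule (first ServerName/ServerAlias match, else the first vhost on that port), and reports which certificate file each hostname would be served from. The file contents, paths and the "broken" variant with two ServerName lines are constructed for illustration; the only simplifications are that every *:443 / _default_:443 vhost counts as the same address and that only ServerName, ServerAlias and SSLCertificateFile are read.

```python
"""Which certificate would Apache serve for a given name? (added example)

Models Apache's name-based VirtualHost selection: for an address:port, the
first <VirtualHost> whose ServerName or a ServerAlias matches the requested
host (SNI / Host header) wins; if none matches, the FIRST VirtualHost loaded
for that address:port is used. Assumption: all *:443 / _default_:443 vhosts
are treated as one address, and config order is given explicitly.
"""
import fnmatch
import re
from dataclasses import dataclass, field

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.I | re.M)


@dataclass
class VHost:
    source: str                  # config file the block came from
    addr: str                    # e.g. "*:443" or "_default_:443"
    server_name: str = ""        # a later ServerName overwrites an earlier one
    aliases: list = field(default_factory=list)
    cert: str = "(no SSLCertificateFile)"

    def matches(self, host):
        host = host.lower()
        # ServerAlias accepts * and ? wildcards (e.g. *.example.com)
        return host == self.server_name or any(
            fnmatch.fnmatchcase(host, a) for a in self.aliases)


def _bare_name(value):
    """Strip an optional scheme and port from a ServerName value."""
    value = value.lower()
    if "://" in value:
        value = value.split("://", 1)[1]
    return value.split(":", 1)[0]


def parse_vhosts(configs):
    """configs: [(filename, text), ...] in Apache load order -> list of VHost."""
    vhosts = []
    for fname, text in configs:
        for m in VHOST_RE.finditer(text):
            vh = VHost(source=fname, addr=m.group(1).strip())
            for directive, value in DIRECTIVE_RE.findall(m.group(2)):
                directive = directive.lower()
                if directive == "servername":
                    vh.server_name = _bare_name(value)   # last one wins
                elif directive == "serveralias":
                    vh.aliases.extend(value.lower().split())
                else:
                    vh.cert = value
            vhosts.append(vh)
    return vhosts


def select_vhost(vhosts, host, port="443"):
    """Return the VHost Apache would use for `host` on `port`, or None."""
    candidates = [v for v in vhosts if v.addr.endswith(":" + port)]
    if not candidates:
        return None
    for v in candidates:
        if v.matches(host):
            return v
    return candidates[0]         # no name matched: default vhost for this port


def cert_report(configs, hosts):
    """Map each host to the (config file, certificate file) it is served from."""
    vhosts = parse_vhosts(configs)
    return {h: ((v.source, v.cert) if (v := select_vhost(vhosts, h)) else (None, None))
            for h in hosts}


# Constructed sample configs (not the poster's real files). The stock
# /etc/httpd/conf.d/ssl.conf is loaded before the sites-enabled includes.
DEFAULT_SSL_CONF = ("/etc/httpd/conf.d/ssl.conf", """
<VirtualHost _default_:443>
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
""")
# Broken variant: two ServerName lines, so only www.cargo-hemat.com is claimed.
BROKEN_LE_SSL_CONF = ("/etc/httpd/sites-enabled/cargo-hemat.com-le-ssl.conf", """
<VirtualHost *:443>
  ServerName cargo-hemat.com
  ServerName www.cargo-hemat.com
  SSLCertificateFile /etc/letsencrypt/live/cargo-hemat.com/fullchain.pem
</VirtualHost>
""")
# Fixed variant: one ServerName plus a ServerAlias for the extra name.
FIXED_LE_SSL_CONF = ("/etc/httpd/sites-enabled/cargo-hemat.com-le-ssl.conf", """
<VirtualHost *:443>
  ServerName cargo-hemat.com
  ServerAlias www.cargo-hemat.com
  SSLCertificateFile /etc/letsencrypt/live/cargo-hemat.com/fullchain.pem
</VirtualHost>
""")
HOSTS = ["cargo-hemat.com", "www.cargo-hemat.com"]

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_LE_SSL_CONF), ("fixed", FIXED_LE_SSL_CONF)):
        print(label)
        for host, (src, cert) in cert_report([DEFAULT_SSL_CONF, conf], HOSTS).items():
            print(f"  {host:24} -> {cert}  ({src})")
```

Run as-is, the "broken" report sends cargo-hemat.com to the self-signed localhost.crt from ssl.conf while www.cargo-hemat.com gets the Let's Encrypt chain, which is exactly the symptom in the SSL Labs screenshots; the "fixed" report sends both names to fullchain.pem. On a live server the same check is `grep -r ServerName /etc/httpd` followed by comparing load order, which is what the replies above ask for.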

Hi,

So how can I do that?

Hi,

I could solve my problem by changing the content in ssl.conf to the content of the conf generated by certbot.

My reference is from this link:

Thanks,

1 Like

The common way is to have, in sites-available, in a single file, both the http and https virtualhost, like this:


<VirtualHost *:80>
  # one ServerName per vhost; extra names go in ServerAlias
  # (a second ServerName line would simply replace the first)
  ServerName example.com
  ServerAlias www.example.com

  # do stuff: serve unencrypted content, redirect, whatever
</VirtualHost>
<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com

  # TLS on, using the certbot-issued files (standard /etc/letsencrypt/live layout)
  SSLEngine on
  SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

  # do other stuff: serve encrypted content, etc etc
</VirtualHost>

I haven’t used apache in a long time though.

Then you symlink this file in sites-enabled and reload apache.

1 Like