My website shows my certificate is invalid but when I click on details it shows up as valid

My domain is: iulia-heinrich.com

My web server is (include version):

The operating system my web server runs on is (include version): Wordpress

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.10.1

When I'm opening my website with Chrome it shows up as Not Secure. Clicking on it says that my certificate is not valid, but if I then click on view certificate it tells me that the certificate is valid.

2 Likes

You will want your certificate to cover both www.iulia-heinrich.com and iulia-heinrich.com. For the purposes of SSL, these are different domain names.

At the moment, your certificate only covers www.iulia-heinrich.com. That's why Chrome produces an error when you visit https://iulia-heinrich.com.

So if you got your certificate using a command like:

certbot --apache

you might consider trying:

certbot --apache -d iulia-heinrich.com -d www.iulia-heinrich.com

to make sure both domains are covered.

2 Likes

Both domains are covered. I had to manually add the one without the www. Running that command got me this on the terminal:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Plugins selected: Authenticator apache, Installer apache

Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/iulia-heinrich.com.conf)

What would you like to do?
1: Attempt to reinstall this existing certificate

2: Renew & replace the cert (may be subject to CA rate limits)

2 Likes

The certificate being served at https://iulia-heinrich.com is missing the other domain, so you probably have ended up with two different certificates installed.

Try checking the output of:

sudo certbot certificates

If it shows that you have two different certificates, you could then:

  1. Modify your Apache configuration to only use the certificate that covers both domains, and then
  2. Delete the unwanted certificate with certbot delete

4 Likes

Try this:

certbot run --cert-name iulia-heinrich.com --apache -d "iulia-heinrich.com,www.iulia-heinrich.com" --keep

It will update your current certificate named iulia-heinrich.com with the apex and www.

@_az

I agree with your synopsis. I like establishing a solid certificate under a known name. That way we know where the cruft is.

2 Likes

Alright, I have two certificates. One points to both while another one points to just the www. one. I tried sudo certbot delete --cert-name example.com on the one that has just the www and now the website is down.

2 Likes

Try the command I gave you.

2 Likes

I think I deleted the wrong certificate. I'm getting this error now.

Error while running apache2ctl configtest.

Action 'configtest' failed.

The Apache error log may have more information.

AH00526: Syntax error on line 35 of /etc/apache2/sites-enabled/iulia-heinrich.com-le-ssl.conf:

SSLCertificateFile: file '/etc/letsencrypt/live/www.iulia-heinrich.com/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.

The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 35 of /etc/apache2/sites-enabled/iulia-heinrich.com-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/www.iulia-heinrich.com/fullchain.pem' does not exist or is empty\n")

2 Likes

Well, step #1 was to modify your Apache configuration so that it no longer used the unwanted certificate.

You should still be able to go into /etc/apache2/sites-enabled and modify the files so that they point to the correct certificate.

3 Likes
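The check implied by step #1, as an added example that is not part of the original thread: before deleting a certbot lineage, list the Apache directives that still point into it, and report any referenced certificate file that is missing or empty. The function names and the overridable directory parameters are assumptions; the default paths are the ones that appear in the error output above.

```shell
#!/bin/sh
# Added example (not from the thread). Defaults follow the paths in the
# error output above; all three directories can be overridden.

# Directives that name a certificate, chain or key file.
DIRECTIVE='^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]+'

# cert_refs LINEAGE [CONF_DIR] [LIVE_DIR]
# Print file:line:directive for each directive pointing into
# LIVE_DIR/LINEAGE/. Exit status 0 if any reference exists, 1 if none.
cert_refs() {
    conf_dir=${2:-/etc/apache2/sites-enabled}
    live_dir=${3:-/etc/letsencrypt/live}
    # Escape dots so "www.example" cannot match "wwwXexample".
    target=$(printf '%s' "$live_dir/$1/" | sed 's/\./\\./g')
    # -R (not -r): sites-enabled holds symlinks, which GNU grep -r skips.
    grep -RnEs "${DIRECTIVE}\"?${target}" "$conf_dir"
}

# missing_cert_files [CONF_DIR]
# Print each referenced path that does not exist or is empty, the
# condition behind the "does not exist or is empty" configtest error.
missing_cert_files() {
    conf_dir=${1:-/etc/apache2/sites-enabled}
    grep -RhEs "$DIRECTIVE" "$conf_dir" |
    while read -r _directive path _rest; do
        path=${path#\"}; path=${path%\"}   # strip optional quotes
        [ -s "$path" ] || printf '%s\n' "$path"
    done
}

# Usage: sh check-cert-refs.sh LINEAGE   (the certificate name shown by
# "certbot certificates"). Exits non-zero while any vhost still points
# at the lineage.
if [ "$#" -gt 0 ]; then
    if cert_refs "$@"; then
        echo "still referenced: repoint the lines above before deleting $1" >&2
        exit 1
    fi
    echo "no Apache references to $1 found"
fi
```

Run it against the lineage you intend to remove, then run `apache2ctl configtest` after repointing any directives it lists.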

Correct. If you run the command I gave you, it should fix that automatically.

@_az

Why update? Running with that --cert-name should use it, right? Ouch. Is there any little-known certbot behavior that will ignore the apache configuration problem (for bootstrapping purposes)?

2 Likes

I ran that command and I got the error above. I will have a look at the Apache configuration and see if I can modify it by hand.

2 Likes

Ah. My bad. Didn't realize certbot would check the apache config. _az, as usual, is right on track. I was just hoping to save you the effort.

My plan was to:

  1. Establish the right certificate under the right name.
  2. Clean up the cruft after apache was reloaded by certbot.

Unfortunately, I don't think that even certbot rollback can save you here.

2 Likes

Awesome. It worked! Thank you!

3 Likes

Thank you for taking the time to help me. Both of you are awesome!

3 Likes

:partying_face:

Glad we could help!

By the by, for future reference, using --cert-name lets you name your certificate and modifies the configuration associated with that certificate. --keep reinstalls your existing certificate if it's unmodified (to keep from acquiring a duplicate and risking hitting the rate limits).

Your Complete Certificate History
3 Likes

Is this expected? :thinking:

2 Likes

Sorry for the late reply. Yes it is supposed to look like that. My pages are private for now.

3 Likes
