NET::ERR_CERT_AUTHORITY_INVALID CentOS 7

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.spoopytripwire.com

I ran this command: certbot --apache -d spoopytripwire.com -d www.spoopytripwire.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/spoopytripwire.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/httpd/sites-available/tripwire-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/tripwire-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.


Congratulations! You have successfully enabled https://spoopytripwire.com and
https://www.spoopytripwire.com


My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

For some reason my site seems to be serving a self-signed cert instead of my certbot one. I tried reinstalling as well as renewing, with no change. I think I have a configuration issue but I'm not sure where to look. Any advice?

1 Like

Is your SSL Site enabled?
/etc/httpd/sites-enabled/tripwire-le-ssl.conf

2 Likes

I don't have a tripwire-le-ssl.conf, but in my tripwire.conf I have:

<VirtualHost *:80>
ServerName www.spoopytripwire.com
ServerAlias spoopytripwire.com
DocumentRoot /var/www/tripwire/public
ErrorLog /var/www/tripwire/log/error.log
CustomLog /var/www/tripwire/log/reqests.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.spoopytripwire.com [OR]
RewriteCond %{SERVER_NAME} =spoopytripwire.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

1 Like

Your certbot shows this file:

What says:
ls -l /etc/httpd/sites-enabled/

If tripwire-le-ssl.conf IS NOT present in your enabled sites you should consider enabling it:

a2ensite tripwire-le-ssl.conf
Then restart apache.

2 Likes

OK, I enabled tripwire-le-ssl.conf:

<VirtualHost *:443>
ServerName www.spoopytripwire.com
ServerAlias spoopytripwire.com
DocumentRoot /var/www/tripwire/public
ErrorLog /var/www/tripwire/log/error.log
CustomLog /var/www/tripwire/log/reqests.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/spoopytripwire.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/spoopytripwire.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/spoopytripwire.com/chain.pem
</VirtualHost>

Restarted Apache and no change.

1 Like

What says?:
apachectl -S
or maybe it is:
httpd -S

2 Likes

*:80 www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire.conf:1)
*:443 is a NameVirtualHost
default server www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire-le-ssl.conf:2)
alias spoopytripwire.com
port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-available/tripwire-le-ssl.conf:2)
alias spoopytripwire.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/tripwire/public"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

1 Like

One of the names is loaded three times:

port 443 namevhost www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire-le-ssl.conf:2)
port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-available/tripwire-le-ssl.conf:2)

You need to check your main config; it should only include files from /sites-enabled/.
The ssl.conf file is probably redundant and should be deleted.

1 Like

The change we made to the main config is:
IncludeOptional sites-enabled/*.conf

The only things in sites-enabled are tripwire.conf and now tripwire-le-ssl.conf.

Is that it or something else?

1 Like

Somehow /sites-available/ is also being included, which makes that one file load twice.
But more importantly:

As it comes first, it will be matched first and served for that name.

1 Like
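As an added example (not part of any post in this thread), here is a small POSIX shell script that checks httpd -S / apachectl -S output for exactly the situation diagnosed above: the same hostname defined on the same port in more than one file, with the first definition being the one Apache serves. The sample listings it parses are constructed from the output posted in the thread (with the indentation a real run prints); the function names find_duplicate_vhosts and check_live_server are my own and not from Apache or certbot.

```shell
#!/bin/sh
# Added example, not from the thread: parse `httpd -S` (or `apachectl -S`)
# output and report every hostname that is defined more than once on the same
# port, together with the definition Apache will actually use. Apache picks the
# FIRST <VirtualHost> whose ServerName/ServerAlias matches the requested name,
# so a leftover vhost in conf.d/ssl.conf (shipped with the distro's self-signed
# cert) silently wins over the certbot-generated sites-enabled/*-le-ssl.conf,
# which is what NET::ERR_CERT_AUTHORITY_INVALID in the browser reflects.

# Constructed sample, modelled on the `httpd -S` output posted in the thread.
SAMPLE_DUPLICATE='VirtualHost configuration:
*:80                   www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire.conf:1)
*:443                  is a NameVirtualHost
         default server www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire-le-ssl.conf:2)
                 alias spoopytripwire.com
         port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-available/tripwire-le-ssl.conf:2)
                 alias spoopytripwire.com
ServerRoot: "/etc/httpd"'

# Constructed sample of a clean configuration: one vhost per port.
SAMPLE_CLEAN='VirtualHost configuration:
*:443                  www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire-le-ssl.conf:2)
*:80                   www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire.conf:1)
ServerRoot: "/etc/httpd"'

# Reads `httpd -S` output on stdin. Prints one line per duplicated name:
#   <port> <name> <number of definitions> <file:line that wins>
# Prints nothing when every name/port pair is defined exactly once.
find_duplicate_vhosts() {
    awk '
        # Port with a single vhost: "*:80  host (file:line)"
        $1 ~ /^[*]:[0-9]+$/ && $2 != "is" {
            split($1, p, ":")
            record(p[2], $2, $3)
        }
        # Name-based port: "port 443 namevhost host (file:line)"
        # (the "default server" line repeats the first entry, so it is skipped)
        $1 == "port" && $3 == "namevhost" {
            record($2, $4, $5)
        }
        function record(port, name, src,   key) {
            key = port " " name
            if (!(key in first)) first[key] = src   # first definition wins
            count[key]++
        }
        END {
            for (key in count)
                if (count[key] > 1)
                    print key, count[key], first[key]
        }
    '
}

# Wrapper for a live host: run as root on the web server itself.
check_live_server() {
    httpd -S 2>/dev/null | find_duplicate_vhosts
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_DUPLICATE" | find_duplicate_vhosts
```

On the sample this prints one line, "443 www.spoopytripwire.com 3 (/etc/httpd/conf.d/ssl.conf:56)": the name is defined three times on 443 and the copy in ssl.conf is the one visitors get. When the reported winner is not the certbot vhost under sites-enabled, that file (or the Include that pulls it in) is what to remove; run httpd -t before restarting, then re-run the check until it prints nothing.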

Removing that file renders the site unable to start. I'm checking the config to see where it is being called, to have it call the other vhost instead.

I was able to find the reason for sites-available showing up and have corrected that:

*:443 is a NameVirtualHost
default server www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire-le-ssl.conf:2)
alias spoopytripwire.com
*:80 www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire.conf:1)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/tripwire/public"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

1 Like

OK, I was able to address the duplicate issue:

VirtualHost configuration:
*:443 www.spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
*:80 www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire.conf:1)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/tripwire/public"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

1 Like

Here are the contents of both ssl.conf and tripwire-le-ssl.conf:

1 Like

Is no longer being used.
ssl.conf is probably crashing with it because your main config defines the hostname as www.spoopytripwire.com (bad practice).

1 Like

Changing the server name from www to just spoopytripwire.com seems to have resolved it.

Thanks!

1 Like

Hmm, I may have spoken too soon; when we log in we get an insecure message.

1 Like

And after rebooting my machine none of the certs are working again.

1 Like

Please show:
apachectl -S
httpd -S
[again]

2 Likes

Hi, I'm working with Elvish on this project.
apachectl -S outputs nothing;
httpd -S outputs:
VirtualHost configuration:
*:443 is a NameVirtualHost
default server spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost spoopytripwire.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost spoopytripwire.com (/etc/httpd/sites-enabled/tripwire-le-ssl.conf:2)
alias www.spoopytripwire.com
*:80 www.spoopytripwire.com (/etc/httpd/sites-enabled/tripwire.conf:1)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/tripwire/public"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

1 Like

It still shows spoopytripwire.com in ssl.conf.
Please show:
sudo grep -Ri spoopytripwire.com /etc/httpd/

1 Like