Net::err_cert_authority_invalid

Help
1

Hello how are you? This is my first time installing an SSL certificate and I am following these steps about certbot. I receive the error NET :: ERR_CERT_AUTHORITY_INVALID after having created the certificate for https://pueblosdeloeste.com.ar/ and for https://elsoldelcaminoreal.com.ar. I have been seeing the answers to other people with similar problems.
The only one that I see myself agree with is that the certificates are being served twice, but I don't know how to modify it.

Other than that, I understand so little that I'm probably making another mistake. Could you please guide me? Thank you for your answer

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: pueblosdeloeste.com.ar, elsoldelcaminoreal.com.ar.

I ran this command: echo | openssl s_client -connect pueblosdeloeste.com.ar:443 -servername pueblosdeloeste.com.ar 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain

It produced this output: echo | openssl s_client -connect pueblodeloeste.com.ar:443 -servername pueblodeloeste.com.ar 2> / dev / null | awk '/ Certificate chain /, / --- /'
Certificate chain
0 s: / C = - / ST=SantaFe/L=Rosario/O=Dattatec.com/OU=IT/CN=centos6.dattaweb.com/emailAddress=root@centos6.dattaweb.com
i: / C = - / ST=SantaFe/L=Rosario/O=Dattatec.com/OU=IT/CN=centos6.dattaweb.com/emailAddress=root@centos6.dattaweb.com
1 s: / C = US / O = GeoTrust Inc./OU=Domain Validated SSL / CN = GeoTrust DV SSL CA - G4
i: / C = US / O = GeoTrust Inc./CN=GeoTrust Global CA
2 s: / C = US / O = GeoTrust Inc./OU=Domain Validated SSL / CN = GeoTrust DV SSL SHA256 CA - G2
i: / C = US / O = GeoTrust Inc./OU=(c) 2008 GeoTrust Inc. - For authorized use only / CN = GeoTrust Primary Certification Authority - G3
3 s: / C = US / O = GeoTrust Inc./CN=RapidSSL SHA256 CA - G3
i: / C = US / O = GeoTrust Inc./CN=GeoTrust Global CA
4 s: / C = US / O = GeoTrust Inc./CN=RapidSSL SHA256 CA
i: / C = US / O = GeoTrust Inc./CN=GeoTrust Global CA
5 s: / C = US / O = thawte, Inc./OU=Domain Validated SSL / CN = thawte DV SSL CA - G2
i: / C = US / O = thawte, Inc./OU=Certification Services Division / OU = (c) 2006 thawte, Inc. - For authorized use only / CN = thawte Primary Root CA

My web server is (include version): CentOS Linux release 7.9.2009 (Core)

The operating system my web server runs on is (include version): CentOS

My hosting provider, if applicable, is: donweb

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.15.0

2 Likes
2

Hi @curchunflo, and welcome to the LE community forum :slight_smile:

How did you get a cert for this domain?
[the name doesn't resolve to any IP for me]
[nor can I find any certs issued for that domain: crt.sh | pueblodeloeste.com.ar ]

3 Likes
3

The cert you can see via openssl is using DigiCert Cert Manager acme services (I think), however I think the first problem is that your public website is using the default self signed certificate installed when you setup your web server, not this cert.

You also need to have a certificate subject that exactly matches the domain(s) you are trying to serve the website for. centos6 is your server name, not your website name, you need a cert for your website name if you want to be able to browse to it in a web browser.

4 Likes
4

Hello, thank you very much for your help. I think the problem is when I installed certbot. I ignored this error:

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError ('Cannot find Apache executable apachectl')

I've been looking for how to solve it but haven't found anything that works for me. Apparently certbot can't find it.

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

UPDATE:

It was not installed :slight_smile:
yum install python-certbot-apache

now I get a new error:

sudo certbot certonly --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel): malacate.ar
Attempting to parse the version 1.15.0 renewal configuration file found at /etc/letsencrypt/renewal/elsoldelcaminoreal.com.ar.conf with version 1.11.0 of Certbot. This might not work.
Attempting to parse the version 1.15.0 renewal configuration file found at /etc/letsencrypt/renewal/pueblosdeloeste.com.ar.conf with version 1.11.0 of Certbot. This might not work.
Requesting a certificate for malacate.ar
Performing the following challenges:
http-01 challenge for malacate.ar
Cleaning up challenges
Error while running apachectl graceful.

Job for httpd.service invalid.

Unable to restart apache using ['apachectl', 'graceful']
Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Encountered exception during recovery: MisconfigurationError: Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.
[root@sd-1987764-l /home/malacate/public_html] # systemctl status httpd.service
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Active: failed (Result: exit-code) since jue 2021-05-27 20:48:15 -03; 10s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 19529 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=1/FAILURE)
Process: 20875 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Main PID: 20875 (code=exited, status=1/FAILURE)

may 27 20:48:14 sd-1987764-l.dattaweb.com systemd[1]: Starting The Apache HTTP Server...
may 27 20:48:15 sd-1987764-l.dattaweb.com httpd[20875]: (98)Address already in use: AH00072: make_sock: could n...]:80
may 27 20:48:15 sd-1987764-l.dattaweb.com httpd[20875]: (98)Address already in use: AH00072: make_sock: could n...0:80
may 27 20:48:15 sd-1987764-l.dattaweb.com httpd[20875]: no listening sockets available, shutting down
may 27 20:48:15 sd-1987764-l.dattaweb.com httpd[20875]: AH00015: Unable to open logs
may 27 20:48:15 sd-1987764-l.dattaweb.com systemd[1]: httpd.service: main process exited, code=exited, status=1...LURE
may 27 20:48:15 sd-1987764-l.dattaweb.com systemd[1]: Failed to start The Apache HTTP Server.
may 27 20:48:15 sd-1987764-l.dattaweb.com systemd[1]: Unit httpd.service entered failed state.
may 27 20:48:15 sd-1987764-l.dattaweb.com systemd[1]: httpd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
[root@sd-1987764-l /home/malacate/public_html] # systemctl start httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

2 Likes
5

Apache is failing to start, you should check the apache logs to see why, something like:

sudo journalctl -u httpd.service --since today --no-pager

2 Likes
6

Hi! Thank you for your help. This is the output:

sudo journalctl -u httpd.service --since today --no-pager

-- No entries --

The link you send me doesn't work :frowning:

Thank you very much

2 Likes
7

I think the "s" fell off at the end:

https://www.digitalocean.com/community/tutorials/how-to-troubleshoot-common-apache-errors
6 Likes
8

Hi @curchunflo,

I did a little checking around and your domain names are on a shared hosting provided by dattaweb.com. The name servers shown for your domains have over 78,000 other domains on them as well. The CA showing is DattaWeb's server certificate.

Name Servers NS10.HOSTMAR.COM (has 78,379 domains)
NS9.HOSTMAR.COM (has 78,379 domains)

Tech Contact —
IP Address 200.58.108.82 - 2 other sites hosted on this server

The IP address for the 2 domain names you provide above also has a 3rd domain associated with it:

Reverse IP Lookup Results — 3 domains hosted on IP address 200.58.108.82

Domain View Whois Record Screenshots
1. elsoldelcaminoreal.com.ar
2. malacate.ar
3. pueblosdeloeste.com.ar

Checking out those name servers for HostMar.com, this doesn't not look so good.
https://ns.tools/hostmar.com

Using crt.sh | elsoldelcaminoreal.com.ar I see you got 2 LE certs on 26 May, 2021 and 1 cert from cPanel on 14 April, 2021 (which has quite a few subdomains listed). However, none of these 3 certs are being served.

You also got 2 LE certs for malacate.ar on 28 May, 2021, but neither one is being used. Also, there are 2 certs by cPanel you got on 13 May, 2021 for malacate.ar with several subdomains. Neither of these certs are being used either.

It appears you did use cPanel to obtain some certs, and then used CertBot for additional certs. None are being used as your Apache is not restarting.

First line of order is fixing the Apache problem, installing one of the certs you have, then restarting the server so it will serve the cert. I'm afraid I have to head off to bed (3:00 AM here). I'll check on this tomorrow if no one else has jumped in before hand.

3 Likes
9

Hi Jim! Thank you very much for your time and your help. Finnally it was a server problem. They have their own panel, and they sell SSL certificates, so they make VERY difficult to automate the process.

BTW if somebody who has a DonWeb server whants the solution, here is it:

1 > Generar/renovar el SSL

2 > Copiar el "fullchain.pem" de cada dominio en
/opt/apache/conf/ssl.crt/DOMINIO.crt

3 > Copiar el "privkey.pem" de cada dominio en
/opt/apache/conf/ssl.key/DOMINIO.key

4 > Ejecutar en la consola el comando
/scripts/installssl -u USUARIO -d DOMINIO -e

They never told me this, I have been almost a week looking for solutions and they knew it, but they didn't tell me nothing with the pourpose of make me pay more money, and I not have that money and need the certificates.

Now, I have to think how to automate it, so I am reading bash, :frowning:
But, at least is a new problem.

Thank you very much!

3 Likes
10

UPDATE: I have been able to create the certificates correctly for https://www.sottileeccellenza.com.ar but when entering the domain it still shows as not secure. If I force HTTPS I get an 'too many redirects' error.
Could you please help me understand what I am missing and how could I solve it? I greatly appreciate your response.

2 Likes
11

How are you doing the redirection?
The "loop" implies that HTTP is redirecting to HTTPS and then HTTPS is also redirecting back to itself.
[perhaps you are using an .htaccess file and both the HTTP and HTTPS paths are using the same folder]

3 Likes
12

Hi! Thanks for answering! I'm doing it through the hosting panel, which has an option to force https
Should I delete the /public_html/.htaccess?

3 Likes
13

Yes, let's start with that and go from there.

2 Likes
14

it was that!! thank you very much! really!

3 Likes
15

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.