Net::err_cert_authority_invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.example.com

I ran this command: sudo certbot certonly --apache -w /var/www/html -d www.example.com -d example.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.example.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel):
2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/www.example.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/www.example.com/privkey.pem
    Your cert will expire on 2018-12-28. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version): Apache/2.4.34 (Fedora)

The operating system my web server runs on is (include version): Fedora release 28

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Hi @DefiantPanda

if you use certonly, you have to install the certificate manual. This isn't done, there is a "localhost.localdomain" - certificate.

You have 4 certificates created. So the next try -> limit 5 certificates.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.example.com&lu=cert_search

Please share your apache configuration.

Sorry what part of the apache do you want? Just the conf file?

ServerRoot “/etc/httpd”
Listen 80
Include conf.modules.d/*.conf
ServerAdmin myemailaddress@blah.com
ServerName www.example.com

AllowOverride none
Require all denied

DocumentRoot “/var/www/html”
<Directory “/var/www”>
AllowOverride none
Require all granted

<Directory “/var/www/html”>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted

DirectoryIndex index.html

<Files “.ht*”>
Require all denied

ErrorLog “logs/error_log”

LogLevel: Control the number of messages logged to the error_log.

Possible values include: debug, info, notice, warn, error, crit,

alert, emerg.

LogLevel warn

# # The following directives define some format nicknames for use with # a CustomLog directive (see below). # LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
  # You need to enable mod_logio.c to use %I and %O
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog "logs/access_log" combined

AddDefaultCharset UTF-8

TypesConfig /etc/mime.types

AddType application/x-compress .Z
AddType application/x-gzip .gz .tgz


AddType text/html .shtml
AddOutputFilter INCLUDES .shtml
MIMEMagicFile conf/magic

EnableSendfile on

IncludeOptional conf.d/*.conf

There is an additional ssl-configuration file, there are the definitions.

But: You can create 5 certificates per week with the same domain name set, so you should try one time without “certonly”. Perhaps the installation works - and you don’t need to change your configuration manual.

sudo certbot --apache -w /var/www/html -d www.example.com -d example.com

Unfortunately that didn’t work

Are there errors?

Your copy has only the port 80 - part, not the 443-part.

Check

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

LoadModule ssl_module modules/mod_ssl.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile "/path/to/www.example.com.cert"
    SSLCertificateKeyFile "/path/to/www.example.com.key"
</VirtualHost>

in one config file from conf.d/*.conf. Port 443 is running, so there must be a place with "SSLCertificateFile" etc.

The httpd.conf file loads the ssl.conf file

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCacheTimeout  300


SSLRandomSeed startup file:/dev/urandom  256  
SSLRandomSeed connect builtin

SSLCryptoDevice builtin


<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443


ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLProtocol all -SSLv3
SSLProxyProtocol all -SSLv3


SSLHonorCipherOrder on


SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM


SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key


<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars 
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>


BrowserMatch "MSIE [2-5]" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0


CustomLog logs/ssl_request_log \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

Hi,

Could you please try this command?
apachectl -S (this would print all configuration files in use by Apache) (you might need to replace apachectl to apache2ctl if there’s a not found message)

Thank you

Running that command got no response
Thanks

Hi,

It should not load with no output…
I could see that your web server is Apache /2.4.34 which should have some meaningful output when executing apachectl -S…

The website example.com serves the correct certificate, could you also please try to locate the virtual host / configuration file for that site?

Thank you

In httpd.conf it says

# Supplemental Configuration
#
# Load config files in the "/etc/httpd/conf.d" directory, if any.
IncludeOptional conf.d/*.conf

In vhost.conf it has

<VirtualHost *:80>
    DocumentRoot /var/www/html
    ServerName www.example.com
    ServerAlias example.com
    ServerAdmin sdfsdf883812@blah.com.au
 RewriteEngine on
 RewriteCond %{SERVER_NAME} =example.com [OR]
 RewriteCond %{SERVER_NAME} =www.example.com
 RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

There you see the usage of your "localhost" - certificate.

Use

certbot certificates

to find the informations of one of your certificates, replace SSLCertificateFile and SSLCertificateKeyFile, reload your server.

Thankyou, that worked.

How do you flag a moderator?

@moderators

Thank you (or you are welcome)

Moderation note: Per @DefiantPanda’s request, I’ve edited everyone’s posts to change their domain name to example.com.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.