Net::err_cert_authority_invalid

Info below. This problem occurred spontaneously (i.e., I caused it at some unknown point). The hostname (which I assume wouldn’t be exposed to the world) is “frodo” and Chrome reports that certificate is issued to “frodo” and issued by “frodo” and /var/log/httpd/ssl_error has errors like: “ssl:warn] [pid 22036] AH01909: RSA certificate configured for bdsmfreestories.com:443 does NOT include an ID which matches the server name”

I guess certbot is picking up the hostname – probably because of something dumb I did – but I have no idea how this occurred or how to fix it. It’s curious, this cert covers bdsmfreestories.com, www.bdsmfreestories.com, dev1.bdsmfreestories.com and dev2.bdsmfreestories.com and both of the dev sites work fine.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bdsmfreestories.com

I ran this command: It produced this output: The problem occurred at some unknown point. I did force a renewal and that didn’t change anything:

certbot --force-renewal renew

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/bdsmfreestories.com.conf

Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for bdsmfreestories.com
http-01 challenge for dev1.bdsmfreestories.com
http-01 challenge for dev2.bdsmfreestories.com
http-01 challenge for www.bdsmfreestories.com
Waiting for verification…
Cleaning up challenges

new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/bdsmfreestories.com/fullchain.pem

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/bdsmfreestories.com/fullchain.pem (success)

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: CentOS 7.6.1810

Yes, I can login to a root shell

No, I’m NOT using cpanel/WHM/etc.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

What’s this show:

apachectl -t -D DUMP_VHOSTS

You might have multiple virtual hosts that match bdsmfreestories.com, and the one that’s actually in effect may have the old/default certificate.

2 Likes

Hi @novice

there are some certificates - https://check-your-website.server-daten.de/?q=bdsmfreestories.com

Issuer                        not before   not after    Domain names                                                                                                LE-Duplicate      next LE
Let's Encrypt Authority X3    2019-07-15   2019-10-13   bdsmfreestories.com, dev1.bdsmfreestories.com, dev2.bdsmfreestories.com, www.bdsmfreestories.com (4 entries)   duplicate nr. 1
Let's Encrypt Authority X3    2019-06-01   2019-08-30   bdsmfreestories.com, dev1.bdsmfreestories.com, dev2.bdsmfreestories.com, www.bdsmfreestories.com (4 entries)
Let's Encrypt Authority X3    2019-04-02   2019-07-01   bdsmfreestories.com, dev1.bdsmfreestories.com, dev2.bdsmfreestories.com, www.bdsmfreestories.com (4 entries)

But you don't use one of these, instead there is a self signed certificate:

E=root@frodo, CN=frodo, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
not before: 02.10.2018
not after: 02.10.2019
expires in 79 days

Did you restart your server?

What says

apachectl -S
1 Like

[root@frodo certs]# apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.

I see that's an error, but I don't know how to solve it. Here's how I would examine the vhosts:

[root@frodo certs]# ls -l /etc/httpd/sites-available/
total 24
-rw-r--r--. 1 root root 391 Oct 2 2018 dev1.bdsmfreestories.com.conf
-rw-r--r--. 1 root root 554 Oct 2 2018 dev1.bdsmfreestories.com-le-ssl.conf
-rw-r--r--. 1 root root 391 Oct 2 2018 dev2.bdsmfreestories.com.conf
-rw-r--r--. 1 root root 554 Oct 2 2018 dev2.bdsmfreestories.com-le-ssl.conf
-rw-r--r--. 1 root root 659 Jul 15 16:17 main.bdsmfreestories.com.conf
-rw-r--r--. 1 root root 764 Oct 2 2018 main.bdsmfreestories.com-le-ssl.conf

Sorry, didn’t realize you are on CentOS:

httpd -t -D DUMP_VHOSTS
1 Like

Yes, I don’t know how/why I have a self-signed cert or how it’s being served. I guess the CN=frodo is the problem. I don’t know where that is set and I’m pretty certain that only certbot has modified the SSL files since I set up Let’s Encrypt.

Yes, I restarted the server before posting. Sorry not to mention that.

apachectl -S produces no output (just returns the prompt).

That happens if you have multiple vHosts with the same ServerName / ServerAlias.

So the wrong vHost (or the default vHost with a self signed certificate) is used.

apachectl -S should show your vHost configuration.

Are the sites in /sites-available/ enabled (as symlinks in /sites-enabled/)? Perhaps no site is enabled -> the standard vHost is used.

On recent Fedora/CentOS, you need to call httpd, not apache2.

2 Likes

Thanks, yep, some of these details I don't know

1 Like

Below is the vhosts info. Is this ok?

[root@frodo letsencrypt]# httpd -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server dev1.bdsmfreestories.com (/etc/httpd/sites-enabled/dev1.bdsmfreestories.com.conf:1)
         port 80 namevhost dev1.bdsmfreestories.com (/etc/httpd/sites-enabled/dev1.bdsmfreestories.com.conf:1)
         port 80 namevhost dev2.bdsmfreestories.com (/etc/httpd/sites-enabled/dev2.bdsmfreestories.com.conf:1)
         port 80 namevhost bdsmfreestories.com (/etc/httpd/sites-enabled/main.bdsmfreestories.com.conf:1)
                 alias www.bdsmfreestories.com
*:443                  is a NameVirtualHost
         default server bdsmfreestories.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bdsmfreestories.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bdsmfreestories.com (/etc/httpd/sites-available/main.bdsmfreestories.com-le-ssl.conf:2)
                 alias www.bdsmfreestories.com
         port 443 namevhost dev1.bdsmfreestories.com (/etc/httpd/sites-available/dev1.bdsmfreestories.com-le-ssl.conf:2)
         port 443 namevhost dev2.bdsmfreestories.com (/etc/httpd/sites-available/dev2.bdsmfreestories.com-le-ssl.conf:2)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

There is a duplicate. Merge these two definitions into one definition, remove the other version (or change the ServerName to a non-existent domain name, so you can reuse it).

One vHost per port with the non-www as ServerName and the www as ServerAlias (or changed).

1 Like
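The duplicate that the `httpd -S` listing above reveals is easy to miss by eye once a server has more than a handful of vhosts. As an added example (not code posted in this thread), the script below parses the DUMP_VHOSTS format that Apache 2.4 prints and reports every address:port on which the same ServerName or ServerAlias is claimed by more than one VirtualHost. Apache uses the first definition it parsed, so the first location reported is the one in effect and the rest are shadowed; that is exactly how the default vhost in ssl.conf ended up serving the self-signed "frodo" certificate instead of the Let's Encrypt one. The embedded sample is the listing from this thread, abridged and re-indented; the script name in the usage note is hypothetical.

```python
"""Find duplicate name-based virtual hosts in `httpd -S` / `apachectl -S` output.

Added example, not code from the thread. It parses the DUMP_VHOSTS listing that
Apache 2.4 prints and reports every address:port on which one ServerName or
ServerAlias is claimed by more than one <VirtualHost>. Apache serves the first
definition it parsed, so a later Let's Encrypt vhost can be shadowed by the
default one in ssl.conf, which is what happened in this thread.
"""
import re
from collections import defaultdict

# Constructed sample: the `httpd -S` listing posted in the thread, abridged.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server dev1.bdsmfreestories.com (/etc/httpd/sites-enabled/dev1.bdsmfreestories.com.conf:1)
         port 80 namevhost dev1.bdsmfreestories.com (/etc/httpd/sites-enabled/dev1.bdsmfreestories.com.conf:1)
         port 80 namevhost dev2.bdsmfreestories.com (/etc/httpd/sites-enabled/dev2.bdsmfreestories.com.conf:1)
         port 80 namevhost bdsmfreestories.com (/etc/httpd/sites-enabled/main.bdsmfreestories.com.conf:1)
                 alias www.bdsmfreestories.com
*:443                  is a NameVirtualHost
         default server bdsmfreestories.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bdsmfreestories.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost bdsmfreestories.com (/etc/httpd/sites-available/main.bdsmfreestories.com-le-ssl.conf:2)
                 alias www.bdsmfreestories.com
         port 443 namevhost dev1.bdsmfreestories.com (/etc/httpd/sites-available/dev1.bdsmfreestories.com-le-ssl.conf:2)
         port 443 namevhost dev2.bdsmfreestories.com (/etc/httpd/sites-available/dev2.bdsmfreestories.com-le-ssl.conf:2)
ServerRoot: "/etc/httpd"
"""

ADDR_RE = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
VHOST_RE = re.compile(r"^\s*port \d+ namevhost (\S+) \((.+):(\d+)\)\s*$")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(dump):
    """Return {addr_port: [(names, path, line), ...]} in the order Apache parsed them.
    names[0] is the ServerName, the rest are its ServerAlias entries."""
    vhosts = defaultdict(list)
    current = None
    for line in dump.splitlines():
        m = ADDR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = VHOST_RE.match(line)
        if m and current:
            vhosts[current].append(([m.group(1)], m.group(2), int(m.group(3))))
            continue
        m = ALIAS_RE.match(line)
        if m and current and vhosts[current]:
            vhosts[current][-1][0].append(m.group(1))
    return dict(vhosts)


def find_duplicates(vhosts):
    """Return {(addr_port, name): ["path:line", ...]} for every name defined more
    than once on the same address:port. The first location listed is the one
    Apache actually uses; the others are shadowed."""
    dups = {}
    for addr, entries in vhosts.items():
        owners = defaultdict(list)
        for names, path, lineno in entries:
            for name in names:
                owners[name].append(f"{path}:{lineno}")
        for name, locs in owners.items():
            if len(locs) > 1:
                dups[(addr, name)] = locs
    return dups


if __name__ == "__main__":
    import sys
    # Read a real listing from stdin if one is piped in, else use the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    for (addr, name), locs in find_duplicates(parse_vhosts(text)).items():
        print(f"{addr} {name}: in effect {locs[0]}, shadowed {', '.join(locs[1:])}")
```

Run it against a live server with `httpd -S 2>&1 | python3 find_dup_vhosts.py` (on CentOS the binary is httpd, as noted above). On the sample it reports the *:443 duplicate of bdsmfreestories.com, with /etc/httpd/conf.d/ssl.conf:56 in effect and the -le-ssl.conf vhost shadowed.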

Bingo! That file is the default version, so I'm not sure why it's matching now, but didn't previously. It had no ServerName. I uncommented the default (www.example.com) and restarted httpd and now everything works.

Many thanks!

2 Likes

Yep, now my browser is happy. :+1:

1 Like

Default behavior in some versions of CentOS uses the default HTTPS server vs. the explicitly-configured one, depending on whether or not the file that defines the explicitly-configured HTTPS service comes alphabetically before or after ssl.conf (!!). I remember that @joohoi had come up with a fix for this issue some months ago, but I can no longer remember the status of that fix or which versions of Certbot (and CentOS) would be affected.

This can sometimes explain very confusing behavior where some virtual hosts seem to work and others don’t, or where renaming a virtual host or reorganizing the configuration can change whether or not a site appears to work properly.

1 Like

The underlying issue here is that the LoadModule ssl_module exists only in the ssl.conf per default, so every <IfModule ssl_module> coming before that when parsing the configuration files in alphabetical order gets ignored.

The fix, which should already be in version 0.35.1 that @novice is running, is adding LoadModule ssl_module to the main httpd.conf before the inclusion of separate VirtualHost config files. I don’t know why this didn’t work here…
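The parse-order effect described in the two posts above is worth seeing concretely, because it produces exactly the symptom from this thread: a correctly written Let's Encrypt vhost that is simply absent from `httpd -S`. The following is an added example, not code from the thread, Certbot or Apache. It simulates how httpd evaluates `<IfModule>` at parse time while walking Include'd files alphabetically, then shows the same files once LoadModule ssl_module is placed in httpd.conf ahead of the Include. All file names and contents are constructed samples; `evaluate` and `demo` are names chosen here.

```python
"""Simulate how Apache decides <IfModule> blocks in Include order.

Added example, not code from the thread, Certbot or Apache. It models the
failure mode described above: httpd reads Include'd files in alphabetical
order and evaluates each <IfModule> when it parses it, so a <VirtualHost>
wrapped in <IfModule mod_ssl.c> is silently dropped if the LoadModule for
mod_ssl has not been seen yet (for example when it lives only in ssl.conf and
the vhost file sorts before it). It then shows the fix the post describes:
LoadModule ssl_module in httpd.conf ahead of the Include line. All file names
and contents below are constructed samples.
"""
import fnmatch
import re

LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(\S+)")
IFMODULE_OPEN_RE = re.compile(r"^\s*<IfModule\s+(!?)([^\s>]+)\s*>")
IFMODULE_CLOSE_RE = re.compile(r"^\s*</IfModule>")
INCLUDE_RE = re.compile(r"^\s*Include(?:Optional)?\s+(\S+)")
SERVERNAME_RE = re.compile(r"^\s*ServerName\s+(\S+)")


def _module_ids(ident, path):
    # <IfModule> accepts the module identifier (ssl_module) or its source file
    # name (mod_ssl.c); derive the latter from the .so path.
    return {ident, re.sub(r"\.so$", ".c", path.rsplit("/", 1)[-1])}


def evaluate(files, entry="httpd.conf"):
    """Parse `files` ({path: text}) starting at `entry` the way httpd would.
    Returns (active, skipped): lists of (ServerName, path) that survive parsing
    or are discarded because an enclosing <IfModule> was false at that point."""
    loaded, active, skipped = set(), [], []

    def parse(path):
        stack = []  # truth value of each enclosing <IfModule>
        for line in files[path].splitlines():
            m = IFMODULE_OPEN_RE.match(line)
            if m:
                negate, ident = m.group(1) == "!", m.group(2)
                stack.append((ident in loaded) != negate)
                continue
            if IFMODULE_CLOSE_RE.match(line):
                stack.pop()
                continue
            live = all(stack)
            m = SERVERNAME_RE.match(line)
            if m:
                (active if live else skipped).append((m.group(1), path))
                continue
            if not live:
                continue  # directive inside a false <IfModule>: ignored
            m = LOADMODULE_RE.match(line)
            if m:
                loaded.update(_module_ids(m.group(1), m.group(2)))
                continue
            m = INCLUDE_RE.match(line)
            if m:
                # Apache expands the glob and processes matches alphabetically
                for sub in sorted(fnmatch.filter(files, m.group(1))):
                    parse(sub)

    parse(entry)
    return active, skipped


# Constructed sample: a Certbot-style vhost file (sorts before ssl.conf) and a
# distribution ssl.conf that carries the LoadModule plus a default vhost.
LE_VHOST = "conf.d/bdsmfreestories.com-le-ssl.conf"
CONF_D = {
    LE_VHOST: """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName bdsmfreestories.com
</VirtualHost>
</IfModule>
""",
    "conf.d/ssl.conf": """\
LoadModule ssl_module modules/mod_ssl.so
<VirtualHost _default_:443>
    ServerName www.example.com
</VirtualHost>
""",
}
BROKEN = {"httpd.conf": "IncludeOptional conf.d/*.conf\n", **CONF_D}
FIXED = {"httpd.conf": "LoadModule ssl_module modules/mod_ssl.so\n"
                       "IncludeOptional conf.d/*.conf\n", **CONF_D}


def demo():
    """Return both outcomes so they can be compared side by side."""
    return {"broken": evaluate(BROKEN), "fixed": evaluate(FIXED)}


if __name__ == "__main__":
    for label, (active, skipped) in demo().items():
        print(f"{label}: active={active} skipped={skipped}")
```

In the broken layout only www.example.com from ssl.conf survives and the bdsmfreestories.com vhost is dropped, so the default (self-signed) vhost answers on 443; with LoadModule moved into httpd.conf both vhosts are active, and the Let's Encrypt one is parsed first.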
