totally new to certificates.
apache 2.2.15
centos 6.3
ran this —all tho I have tried several of the suggestions
sudo ~/certbot-auto --authenticator webroot --installer apache -d www.mcarton.ca
have a virtual host on port 80
Everything appeared normal during the certificate creation and the changes to httpd.conf
now using ssllabs ---- it says I have a certificate but the name on it is Centos 6 not www.mcarton.ca
common name does not match!
what am I doing wrong?
Hi @silverwater,
Your certificate was issued by the certificate authority
https://crt.sh/?Identity=%mcarton.ca&iCAID=16418
but apparently Certbot did not manage to reconfigure your Apache server correctly to make it use the new certificate. Instead, your Apache server is still using a built-in self-signed certificate created by your operating system, which allows HTTPS connections but produces a browser warning.
I don’t know why this is, but do you happen to have a copy of the complete output from one of the times that you ran Certbot?
And could you perhaps run a command like this?
grep -ir sslcert /etc/httpd
thanks schoen,
[root@Centos6 conf]# sudo ~/certbot-auto --authenticator webroot --installer apache -d www.mcarton.ca
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Cert not yet due for renewal
You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.
(ref: /etc/letsencrypt/renewal/www.mcarton.ca-0002.conf)
I ran the grep command you suggested.
I ran the cerbot from secure shell connection------could this be a problem? just thinking that is where it got the CENTOS6 name from. Might I need to logged in at the server?
I will have to wait until I can have another “try” as I have used all my attempts----unless you can reset it
Could you run ~/certbot-auto certificates to see which certificates you have? The -0002 is likely a sign of a problem because your renewed certificates might be getting stored in a different certificate lineage (that your web server isn’t currently pointed at).
[root@Centos6 conf.d]# ~/certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/www.mcarton.ca-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/www.mcarton.ca-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/www.mcarton.ca.conf produced an unexpected error: expected /etc/letsencrypt/live/www.mcarton.ca/cert.pem to be a symlink. Skipping.
Found the following certs:
Certificate Name: www.mcarton.ca-0002
Domains: www.mcarton.ca
Expiry Date: 2018-04-19 15:02:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.mcarton.ca-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mcarton.ca-0002/privkey.pem
I may have deleted these files…I am not sure.
Well, deleting those files may have broken Certbot somehow (and it may not be producing a useful error as it should). Certbot expects all of the files that it creates in /etc/letsencrypt to continue to be present unless you delete a particular certificate with certbot delete.
However, the /etc/letsencrypt/live/www.mcarton.ca-0002/cert.pem file was properly renewed—it’s valid until April!—so the more immediate question is why your Apache isn’t making use of it.
@bmw, do you have any thoughts about this or anything to suggest trying?
checking more log files I find that an attempt to access https://www.mcarton.ca shows in the default apache log - /etc/var/log/ssl-access_log ever time I try SSLabs test.
So this log is pointed to by /var/httpd/conf.d/ssl.conf ; so it seems that apache is using this ssl.conf in the conf.d folder.
so this is where it goes wrong…how can we stop apache from using ssl.conf?
does this make sense?
Normally it’s OK to have the default ssl.conf still present because it should only apply to virtual hosts for which no more specific certificate has been specified.
in the apache config file it includes all *.conf files in conf.d folder ---- in alphabetic order.
well ahead of the directive at the bottom of the apache httpd.conf file. for this new certificate and listening on 443…I assume the first conf file would out do the second attempt to listen on 443.
can you point me to an example of what httpd.conf and httpd-le-ssl.conf should look like.
Here is the end of my httpd.conf
<VirtualHost *:80>
ServerAdmin info@mcarton.ca
DocumentRoot /var/www/html/mcartonnew/
ServerName www.mcarton.ca
ErrorLog logs/mcarton.ca-error_log
CustomLog logs/mcarton.ca-access_log common
<Location /server-status>
SetHandler server-status
Order allow,deny
Allow from all
#Include /etc/letsencrypt/options-ssl-apache.conf
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.mcarton.ca-0002/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.mcarton.ca-0002/privkey.pem
#Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.mcarton.ca-0002/chain.pem
wondering if this might help
apachectl -S
[root@Centos6 conf.d]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server www.mcarton.ca (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost www.mcarton.ca (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost www.mcarton.ca (/etc/httpd/conf/httpd-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server www.mcarton.ca (/etc/httpd/conf/httpd.conf:1016)
port 80 namevhost www.mcarton.ca (/etc/httpd/conf/httpd.conf:1016)
Syntax OK
thanks for your help today.
After looking at the above output I realized that it had 2 directives for the Virtual Host at port 443…so edited out the virtual Host in …/conf.d/ssl.conf…no the same output looks much better.
[root@Centos6 conf]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server www.mcarton.ca (/etc/httpd/conf/httpd-le-ssl.conf:2)
port 443 namevhost www.mcarton.ca (/etc/httpd/conf/httpd-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server www.mcarton.ca (/etc/httpd/conf/httpd.conf:1016)
port 80 namevhost www.mcarton.ca (/etc/httpd/conf/httpd.conf:1016)
alias mcarton.ca
Syntax OK
now only one option for port 443.
ran the ssllabs test again…and YES it finds the right certificate.
But the original cerbot-auto command did not alter the httpd configuration correctly----so beware.
Now that I have it working ---- how can I redirect all request to http://mcarton.ca to the secure port?
what can I do about the missing files ---- can I get a whole new certificate after april?
thanks for you help.
Hi @silverwater and thanks for opening the discussion about the issue!
Ok, so for the original problem, here’s what I think went wrong:
(I’ll have to do some guessing work and assumptions here)
As your apachectl -S command output suggests, it looks like you have (had) two VirtualHosts competing to serve the ServerName www.mcarton.ca. The other one was pre-existing ssl.conf and the other one was configured by Certbot. Unfortunately when Apache goes through your configuration, it seems to prioritize the ssl.conf one, mostly because of the order of Include statements in the main httpd.conf.
So this has resulted in the situation where Certbot thought it configured your Apache correctly (and in one sense it did), Apache still picks the unchanged ssl.conf instead of the new httpd-le-ssl.conf. The “correct” fix here would have been to remove the ServerName www.mcarton.ca from the ssl.conf so the SSL configuration file generated by Certbot would have taken the preference.
What I would do in your situation, would be to remove both (please take a backup first):
ServerName directive from ssl.conf
VirtualHost that Certbot generated: httpd-le-ssl.conf.And then proceed to re-run Certbot with the exact same command line you originally ran it. When Certbot asks you the following question:
You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.mcarton.ca.conf)
What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel):
You would select 1 to let Certbot recreate the httpd-le-ssl.conf. After this I would think that your configuration should be good. You will also be asked if you want to have Certbot configure your HTTP VirtualHost to redirect to the new HTTPS one.
I’m not completely sure what happened with the renewal configuration files that Certbot is complaining about, but that shouldn’t affect the renewal of the existing, correct one.
Please be aware that since you are using certbot-auto you should take care of configuring the scheduled renewal manually. More information about this can be found at https://certbot.eff.org/#centos6-apache under the title “Automating renewal”.
What comes to the original issue about Certbot possibly choosing the wrong VirtualHost for the base of the new configuration I would need to know if the ServerName www.mcarton.ca directive existed in the ssl.conf originally, or if you manually added it after running Certbot. We have an issue up for the VirtualHost selection in our Github, where I will link this thread to.
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.