New SSL Certificate not working NameMismatch and ChainErrors

My domain is: notjustdetails.com , www.notjustdetails.com

I ran this command: sudo certbot --apache
I tried a few days ago and failed the listening at port 80.
Today I figured that out and added to my httpd.conf
Listen 80
<VirtualHost *80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://www.notjustdetails.com

I ran the same sudo certbot —apache and received a successful message
but the site does not go to SSL. When I checked the URL with SSL labs, I received the RemoteCertificateNameMismatch error and RemoteCertificateChainErrors
I also went to the [https://check-your-website.server-daten.de] site and saw that some of my images were by IP so I changed the server alias to include the IP. I also noticed that the Redirect should be
Redirect permanent / https://notjustdetails.com (not with www) so I changed that too
I also saw certbot had added rewrite lines to the virtualhost, so it was like the examples I see. So currently httpd.conf has
<VirtualHost *80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com xxx.xxx.xx.xxx
Redirect permanent / https://notjustdetails.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.notjustdetails.com [OR]
RewriteCond %{SERVER_NAME} =notjustdetails.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

I tried sudo certonly --apache and it did not work
I checked the httpd-le-ssl.conf
and it still had my old redirect

so I tried again with sudo certbot --apache
Option 1: Attempt to reinstall this existing certificate
Option 2: Redirect
It generated this error message but says it was otherwise successful
Failed redirect for notjustdetails.com
Unable to set enhancement redirect for notjustdetails.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
IMPORTANT NOTES - We were unable to set up enhancement redirect for your server, however, we successfully installed your certificate.

The URL still does not go to ssl and I get the same errors
So I just tried changing the redirect line in httpd-le-ssl.conf which still pointed to the www address.
I decided to manually edit the Redirect Permanent line
Now it looks like
<VirtualHost *80:443>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/notjustdetails.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/notjustdetails.com/chain.pem

and it still doesn’t work
I’m really new to this and I’m not sure how to get my certificate to have the correct name.
I noticed I don’t have any separate 443 virtual host lines. Do I need one in httpd? Do I need to separate the one virtual host that was created in the SSL conf?

Thanks in advance for your help
I feel very stuck with this

My web server is (include version): Digital Ocean droplet

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): Y

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): current - this is a new install

Thanks!
Christine

Hi @Christine

reading your check you have created one certificate - https://check-your-website.server-daten.de/?q=notjustdetails.com

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-04-04 2020-07-03 notjustdetails.com, www.notjustdetails.com - 2 entries duplicate nr. 1

May be the certonly command has worked.

Did you restart your server?

What says

sudo apachectl -S

PS: Or

sudo httpd -S
1 Like

Thank you @JuergenAuer. I thought I was restarting the server but I was apparently using the incorrect command … So I did and got these errors
[Sat Apr 04 23:26:40.136861 2020] [core:error] [pid 6110] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 – ignoring!
[Sat Apr 04 23:26:40.138226 2020] [core:error] [pid 6110] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 – ignoring!
AH00558: httpd: Could not reliably determine the server’s fully qualified domain name, using ::1. Set the ‘ServerName’ directive globally to suppress this message
VirtualHost configuration:
*:443 ::1 (/etc/httpd/conf.d/ssl.conf:56)

So I explicitly defined the ServerName and restarted again

[Sat Apr 04 23:32:39.410938 2020] [core:error] [pid 6118] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 – ignoring!
[Sat Apr 04 23:32:39.412404 2020] [core:error] [pid 6118] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 – ignoring!
VirtualHost configuration:
*:443 notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot …

Editing - noticed the missing : in the *:80 - fixed that and have

[Sat Apr 04 23:41:27.542021 2020] [core:error] [pid 6128] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 – ignoring!
VirtualHost configuration:
*:80 notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
*:443 notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot …

but the SSL still isn’t working…
thanks
Christine

Read your output:

<VirtualHost *80>

is wrong, must be

<VirtualHost *:80>

And one vHost only with one port, not with two.

@JuergenAuer. thank you - I fixed that in httpd.conf so I think the problem must be in httpd-le-ssl.conf
It has

<VirtualHost *80:443>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/notjustdetails.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/notjustdetails.com/chain.pem

When I split this, do I keep all of the lines in both? or are the first 3 with 80 and the rest with 443?

Thanks

Now I have a serious problem
I split into two tags and it didn’t work (even though no errors)

<VirtualHost *:80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/

Include /etc/letsencrypt/options-ssl-apache.conf

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/notjustdetails.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/notjustdetails.com/chain.pem

after restart
VirtualHost configuration:
*:80 is a NameVirtualHost
default server notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
port 80 namevhost notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
alias www.notjustdetails.com
alias 165.227.39.217
port 80 namevhost notjustdetails.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.notjustdetails.com
*:443 is a NameVirtualHost
default server notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost notjustdetails.com (/etc/httpd/conf/httpd-le-ssl.conf:10)

But it still didn’t work
Then I noticed SSL Labs was saying my alternate names were invalid- so I thought maybe I shouldn’t have the www one at all
So I commented out the server alias lines and the ones with the www and tried to install the cert again - thinking it might work with just the notjustdetails.com
After I pushed typed 2 for redirect, I got this horrible error

Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Enhancement redirect was already set.
Error while running apachectl graceful.
Job for httpd.service invalid.
Unable to restart apache using [‘apachectl’, ‘graceful’]
Error while running apachectl restart.
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
Rolling back to previous server configuration…
Error while running apachectl graceful.
Job for httpd.service invalid.
Unable to restart apache using [‘apachectl’, ‘graceful’]
Error while running apachectl restart.
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.
Encountered exception during recovery:
Traceback (most recent call last):
File “/usr/lib/python2.7/site-packages/certbot/_internal/error_handler.py”, line 125, in _call_registered
self.funcs-1
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 627, in _rollback_and_restart
self.installer.restart()
File “/usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py”, line 2324, in restart
self._reload()
File “/usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py”, line 2351, in _reload
raise errors.MisconfigurationError(error)
MisconfigurationError: Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/help with details about your
    configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/notjustdetails.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/notjustdetails.com-0001/privkey.pem
    Your cert will expire on 2020-07-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”
  • Some rewrite rules copied from /etc/httpd/conf/httpd.conf were
    disabled in the vhost for your HTTPS site located at
    /etc/httpd/conf/httpd-le-ssl.conf because they have the potential
    to create redirection loops.

So commenting those out was clearly the wrong thing to do - and I don’t know why it didn’t ask if I wanted to replace… really need help. thanks

I am trying to restart the httpd.service and it says

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --apacheq

Note: I decided the failure deserves its own problem

Why do you want to split that? You have already a port 80 definition. Please read the basics of the Apache documentation.

<VirtualHost *:443>

nothing else. Trial and error is always wrong.

PS: And you have already a certificate, so you don’t need a second. If your configuration is buggy, it must be fixed.

Your main virtualhost is the port 443 one. On port 80 you only need this:

<VirtualHost *:80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
</VirtualHost>

and then run certbot enhance --redirect

1 Like

There is already a port 80 vHost.

I know, it looks like a copy of the port 443 one, though.

I thought maybe I need a new one that corrects the redirect line.
My main problem with why the certificate wasn’t trusted was that it was saying the Name didn’t match so how do I correct the name on the certificate to make it right without getting a new one?

Also, that virtual host was created as <VirtualHost *80:443> (automatically by the install program) so I thought it was trying to be elements of both

Sorry, I’m so confused with this - I have been looking at the documentation…

Thank you - @9peppe. That answers what I should have done there. virtual host 80 was already in httpd.conf. Does it need to be in the SSL config too?

You only need it once.

For each domain(1), you want a pot 80 virtualhost and a port 443 one.

They are independent:

  • the port 80 one is only needed to validate certificates and redirect to port 443.
  • the port 443 one actually serves the website.

(1): multiple domains can share the same pair of port 80 and 443 virtualhosts.

That’s only possible if

  • the port 80 vHost is wrong (*80 instead of *:80) and
  • if the program doesn’t check such fatal config errors.

But if a configuration is buggy, then a program may create the next buggy vHost.

Every vHost must be correct and every combination of port and domain name must be unique -> no duplicate vHosts.

PS: There

is your first error.

Before I did that, I couldn’t get past the HTTP -01 challenge
Where was I supposed to add the port 80 listening for that?

Or if you mean the typo error - yes I agree. Was a big mistake.

thank you for your help

I don’t know your current configuration.

Again

apachectl -S

That must look good.

1 Like

NOTE: It was a mistake to add the virtual port to the existing httpd.conf file
Create a new .conf file in the httpd/conf.d folder to hold virtual host 80
websitename.conf
Then try the instructions on the Letsencrypt site
Things worked much better for me after that.

After I fixed everything, I also never needed apachectl -S
Restart worked fine.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.