New SSL Certificate not working NameMismatch and ChainErrors

My domain is: notjustdetails.com , www.notjustdetails.com

I ran this command: sudo certbot --apache
I tried a few days ago and failed the listening at port 80.
Today I figured that out and added to my httpd.conf
Listen 80
<VirtualHost *80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://www.notjustdetails.com

I ran the same sudo certbot --apache and received a successful message
but the site does not go to SSL. When I checked the URL with SSL labs, I received the RemoteCertificateNameMismatch error and RemoteCertificateChainErrors
I also went to the [https://check-your-website.server-daten.de] site and saw that some of my images were by IP so I changed the server alias to include the IP. I also noticed that the Redirect should be
Redirect permanent / https://notjustdetails.com (not with www) so I changed that too
I also saw certbot had added rewrite lines to the virtualhost, so it was like the examples I see. So currently httpd.conf has
<VirtualHost *80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com xxx.xxx.xx.xxx
Redirect permanent / https://notjustdetails.com
RewriteEngine on
RewriteCond %{SERVER_NAME} =www.notjustdetails.com [OR]
RewriteCond %{SERVER_NAME} =notjustdetails.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

I tried sudo certonly --apache and it did not work
I checked the httpd-le-ssl.conf
and it still had my old redirect

so I tried again with sudo certbot --apache
Option 1: Attempt to reinstall this existing certificate
Option 2: Redirect
It generated this error message but says it was otherwise successful
Failed redirect for notjustdetails.com
Unable to set enhancement redirect for notjustdetails.com
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection
IMPORTANT NOTES - We were unable to set up enhancement redirect for your server, however, we successfully installed your certificate.

The URL still does not go to ssl and I get the same errors
So I just tried changing the redirect line in httpd-le-ssl.conf which still pointed to the www address.
I decided to manually edit the Redirect Permanent line
Now it looks like
<VirtualHost *80:443>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/notjustdetails.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/notjustdetails.com/chain.pem

and it still doesn’t work
I’m really new to this and I’m not sure how to get my certificate to have the correct name.
I noticed I don’t have any separate 443 virtual host lines. Do I need one in httpd? Do I need to separate the one virtual host that was created in the SSL conf?

Thanks in advance for your help
I feel very stuck with this

My web server is (include version): Digital Ocean droplet

The operating system my web server runs on is (include version): CentOS7

My hosting provider, if applicable, is: none

I can login to a root shell on my machine (yes or no, or I don’t know): Y

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): N

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): current - this is a new install

Thanks!
Christine

Hi @Christine

reading your check you have created one certificate - https://check-your-website.server-daten.de/?q=notjustdetails.com

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2020-04-04 2020-07-03 notjustdetails.com, www.notjustdetails.com - 2 entries duplicate nr. 1

May be the certonly command has worked.

Did you restart your server?

What says

sudo apachectl -S

PS: Or

sudo httpd -S

Thank you @JuergenAuer. I thought I was restarting the server but I was apparently using the incorrect command … So I did and got these errors
[Sat Apr 04 23:26:40.136861 2020] [core:error] [pid 6110] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 -- ignoring!
[Sat Apr 04 23:26:40.138226 2020] [core:error] [pid 6110] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 -- ignoring!
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using ::1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 ::1 (/etc/httpd/conf.d/ssl.conf:56)

So I explicitly defined the ServerName and restarted again

[Sat Apr 04 23:32:39.410938 2020] [core:error] [pid 6118] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 -- ignoring!
[Sat Apr 04 23:32:39.412404 2020] [core:error] [pid 6118] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 -- ignoring!
VirtualHost configuration:
*:443 notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot …

Editing - noticed the missing : in the *:80 - fixed that and have

[Sat Apr 04 23:41:27.542021 2020] [core:error] [pid 6128] (EAI 2)Name or service not known: AH00547: Could not resolve host name *80 -- ignoring!
VirtualHost configuration:
*:80 notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
*:443 notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
ServerRoot …

but the SSL still isn’t working…
thanks
Christine

Read your output:

<VirtualHost *80>

is wrong, must be

<VirtualHost *:80>

And one vHost only with one port, not with two.
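A small checker for exactly the two address mistakes named above, added here as an illustration; it is not code from this thread, from Apache or from Certbot. It reads each `<VirtualHost ...>` opening the way Apache does (an address, then an optional `:port`) and reports an address such as `*80`, which Apache cannot recognise as `*`, `_default_`, an IP or a hostname and therefore tries to resolve as a hostname (the AH00547 lines posted earlier), an address with no port at all, and an address carrying more than one port. It also reports an unclosed block. The sample configuration is constructed to mirror the three openings posted in the thread and is not anyone's real file.

```python
import re

# Constructed sample in httpd.conf syntax, modelled on the three <VirtualHost>
# openings posted in this thread; it is not anyone's real configuration file.
SAMPLE_CONF = """\
Listen 80
<VirtualHost *80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/
</VirtualHost>
<VirtualHost *80:443>
ServerName notjustdetails.com
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
</VirtualHost>
<VirtualHost *:443>
ServerName notjustdetails.com
SSLEngine on
</VirtualHost>
"""

OPEN_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
CLOSE_RE = re.compile(r"^\s*</VirtualHost\s*>", re.IGNORECASE)
# The address part Apache accepts: '*', '_default_', an IPv4 address or a hostname
# (IPv6 literals contain ':' and are split separately below).
HOST_RE = re.compile(r"^(\*|_default_|[A-Za-z0-9.\-]+)$")


def check_addr(addr):
    """Return a problem description for one address spec, or None if it is fine."""
    if addr.startswith("["):                      # IPv6 literal, e.g. [::1]:443
        host, sep, port = addr.rpartition("]:")
        host = host + "]" if sep else addr
    else:
        host, sep, port = addr.partition(":")
    if not (host.startswith("[") or HOST_RE.match(host)):
        # The '*80' case: Apache sees no port, tries to resolve '*80' as a
        # hostname, logs AH00547 and ignores the whole vHost.
        return "%r is not '*', '_default_', an IP address or a hostname" % host
    if not sep:
        return "no ':port' given, so the vHost applies to every Listen port; write *:80 or *:443"
    if not port.isdigit():
        return "port %r is not a single number (one vHost, one port)" % port
    return None


def lint_vhosts(text):
    """Return [(line_number, message)] for every <VirtualHost> problem found."""
    findings = []
    open_line = None
    for lineno, line in enumerate(text.splitlines(), 1):
        m = OPEN_RE.match(line)
        if m:
            if open_line is not None:
                findings.append((open_line, "<VirtualHost> not closed before the next one"))
            open_line = lineno
            for addr in m.group(1).split():       # several addresses may share a block
                problem = check_addr(addr)
                if problem:
                    findings.append((lineno, "%s: %s" % (addr, problem)))
        elif CLOSE_RE.match(line):
            if open_line is None:
                findings.append((lineno, "</VirtualHost> without a matching opening"))
            open_line = None
    if open_line is not None:
        findings.append((open_line, "<VirtualHost> never closed"))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_vhosts(SAMPLE_CONF):
        print("line %d: %s" % (lineno, message))
```

Run against the sample it flags lines 2 and 7 (the `*80` and `*80:443` openings) and accepts `*:443`; pointing it at a real httpd.conf or a file under conf.d before restarting is cheaper than reading the error log afterwards.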

@JuergenAuer. thank you - I fixed that in httpd.conf so I think the problem must be in httpd-le-ssl.conf
It has

<VirtualHost *80:443>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/notjustdetails.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/notjustdetails.com/chain.pem

When I split this, do I keep all of the lines in both? or are the first 3 with 80 and the rest with 443?

Thanks

Now I have a serious problem
I split into two tags and it didn’t work (even though no errors)

<VirtualHost *:80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
Redirect permanent / https://notjustdetails.com/

Include /etc/letsencrypt/options-ssl-apache.conf

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/notjustdetails.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/notjustdetails.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/notjustdetails.com/chain.pem

after restart
VirtualHost configuration:
*:80 is a NameVirtualHost
default server notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
port 80 namevhost notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
alias www.notjustdetails.com
alias 165.227.39.217
port 80 namevhost notjustdetails.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias www.notjustdetails.com
*:443 is a NameVirtualHost
default server notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost notjustdetails.com (/etc/httpd/conf/httpd-le-ssl.conf:10)

But it still didn’t work
Then I noticed SSL Labs was saying my alternate names were invalid, so I thought maybe I shouldn't have the www one at all
So I commented out the server alias lines and the ones with the www and tried to install the cert again - thinking it might work with just the notjustdetails.com
After I typed 2 for redirect, I got this horrible error

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.
Error while running apachectl graceful.
Job for httpd.service invalid.
Unable to restart apache using ['apachectl', 'graceful']
Error while running apachectl restart.
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Rolling back to previous server configuration...
Error while running apachectl graceful.
Job for httpd.service invalid.
Unable to restart apache using ['apachectl', 'graceful']
Error while running apachectl restart.
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
Encountered exception during recovery:
Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/_internal/error_handler.py", line 125, in _call_registered
self.funcs[-1]()
File "/usr/lib/python2.7/site-packages/certbot/_internal/client.py", line 627, in _rollback_and_restart
self.installer.restart()
File "/usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py", line 2324, in restart
self._reload()
File "/usr/lib/python2.7/site-packages/certbot_apache/_internal/configurator.py", line 2351, in _reload
raise errors.MisconfigurationError(error)
MisconfigurationError: Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

Error while running apachectl restart.

Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.

IMPORTANT NOTES:

  • An error occurred and we failed to restore your config and restart
    your server. Please post to
    https://community.letsencrypt.org/c/help with details about your
    configuration and this error you received.
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/notjustdetails.com-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/notjustdetails.com-0001/privkey.pem
    Your cert will expire on 2020-07-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the "certonly" option. To non-interactively renew all of
    your certificates, run "certbot renew"
  • Some rewrite rules copied from /etc/httpd/conf/httpd.conf were
    disabled in the vhost for your HTTPS site located at
    /etc/httpd/conf/httpd-le-ssl.conf because they have the potential
    to create redirection loops.

So commenting those out was clearly the wrong thing to do, and I don't know why it didn't ask if I wanted to replace... I really need help. Thanks

I am trying to restart the httpd.service and it says

usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --apacheq

Note: I decided the failure deserves its own problem

Why do you want to split that? You have already a port 80 definition. Please read the basics of the Apache documentation.

<VirtualHost *:443>

nothing else. Trial and error is always wrong.

PS: And you have already a certificate, so you don't need a second. If your configuration is buggy, it must be fixed.

Your main virtualhost is the port 443 one. On port 80 you only need this:

<VirtualHost *:80>
ServerName notjustdetails.com
ServerAlias www.notjustdetails.com
</VirtualHost>

and then run certbot enhance --redirect


There is already a port 80 vHost.

I know, it looks like a copy of the port 443 one, though.

I thought maybe I need a new one that corrects the redirect line.
My main problem with why the certificate wasn't trusted was that it was saying the Name didn't match so how do I correct the name on the certificate to make it right without getting a new one?

Also, that virtual host was created as <VirtualHost *80:443> (automatically by the install program) so I thought it was trying to be elements of both

Sorry, I'm so confused with this - I have been looking at the documentation...

Thank you - @9peppe. That answers what I should have done there. virtual host 80 was already in httpd.conf. Does it need to be in the SSL config too?

You only need it once.

For each domain(1), you want a port 80 virtualhost and a port 443 one.

They are independent:

  • the port 80 one is only needed to validate certificates and redirect to port 443.
  • the port 443 one actually serves the website.

(1): multiple domains can share the same pair of port 80 and 443 virtualhosts.

That's only possible if

  • the port 80 vHost is wrong (*80 instead of *:80) and
  • if the program doesn't check such fatal config errors.

But if a configuration is buggy, then a program may create the next buggy vHost.

Every vHost must be correct and every combination of port and domain name must be unique -> no duplicate vHosts.

PS: There

is your first error.

Before I did that, I couldn't get past the HTTP -01 challenge
Where was I supposed to add the port 80 listening for that?

Or if you mean the typo error - yes I agree. Was a big mistake.

thank you for your help

I don't know your current configuration.

Again

apachectl -S

That must look good.

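To make the "no duplicate vHosts" rule above concrete, and the point from the earlier reply that each domain needs exactly one port 80 and one port 443 vHost, here is an added example that is not code from the thread, from Apache or from Certbot. It parses `apachectl -S` output into a map of (port, name) to the vHosts that claim it, in the order Apache loaded them. Apache hands a request to the first vHost on that port whose ServerName or ServerAlias matches, and to the port's default vHost when nothing matches, so a later duplicate such as the Certbot-generated one in httpd-le-ssl.conf is never selected; on 443 the client then sees whichever certificate the first vHost carries (on a stock CentOS 7 ssl.conf that is the self-signed localhost certificate, which is one way to get a name mismatch even though the Let's Encrypt certificate on disk is correct). The sample output is constructed after the listing posted earlier in the thread, with the IP alias left out.

```python
import re

# Constructed `apachectl -S` output modelled on the listing posted earlier in
# this thread (same files and line numbers, IP alias omitted); it is sample data.
SAMPLE_OUTPUT = """\
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
         port 80 namevhost notjustdetails.com (/etc/httpd/conf/httpd.conf:43)
                 alias www.notjustdetails.com
         port 80 namevhost notjustdetails.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.notjustdetails.com
*:443                  is a NameVirtualHost
         default server notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost notjustdetails.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost notjustdetails.com (/etc/httpd/conf/httpd-le-ssl.conf:10)
ServerRoot: "/etc/httpd"
"""

HEADER_RE = re.compile(r"^(\S+):(\d+)\s+is a NameVirtualHost")
DEFAULT_RE = re.compile(r"^\s+default server (\S+) \((.+?)\)")
VHOST_RE = re.compile(r"^\s+port (\d+) namevhost (\S+) \((.+?)\)")
ALIAS_RE = re.compile(r"^\s+alias (\S+)")


def parse_apachectl_s(output):
    """Return (routes, defaults).

    routes:   (port, name) -> ["file:line", ...] of every vHost claiming that
              name on that port, in the order Apache loaded them.
    defaults: port -> "file:line" of the vHost used when no name matches.
    """
    routes = {}
    defaults = {}
    port = source = None
    for line in output.splitlines():
        m = HEADER_RE.match(line)
        if m:
            port = int(m.group(2))
            continue
        m = DEFAULT_RE.match(line)
        if m:
            defaults[port] = m.group(2)
            continue
        m = VHOST_RE.match(line)
        if m:
            port, name, source = int(m.group(1)), m.group(2), m.group(3)
            routes.setdefault((port, name), []).append(source)
            continue
        m = ALIAS_RE.match(line)
        if m and source is not None:          # an alias belongs to the last namevhost
            routes.setdefault((port, m.group(1)), []).append(source)
    return routes, defaults


def duplicate_routes(routes):
    """Every (port, name) claimed by more than one vHost; only the first is reachable."""
    return {key: sources for key, sources in routes.items() if len(sources) > 1}


def serving_vhost(routes, defaults, port, name):
    """The vHost Apache picks for `name` on `port`: first match wins, else the default."""
    sources = routes.get((port, name))
    return sources[0] if sources else defaults.get(port)


if __name__ == "__main__":
    routes, defaults = parse_apachectl_s(SAMPLE_OUTPUT)
    for (port, name), sources in sorted(duplicate_routes(routes).items()):
        print("duplicate %s on port %d: %s (only the first is used)"
              % (name, port, ", ".join(sources)))
    print("TLS for www.notjustdetails.com is answered by",
          serving_vhost(routes, defaults, 443, "www.notjustdetails.com"))
```

On the sample, all three (port, name) pairs are duplicated and every 443 request lands on the ssl.conf vHost, so the vHost Certbot wrote at httpd-le-ssl.conf:10 is dead configuration; the fix is to keep one vHost per port and put the SSLCertificate* directives in the one that actually answers.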

NOTE: It was a mistake to add the virtual port to the existing httpd.conf file
Create a new .conf file in the httpd/conf.d folder to hold virtual host 80
websitename.conf
Then try the instructions on the Letsencrypt site
Things worked much better for me after that.

After I fixed everything, I also never needed apachectl -S
Restart worked fine.
