Newbie getting beaten by ssl

Please fill in the fields below so that we can better assist you. Note: You must provide your domain name for help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so retaining your domain name here does not increase secrecy, but it just makes it harder for us to provide help.

My domain is: liberatti.com

I ran this command:

sudo snap install core; sudo snap update core
sudo yum install epel-release
sudo yum install snapd
sudo systemctl enable --now snapd.socket
sudo snap install core; sudo snap update core
sudo ln -s /var/lib/snapd/snap /snap
sudo snap install core; sudo snap update core
sudo snap install --certbot classic
sudo certbot --apache -d www.liberattigestao.com.br
sudo certbot --apache -d www.liberattigestao.com.br
sudo yum install mod_ssl
certbot install --cert-name liberattigestao.com.br
sudo sed -i '/certbot-auto/d' /etc/crontab
certbot certificates
sudo snap install --certbot classic
sudo bash -c 'grep -R liberattigestao.com.br /etc/{nginx,httpd,apache2}'
sudo certbot --apache -d www.liberattigestao.com.br

It produced this output:
I found the following certificates:
Certificate Name: liberattigestao.com.br

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: self-hosted apache - Centos 7

I can log into a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the control panel name and version): yes

My client version is (e.g. output from certbot --version or certbot-auto --version if you are using Certbot): certbot 1.28.0

Problem:
The certificate presented when accessing the site is self-signed and is not a valid SSL certificate from Let's Encrypt.
Where did I go wrong?

Hi @Souricardo, and welcome to the LE community forum 🙂

One word: Apache

Let's see what mischief it has gotten you into, with the output of:
apachectl -t -D DUMP_VHOSTS

3 Likes

Notice the different responses for "www" and apex:

curl -Iik https://www.liberattigestao.com.br/
HTTP/1.1 200 OK
Date: Thu, 09 Jun 2022 01:01:48 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
X-Powered-By: PHP/7.2.34
Set-Cookie: id_usuario_sabium=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: id_vendedor_sabium=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: id_usuario_sabium=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: id_vendedor_sabium=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: MYSQL_HOST=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: MYSQL_USER=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: MYSQL_PASSWORD=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: MYSQL_DB_NAME=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: id_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: nome_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: tipo_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: email_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: descricao_tipo_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: principal_empresa_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: empresa_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: imagem_usuario_painel=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: link=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: usuario=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Set-Cookie: senha=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0
Content-Type: text/html; charset=UTF-8

curl -Iik https://liberattigestao.com.br/
HTTP/1.1 301 Moved Permanently
Date: Thu, 09 Jun 2022 01:02:10 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
Location: http://liberattigestao.com.br/
Content-Type: text/html; charset=iso-8859-1

The second one actually forms a "permanent" loop [http > https > http > https > http > ...]:

curl -Iik http://liberattigestao.com.br/
HTTP/1.1 301 Moved Permanently
Date: Thu, 09 Jun 2022 01:03:19 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
Location: https://liberattigestao.com.br/
Content-Type: text/html; charset=iso-8859-1

curl -Iik https://liberattigestao.com.br/
HTTP/1.1 301 Moved Permanently
Date: Thu, 09 Jun 2022 01:03:30 GMT
Server: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/7.2.34
Location: http://liberattigestao.com.br/
Content-Type: text/html; charset=iso-8859-1
6 Likes

Thank you very much for the reception. I've seen that I'm among friends. Come on.
Follow:
[root@web01 conf.d]# apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using fe80::dad3:85ff:feb9:e294. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 is a NameVirtualHost
default server fe80::dad3:85ff:feb9:e294 (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost fe80::dad3:85ff:feb9:e294 (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost liberattigestao.com.br (/etc/httpd/conf.d/virtualhosts-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server liberattigestao.com.br (/etc/httpd/conf.d/virtualhosts.conf:1)
port 80 namevhost liberattigestao.com.br (/etc/httpd/conf.d/virtualhosts.conf:1)
port 80 namevhost www.provarejotop.com.br (/etc/httpd/conf.d/virtualhosts.conf:10)
alias provaejotop.com.br
[root@web01 conf.d]#

It seems that neither of them is doing the "www".
Please show files:

4 Likes
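The observation in the reply above, as an added example that is not part of the thread: a small parser for the `DUMP_VHOSTS` output posted earlier, reporting which virtual host Apache selects for a given port and Host name. It handles only the name-based layout shown in that output, and the function names `parse_vhosts` and `resolve` are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Vhost lines copied from the apachectl output posted in the thread.
DUMP = """\
*:443 is a NameVirtualHost
default server fe80::dad3:85ff:feb9:e294 (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost fe80::dad3:85ff:feb9:e294 (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost liberattigestao.com.br (/etc/httpd/conf.d/virtualhosts-le-ssl.conf:2)
*:80 is a NameVirtualHost
default server liberattigestao.com.br (/etc/httpd/conf.d/virtualhosts.conf:1)
port 80 namevhost liberattigestao.com.br (/etc/httpd/conf.d/virtualhosts.conf:1)
port 80 namevhost www.provarejotop.com.br (/etc/httpd/conf.d/virtualhosts.conf:10)
alias provaejotop.com.br
"""

LISTEN = re.compile(r"\S+:(\d+)\s+is a NameVirtualHost")
DEFAULT = re.compile(r"default server \S+ \((\S+:\d+)\)")
VHOST = re.compile(r"port \d+ namevhost (\S+) \((\S+:\d+)\)")

def parse_vhosts(dump):
    """Return {port: {"default": "file:line", "vhosts": [(names, "file:line"), ...]}}."""
    table, port = {}, None
    for line in map(str.strip, dump.splitlines()):
        if m := LISTEN.match(line):
            port = int(m.group(1))
            table[port] = {"default": None, "vhosts": []}
        elif port is None:
            continue  # warnings and banner lines before the first listener
        elif m := DEFAULT.match(line):
            table[port]["default"] = m.group(1)
        elif m := VHOST.match(line):
            table[port]["vhosts"].append(([m.group(1)], m.group(2)))
        elif line.startswith("alias ") and table[port]["vhosts"]:
            table[port]["vhosts"][-1][0].append(line.split()[1])
    return table

def resolve(table, port, host):
    """First vhost whose ServerName/ServerAlias matches wins; otherwise the default server."""
    entry = table.get(port)
    if entry is None:
        return None  # nothing listens on this port
    host = host.lower().rstrip(".")
    for names, where in entry["vhosts"]:
        if any(fnmatchcase(host, n.lower()) for n in names):
            return ("named", where)
    return ("default", entry["default"])

if __name__ == "__main__":
    table = parse_vhosts(DUMP)
    for port, host in [(443, "www.liberattigestao.com.br"), (443, "liberattigestao.com.br"),
                       (80, "www.liberattigestao.com.br")]:
        print(port, host, "->", resolve(table, port, host))
```

On port 443 the "www" name matches no named vhost and falls through to the default server at `ssl.conf:56`, while the apex name is served from `virtualhosts-le-ssl.conf:2`, which is consistent with the two different curl responses earlier in the thread.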
