Nginx with preferred-chain "ISRG Root X1" - still showing "DST Root CA X3"

The cert is not the problem.
The missing chain is the problem.

1 Like

We are already using fullchain.pem and the key file.
Generated through /usr/local/bin/certbot certonly --apache -d umeform.tookan.in --no-bootstrap -n --expand

Still unable to identify the issue.

Show the webserver vhost config file that serves that FQDN ("umeform.tookan.in").

<VirtualHost *:80>
    ServerName umeform.tookan.in
    Redirect / https://umeform.tookan.in
</VirtualHost>
<VirtualHost *:443>
    ServerName umeform.tookan.in
    DocumentRoot /var/www/html/umeCory/tookan-client-web-panel
    ErrorLog /var/log/httpd/default_error.log
    CustomLog /var/log/httpd/default_access.log combined
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /etc/letsencrypt/live/umeform.tookan.in-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/umeform.tookan.in-0001/privkey.pem
</VirtualHost>

Then your Apache program or its config may be (inadvertently) deceiving you.
Either:

  • you haven't totally restarted all apache threads since you made that vhost config (low probability)
    to that end, hard restart Apache or the entire server (if possible)

  • there is a name:port conflict and another vhost config is being used to serve it (high probability).
    to that end, let's have a look at the output of:
    sudo apachectl -t -D DUMP_VHOSTS
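The two checks suggested above (which vhost file Apache actually picks for a name, and which chain it really hands out) can be scripted. The following is an added example, not code from the thread: it parses a constructed, hypothetical `DUMP_VHOSTS` excerpt (the conf file names and the duplicate `umeform.tookan.in` entry are invented for illustration) and also defines a live check with `openssl s_client` for use against a real server. Apache's `Include conf.d/*.conf` loads files in alphabetical order, so when two vhosts declare the same ServerName on the same port, the one from the alphabetically earlier file wins, which is what the `aaaa...` file names in the thread are working around.

```shell
#!/bin/sh
# Added example: find which vhost config Apache serves for an FQDN, and
# inspect the chain a live server presents. Not from the original thread.

# Constructed sample of `apachectl -t -D DUMP_VHOSTS` output. The file names
# and the duplicate umeform.tookan.in vhost are hypothetical.
SAMPLE_DUMP='VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server 1uptoasted.tookan.in (/etc/httpd/conf.d/aaa1uptoasted.tookan.in.conf:7)
         port 443 namevhost 1uptoasted.tookan.in (/etc/httpd/conf.d/aaa1uptoasted.tookan.in.conf:7)
         port 443 namevhost umeform.tookan.in (/etc/httpd/conf.d/aaaaumeform.tookan.conf:7)
         port 443 namevhost umeform.tookan.in (/etc/httpd/conf.d/umeform.conf:6)'

# vhost_files_for FQDN DUMP
# Print "path:line" of every :443 namevhost entry for FQDN, in load order.
# The first line printed is the vhost Apache will actually use for that name.
vhost_files_for() {
    fqdn=$1
    dump=$2
    printf '%s\n' "$dump" | awk -v h="$fqdn" '
        $1 == "port" && $2 == "443" && $3 == "namevhost" && $4 == h {
            gsub(/[()]/, "", $5)   # strip the parentheses around path:line
            print $5
        }'
}

# count_vhosts FQDN DUMP
# Number of :443 vhosts declared for FQDN. Anything above 1 means a
# name:port conflict: only the first-loaded vhost is served.
count_vhosts() {
    vhost_files_for "$1" "$2" | wc -l | tr -d ' '
}

# live_dump FQDN
# Run the real command against the local Apache and filter for FQDN
# (equivalent to the grep suggested in the thread). Requires root/sudo.
live_dump() {
    sudo apachectl -t -D DUMP_VHOSTS | grep -i -- "$1"
}

# served_chain FQDN [PORT]
# Show the subject/issuer of every certificate the server actually sends.
# If the last issuer printed is "DST Root CA X3", the server is still
# serving the long chain regardless of what fullchain.pem on disk says.
# Needs network access; not run by the offline checks below.
served_chain() {
    host=$1
    port=${2:-443}
    printf '' | openssl s_client -connect "$host:$port" -servername "$host" -showcerts 2>/dev/null \
      | awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
      | awk -v RS='-----END CERTIFICATE-----\n' 'NF { print $0 RS > "/dev/stdout" }' \
      | while read -r line; do
            printf '%s\n' "$line"
        done \
      | openssl crl2pkcs7 -nocrl -certfile /dev/stdin 2>/dev/null \
      | openssl pkcs7 -print_certs -noout
}

# Stand-alone run: report on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    n=$(count_vhosts umeform.tookan.in "$SAMPLE_DUMP")
    echo "umeform.tookan.in is declared $n time(s) on :443"
    echo "Apache will serve it from:"
    vhost_files_for umeform.tookan.in "$SAMPLE_DUMP" | head -n 1
fi
```

Run `sh check_vhost.sh --demo` to see the offline report, `live_dump umeform.tookan.in` on the server itself, and `served_chain umeform.tookan.in` from any machine with network access to compare the served chain with what `fullchain.pem` contains.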

The same configuration is used by Apache, and I tried killing the PID and then starting it again!!
The issue is somewhere else, bro.

Can you show the output of:
[or is that super top secret stuff?]

VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server 1uptoasted.tookan.in (/etc/httpd/conf.d/aaa1uptoasted.tookan.in.conf:7)
port 443 namevhost 1uptoasted.tookan.in (/etc/httpd/conf.d/aaa1uptoasted.tookan.in.conf:7)
port 443 namevhost test12345678.tookan.in (/etc/httpd/conf.d/aaaaaaaaaaaaaaaaaaaaatest12345678.tookan.in.conf:6)
port 443 namevhost supplyhound.tookan.in (/etc/httpd/conf.d/aaaaaaaaaaasupplyhound.tookan.in.conf:5)
port 443 namevhost tamexpressdelivery.tookan.in (/etc/httpd/conf.d/aaaaaaaaatamexpressdelivery.tookan.in.conf:6)
port 443 namevhost yfs.tookan.in (/etc/httpd/conf.d/aaaaaaaayfs.tookan.in.conf:5)
port 443 namevhost tamexpresstest.tookan.in (/etc/httpd/conf.d/aaaatamexpresstest.tookan.in.conf:6)
port 443 namevhost tryparcel.tookan.in (/etc/httpd/conf.d/aaaatryparcel.tookan.in.conf:5)
port 443 namevhost umeform1.tookan.in (/etc/httpd/conf.d/aaaaumeform1.tookan.conf:7)
port 443 namevhost umeform2.tookan.in (/etc/httpd/conf.d/aaaaumeform2.tookan.conf:7)
port 443 namevhost umecory3.tookan.in (/etc/httpd/conf.d/aaaaumeform3.tookan.conf:7)

Sharing a few lines; there are 2000+ domains we are hosting.

OK try:
sudo apachectl -t -D DUMP_VHOSTS | grep -i umeform.tookan.in

Thanks mate this issue is sorted!

1 Like

Just a quick note for CentOS 7 users: I pushed a certbot update yesterday so that you can choose the shorter chain via --preferred-chain. Currently the update is in epel-testing, so you need to tell yum to use that repo explicitly.

The update will be available in the regular stable repo in two weeks. You can help get it into stable by installing the update from epel-testing and leaving positive karma there.

More details on how to get the update via Fedora bodhi.

3 Likes

AFAIK Apache 2.2 doesn't support putting the certificate chain in the SSLCertificateFile directive (it can do this starting from 2.4.8, according to the docs).
Try these 3 directives instead:

SSLCertificateFile /etc/letsencrypt/live/umeform.tookan.in-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/umeform.tookan.in-0001/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/umeform.tookan.in-0001/chain.pem
2 Likes
