Non trusted certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
lmsestudio.com.br

I ran this command:
sudo certbot --apache -n --expand --redirect -d cnoconsultoria.lmsestudio.com.br

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cnoconsultoria.lmsestudio.com.br
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/lms_8b48e136dcd8-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/lms_8b48e136dcd8-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/lms_8b48e136dcd8-le-ssl.conf
Redirecting vhost in /etc/apache2/sites-enabled/lms_8b48e136dcd8.conf to ssl vhost in /etc/apache2/sites-available/lms_8b48e136dcd8-le-ssl.conf

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled
https://cnoconsultoria.lmsestudio.com.br

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=cnoconsultoria.lmsestudio.com.br
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/cnoconsultoria.lmsestudio.com.br/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/cnoconsultoria.lmsestudio.com.br/privkey.pem
   Your cert will expire on 2019-05-28. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-04-18T14:53:04

The operating system my web server runs on is (include version):
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.3 LTS
Release: 16.04
Codename: xenial

My hosting provider, if applicable, is:
We use Digital Ocean, but I am not sure if that is what you are asking

I can login to a root shell on my machine (yes or no, or I don’t know):
No

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.26.1

Sometimes we can access the site correctly without trouble, but sometimes the certificate is not trusted and the common name changes.
Please help us!

PS. We have a lot of subdomains like the one used here working without trouble.


#2

Hi @metiene

checking your site there is a wrong certificate ( https://check-your-website.server-daten.de/?q=cnoconsultoria.lmsestudio.com.br ):

Domainname | Http-Status | redirect | Sec. | G
http://cnoconsultoria.lmsestudio.com.br/ (174.138.41.143) | 301 | https://cnoconsultoria.lmsestudio.com.br/ | 0.213 | A
https://cnoconsultoria.lmsestudio.com.br/ (174.138.41.143) | 200 | | 7.130 | N (Certificate error: RemoteCertificateNameMismatch)

The certificate:

CN=eagle.ead.lmsestudio.com.br | 26.01.2019 | 26.04.2019 | expires in 58 days | ead.eaglesistemas.com.br, eagle.ead.lmsestudio.com.br - 2 entries

So the certificate you have created and the vHost aren’t used. Perhaps the standard vHost is used.

Is there another vHost definition with something like

<VirtualHost ...>
ServerName cnoconsultoria.lmsestudio.com.br
...
</Virtualhost>

Perhaps check your vHosts with

apachectl -t -D DUMP_VHOSTS

#3

Thanks for your answer!

I really have two vHosts for cnoconsultoria.lmsestudio.com.br

This I created

<VirtualHost *:80>
        ServerAdmin webmaster@localhost104.236.69.109
        ServerName cnoconsultoria.lmsestudio.com.br
        ServerAlias cnoconsultoria.lmsestudio.com.br
        DocumentRoot /mnt/lmsestudio-instance-vol002/lms_8b48e136dcd8/public
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =cnoconsultoria.lmsestudio.com.br
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:80>
        ServerName cnoconsultoria.lmsestudio.com.br
        DocumentRoot /mnt/lmsestudio-instance-vol002/lms_8b48e136dcd8/public/
</VirtualHost>

<Directory /mnt/lmsestudio-instance-vol002/lms_8b48e136dcd8/public/>
        Options Indexes FollowSymLinks
        AllowOverride All
        Require all granted
</Directory>

And this other one, created by certbot

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin webmaster@localhost104.236.69.109
        ServerName cnoconsultoria.lmsestudio.com.br
        ServerAlias cnoconsultoria.lmsestudio.com.br
        DocumentRoot /mnt/lmsestudio-instance-vol002/lms_8b48e136dcd8/public
        SSLCertificateFile /etc/letsencrypt/live/cnoconsultoria.lmsestudio.com.br/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cnoconsultoria.lmsestudio.com.br/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
</IfModule>

I have many other vHosts too, and they all work OK.

I also have a vHost in the same format for eagle.ead.lmsestudio.com.br.

I really don't understand the problem. Can you give me any clue to solve it?

Thanks in advance


#4

This vHost

is a duplicate, so remove it.

This definition in the vHost 80 and vHost 443

is duplicate, so remove the second row. A typical usage is

ServerName cnoconsultoria.lmsestudio.com.br 
ServerAlias www.cnoconsultoria.lmsestudio.com.br

But this isn’t the certificate problem.

Check the 443 vHost with these two domain names:

ead.eaglesistemas.com.br
eagle.ead.lmsestudio.com.br

This is used instead of your correct vHost. You can use https://check-your-website.server-daten.de/?q=cnoconsultoria.lmsestudio.com.br to recheck your domain. Browsers sometimes cache too much.
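
An added example, not written by any poster in this thread: a small parser for the `apachectl -t -D DUMP_VHOSTS` output suggested in #2. It reports which vHost Apache selects for a host name on a port and flags the duplicate definitions pointed out in #4. The sample dump is constructed; the `eagle-le-ssl.conf` path, the line numbers and the function names are assumptions.

```python
import re

# Constructed sample of `apachectl -t -D DUMP_VHOSTS` output; eagle-le-ssl.conf and line numbers are made up.
SAMPLE = """\
*:80                   is a NameVirtualHost
         default server cnoconsultoria.lmsestudio.com.br (/etc/apache2/sites-enabled/lms_8b48e136dcd8.conf:1)
         port 80 namevhost cnoconsultoria.lmsestudio.com.br (/etc/apache2/sites-enabled/lms_8b48e136dcd8.conf:1)
                 alias cnoconsultoria.lmsestudio.com.br
         port 80 namevhost cnoconsultoria.lmsestudio.com.br (/etc/apache2/sites-enabled/lms_8b48e136dcd8.conf:11)
*:443                  is a NameVirtualHost
         default server eagle.ead.lmsestudio.com.br (/etc/apache2/sites-enabled/eagle-le-ssl.conf:2)
         port 443 namevhost eagle.ead.lmsestudio.com.br (/etc/apache2/sites-enabled/eagle-le-ssl.conf:2)
                 alias ead.eaglesistemas.com.br
         port 443 namevhost cnoconsultoria.lmsestudio.com.br (/etc/apache2/sites-enabled/lms_8b48e136dcd8-le-ssl.conf:2)
                 alias cnoconsultoria.lmsestudio.com.br
"""
VHOST = re.compile(r"port (\d+) namevhost (\S+) \((.+):(\d+)\)")

def parse(dump):
    """Return {port: [vhost, ...]} in the order Apache lists (and matches) them."""
    ports, current = {}, None
    for line in map(str.strip, dump.splitlines()):
        if m := VHOST.match(line):
            current = {"name": m[2], "where": f"{m[3]}:{m[4]}", "aliases": []}
            ports.setdefault(int(m[1]), []).append(current)
        elif line.startswith("alias ") and current:
            current["aliases"].append(line.split()[1])
    return ports

def select(ports, port, host):
    """First vhost naming host, else the default (first listed). Assumes exact names, no wildcards."""
    vhosts = ports.get(port, [])
    for v in vhosts:
        if host.lower() in (n.lower() for n in [v["name"], *v["aliases"]]):
            return v["where"], True
    return (vhosts[0]["where"] if vhosts else None), False

def findings(ports):
    """Flag a ServerAlias that repeats ServerName, and names claimed by two vhosts."""
    out = []
    for port, vhosts in sorted(ports.items()):
        seen = {}
        for v in vhosts:
            if v["name"] in v["aliases"]:
                out.append(f"{v['where']}: ServerAlias repeats ServerName")
            for n in {v["name"], *v["aliases"]}:
                if n in seen:
                    out.append(f"port {port}: {n} at {v['where']} is shadowed by {seen[n]}")
                seen.setdefault(n, v["where"])
    return out
```

A `False` second value from `select` means the name matched no vHost on that port and fell through to the default one, so the client receives that vHost's certificate.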

