One site gets a cert error a few times a week while other sites are fine on the same server


#1

Please fill out the fields below so we can help you better.

My domain is: thebusinessofrisk.com

I ran this command:

It produced this output:

My operating system is (include version): centos 7

My web server is (include version): Apache

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#2

Hi @millimansearch,

What error do you see? Do you mean an issuance error trying to obtain a new certificate, or a browser error seen by users who are trying to connect to the site?


#3

Hi Schoen,

Below is the error we encounter, and when I click on “Advance” I see “site main site”. Each time the error occurred, I restarted httpd and it resolved the issue. It happened on all browsers.

[/uploads/default/original/2X/2/282dffe23e518476493e619c2ff6955be828b161.jpg]

Thanks,
–Stephanie


#4

Your uploaded image is visible at https://community.letsencrypt.org/uploads/default/original/2X/2/282dffe23e518476493e619c2ff6955be828b161.jpg

Do you think that when you get this error you could have someone click on ADVANCED in order to get some more details of why the error is happening? Unfortunately Chrome has taken to hiding more and more technical details from users.

I do see the NET:ERR_CERT_AUTHORITY_INVALID but it would be great to know more. Right now, I can’t see a reason why this error should be happening.


#5

Hi Seth,

When I click on ADVANCED, it shows a white page with the text: site main site

Thanks,
–Stephanie


#6

Hi Stephanie

I am not getting any issues with your site.

Andrei


#7

Hi Andrew,

Because I restarted httpd and it worked again. We will have the issue again, and this has been going on for months. When I reported it last night, I waited for a response for an hour and I couldn’t leave the site down too long. Each time I got the cert error reported, the site had already been down for a while.

It is our live site and I can’t leave it down long enough for you to see the issue, because each time the cert error happens I have to restart the http service.

–Stephanie


#8

Hi Stephanie

If this is the case then you need to work to figure out the root cause of the certificate issues.

You have given us a high level overview but not the details.

For example - what do the logs say when these websites crash?

It’s possible it’s bad coding or many other things but without the relevant details it’s hard to troubleshoot. There is no one size fits all for web server issues so isolating the root cause is the first step.

Andrei


#9

Hi Seth,

Our site thebusinessofrisk.com has the Cert error again :frowning:

[/uploads/default/original/2X/d/db0b72427e0c32df46b197adf6deebba43a66e4c.jpg]

[/uploads/default/original/2X/0/081a64fbda48ab67e005077164559180e601ca63.jpg]

[/uploads/default/original/2X/4/4cf83f23a697c294f3e63d97e66aac0f83305dab.png]


#10

Hi Andrei,

We have the staging site and it’s all working without the cert.
We got the error again and I just renewed the cert a few minutes ago.

I clicked on the cert error in IE and got the details below. Would you mind giving me any advice on what I should do, or any steps that I should take, when we get the cert error?

[/uploads/default/original/2X/5/5ded8e64641aba0ee0ed8b8a644cf661f1c1d9a3.png]

[/uploads/default/original/2X/2/25189e1c2421ac9328efc3cbdee118885a06941d.png]

Thanks,
–Stephanie


#11

Currently, the site is working fine (again). I can’t see any issues with the certificate chain which could lead to the aforementioned errors.

Did you take any action between your post and now?

Also, if you’re having renewal problems, which commands are being run at that moment and what is the complete output of that command?


#12

The error in IE is showing a different cert than your Let’s Encrypt cert (a self-signed cert involving “root@mill-wpb” and then we can’t see the rest of it). Do you know anything about this self-signed cert or whether it might be mentioned somewhere in your Apache configuration? Could you possibly post your Apache configuration here so we could make sure it has no references to other certs that could cause this problem?

By contrast, you and everyone here normally do see the Let’s Encrypt cert when visiting your site, suggesting that it’s normally presented correctly to visitors.

The other thing that comes to mind is that the IE browser might be using some kind of firewall or antivirus that generates its own self-signed certs in place of the sites’ certs—do you know whether that’s possible at all?


#13

If you do see the self-signed cert again, could you save a copy of it in a file from IE? (But the Apache configuration is probably more relevant information to have.)


#14

Hi Seth,

I will do that next time I encounter the issue.
My question is, we have 7 sites on the same server but only one site is having the problem of showing the localhost cert error.
Should I comment out the two lines that are highlighted in the snapshot below in the ssl.conf?

[/uploads/default/original/2X/1/1b666257610492a89338dde831f94409ca48460a.png]

Thanks,
–Stephanie


#15

Those do seem like they could be a reference to the self-signed cert. It’s still a mystery why you sometimes get that cert instead of the correct one. You can certainly try removing the default HTTPS configuration in ssl.conf (or, if you like, instead pointing it at one of your Let’s Encrypt certificates). It would also be interesting to look over this ssl.conf file and the other files to see if there are any asymmetries between the various virtual hosts and whether there are any conditions that appear to make the default ssl.conf used for some kinds of connections but not others.
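
As an added example that is not part of the original thread, one way to look for the asymmetries mentioned above is to list, per `<VirtualHost>` block, the names it serves and the certificate file it points at, flagging any block whose certificate is not under certbot's live directory. The function name `audit_vhosts`, the `example.com` sample and the paths `/etc/pki/tls/certs/localhost.crt` and `/etc/letsencrypt/live/` are assumptions based on common CentOS and certbot defaults, not values taken from the poster's server.

```python
import re
import sys

# Constructed sample, not the poster's files: a stock-style default SSL vhost
# with a localhost certificate, plus one certbot-managed vhost.
SAMPLE_CONF = """\
<VirtualHost _default_:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
</VirtualHost>
"""

LE_PREFIX = "/etc/letsencrypt/live/"  # assumed certbot default location

def audit_vhosts(conf_text):
    """Return one dict per <VirtualHost> block; flag non-Let's Encrypt certs."""
    results, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            current = {"address": opened.group(1).strip(), "names": [], "cert": None}
        elif current is None:
            continue  # directive outside any vhost block
        elif line.lower().startswith("</virtualhost"):
            cert = current["cert"]
            current["flagged"] = bool(cert) and not cert.startswith(LE_PREFIX)
            results.append(current)
            current = None
        else:
            parts = line.split()
            if parts[0].lower() in ("servername", "serveralias"):
                current["names"].extend(parts[1:])
            elif parts[0].lower() == "sslcertificatefile" and len(parts) > 1:
                current["cert"] = parts[1].strip('"')
    return results

if __name__ == "__main__":
    # Pass config file paths as arguments; with none, the sample is audited.
    text = "\n".join(open(p).read() for p in sys.argv[1:]) or SAMPLE_CONF
    for v in audit_vhosts(text):
        mark = "CHECK" if v["flagged"] else "ok"
        print(mark, v["address"], v["names"] or "(no ServerName)", v["cert"])
```

Run it with the paths of `ssl.conf` and the per-site `.conf` files as arguments; it does not follow `Include` directives. `httpd -S` shows which virtual host Apache treats as the default for each address.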


#16

Seth,

Do you mind taking a look over all the .conf files we have? Is there a direct email where I can send you the files? I don’t want to post all our .conf files on the message board.

Thanks,
–Stephanie


#17

You could e-mail me at my forum username at eff.org.


#18

Hi Seth,

Our site is down again at the moment: thebusinessofrisk.com
I checked the cert at https://www.ssllabs.com/ssltest/analyze.html?d=thebusinessofrisk.com
and it stated that the cert is not trusted, and mismatch…

[/uploads/default/original/2X/1/14182937eb0461c292891922fa810f1921298ea1.jpg]

[/uploads/default/original/2X/a/a2b6d72e758581aff92876194bc978983d511389.jpg]


#19

I’m not sure what happened, but it looks like you got it working properly again!

