Please don't tell me it's over (Can't seem to be able to certificate my website in any way)

My domain is: www.elviservizi.it

I ran this command: nano 000-default-le-ssl.conf
It produced this output:

```
<IfModule mod_ssl.c>
<VirtualHost *:443>

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

ServerName www.elviservizi.it
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/elviservizi.it/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/elviservizi.it/privkey.pem
</VirtualHost>
</IfModule>
```

My web server is (include version): Server version: Apache/2.4.41 (Ubuntu); Server built: 2023-01-23T18:36:09

The operating system my web server runs on is (include version): Ubuntu 20.04 (LTS) x64

My hosting provider, if applicable, is: https://cloud.digitalocean.com/

I can login to a root shell on my machine: YES

I'm using a control panel to manage my site: NO, but I have access with FileZilla (don't think this info is useful, but if it helps it's here).

The version of my client is: certbot 2.4.0

So the certification never worked for me. I've tried multiple times starting a new droplet and re-uploading everything but with no results. I built this website, did the domain migration, set up DigitalOcean for a very small company here in Italy but can't seem to make SSL work.
I'm pretty sure I screwed something up while trying to install the certificate again (I was a bit tilted after 3 hours of searching for a solution and installed again without uninstalling first) but it didn't let me because of this red output when trying to sudo certbot certonly:

```
Encountered error while loading certificate or csr: [('PEM routines', '', 'no start line')]
An unexpected error occurred:
OpenSSL.crypto.Error: [('PEM routines', '', 'no start line')]
```

Now I have to say that I might have compromised the file called cert.pem, as I tried putting another certificate inside (thinking this file wasn't even used because the file 000-default-le-ssl.conf had no reference to it) and I was playing around with it. Anyway, I hope I gave a general view of the situation.
I can't seem to make anything work and tbh if I keep trying stuff I'm pretty sure I'm going to f something up. I'm very open to suggestions as this has a finish date that I have to follow.

Thanks in advance, let me know if you need other information, or better, if you know any solution, please.

1 Like

Welcome to the community @youdrippinseb

First, you made some progress because I see you have a cert but that it only has your apex domain elviservizi.it in it. You need to get a cert with that and your www subdomain in it too. See a site like this SSL Checker (link here) to see the cert being used by your server.

And, you earlier got a wildcard cert which has not yet expired (link here) which would have covered both names.

But, right now it sounds like you have, well, a mess. Let's start with you showing us the output of this

sudo apachectl -t -D DUMP_VHOSTS

and this

sudo certbot certificates
4 Likes

Thank you for responding so fast Mike I appreciate,
so here's the output of what you told me.

sudo apachectl -t -D DUMP_VHOSTS

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  www.elviservizi.it (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
```

Second one looks scary and red..

sudo certbot certificates

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/elviservizi.it/cert.pem has failed.                 Details: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?
Traceback (most recent call last):
  File "/snap/certbot/2836/lib/python3.8/site-packages/certbot/crypto_util.py", line 305, in verify_renewable_cert_sig
    cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend())
  File "/snap/certbot/2836/lib/python3.8/site-packages/cryptography/x509/base.py", line 551, in load_pem_x509_certificate
    return rust_x509.load_pem_x509_certificate(data)
ValueError: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?
Renewal configuration file /etc/letsencrypt/renewal/elviservizi.it.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/elviservizi.it/cert.pem has failed.                 Details: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/elviservizi.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

The apachectl output is scary too :slight_smile:

Let's do one step at a time. Please show contents of default.conf and use 3 backticks before and after output so we don't lose apache settings. Like this

```
contents of: /etc/apache2/sites-enabled/000-default.conf
```

3 Likes

Please also show the output of:

ls -l /etc/letsencrypt/live/elviservizi.it/

and

ls -l /etc/letsencrypt/archive/elviservizi.it/
3 Likes

I'm thinking once Apache is fixed we can wipe the /etc/letsencrypt and start over. It doesn't have a valid domain name set anyway. But, if you want to try to repair that go for it :slight_smile:

3 Likes

Hi Osiris, here's what you asked me

```
ls -l /etc/letsencrypt/live/elviservizi.it/
-rw-r--r-- 1 root root 692 Mar  6 09:36 README
lrwxrwxrwx 1 root root  38 Mar  6 13:39 cert.pem -> ../../archive/elviservizi.it/cert2.pem
lrwxrwxrwx 1 root root  39 Mar  6 13:39 chain.pem -> ../../archive/elviservizi.it/chain2.pem
lrwxrwxrwx 1 root root  43 Mar  6 13:39 fullchain.pem -> ../../archive/elviservizi.it/fullchain2.pem
lrwxrwxrwx 1 root root  41 Mar  6 13:39 privkey.pem -> ../../archive/elviservizi.it/privkey2.pem
```

```
ls -l /etc/letsencrypt/live/elviservizi.it/
total 40
-rw-r--r-- 1 root root 1566 Mar  6 09:36 cert1.pem
-rw-r--r-- 1 root root 1704 Mar  9 09:54 cert2.pem
-rw-r--r-- 1 root root 3749 Mar  6 09:36 chain1.pem
-rw-r--r-- 1 root root 3749 Mar  6 13:39 chain2.pem
-rw-r--r-- 1 root root 5315 Mar  6 09:36 fullchain1.pem
-rw-r--r-- 1 root root 5315 Mar  6 13:39 fullchain2.pem
-rw------- 1 root root  241 Mar  6 09:36 privkey1.pem
-rw------- 1 root root  241 Mar  6 13:39 privkey2.pem
```

Thank you.

1 Like

CONTENTS FROM /etc/apache2/sites-enabled/000-default.conf

(I'm pretty sure I got the format wrong but don't know another way)

```
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =elviservizi.it
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

That's the correct format - thanks.

But, the Certbot Apache plug-in needs a valid HTTP VirtualHost for the domain names but that is not correct.

You need to add these to that conf file

ServerName elviservizi.it
ServerAlias www.elviservizi.it

and add this near the bottom next to your existing rewritecond

RewriteCond %{SERVER_NAME} =www.elviservizi.it

Then, show again the output of

apachectl -t -D DUMP_VHOSTS
4 Likes

Ok good I got the format right, hope I will not be stressing you guys much more.
Until then here's the output:

CONTENT OF apachectl -t -D DUMP_VHOSTS

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  www.elviservizi.it (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   elviservizi.it (/etc/apache2/sites-enabled/000-default.conf:1)
```

Thank you

Hmm. Did you add both the ServerName and ServerAlias lines? Because usually both names appear in the -D output.

Ignoring that for a moment. You need to make a similar change in the 000-default-le-ssl.conf file. Make sure you have both domain names in it. One as ServerName and the other as ServerAlias (same sequence as in your http VirtualHost is cleaner)

Also, you are missing an A record in your DNS for elviservizi.it. You should create one with the same value as your www domain. I'm not sure how you got the Let's Encrypt cert with just that name in it without the A record but we'll ignore that for now too. Perhaps you used the DNS Challenge? In any case, you will want an A record so people can use either domain name.

Lastly, please show the contents of both your VirtualHost files when you are done with these changes.

Using backticks like this:
```
contents of: /etc/apache2/sites-enabled/000-default-le-ssl.conf
```

and:
```
contents of: /etc/apache2/sites-enabled/000-default.conf
```

4 Likes

Goodmorning, thanks for still helping.
So here's the:

contents of: /etc/apache2/sites-enabled/000-default.conf

```
<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ServerName elviservizi.it
        ServerAlias www.elviservizi.it

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =elviservizi.it
RewriteCond %{SERVER_NAME} =www.elviservizi.it
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
```

And ssl one
contents of: /etc/apache2/sites-enabled/000-default-le-ssl.conf

```
<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName elviservizi.it
        ServerAlias www.elviservizi.it


        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

ReWriteCond %{SERVER_NAME} =www.elviservizi.it
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/elviservizi.it/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/elviservizi.it/privkey.pem
</VirtualHost>
</IfModule>
```

I get the same message if I try apachectl -t -D DUMP_VHOSTS:

```
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443                  elviservizi.it (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80                   elviservizi.it (/etc/apache2/sites-enabled/000-default.conf:1)
```

Let me know if I have to provide any other info, right now I'm

THIS IS MY DNS SETTINGS

```
//A
//HostName	IPAddress
A		XXX.90.XXX.XXX
A	www	XXX.90.XXX.XXX

//AAAA
//HostName	IPV6Address

//TXT
//Value	HostName

//MX

//CNAME
//HostName	AliasName
CNAME	32890289	sendgrid.net.
CNAME	url2632	sendgrid.net.
CNAME	s2._domainkey.www	s2.domainkey.u32890289.wl040.sendgrid.net.
CNAME	s1._domainkey.www	s1.domainkey.u32890289.wl040.sendgrid.net.
CNAME	em706.www	u32890289.wl040.sendgrid.net.

//NS
//NameServer	IPAddress

//SRV
//Service	Protocol	Priority	Weight	Port	Target
```

Ok so I made some progress playing around with DNS. I managed to make elviservizi.it SSL secure but I still need to SSL the sub www.elviservizi.it, which still says not safe.

Yes, you did. Terrific. Now that Apache is better we can fix your cert. I also see something wrong with your Apache HTTP to HTTPS redirects but we'll fix those later.

You have a cert but as you know now it only has one domain name in it. We need to get a cert with both domain names in it (see my post #2)

So, let's start with showing us this (again)

sudo certbot certificates
4 Likes
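As an added example (not code from the thread, from certbot or from Apache), here is a small Python linter for the two Apache points raised in Mike's posts above: every name the certificate must cover has to be declared as ServerName or ServerAlias inside the VirtualHost, and the HTTP-to-HTTPS redirect he flags as wrong. The second check relies on mod_rewrite semantics: consecutive RewriteCond lines are ANDed unless the earlier one carries the [OR] flag, so two conditions requiring %{SERVER_NAME} to equal two different hostnames can never both hold and the RewriteRule never fires. The sample VirtualHost texts below are constructed from the files posted in this thread (comments stripped); the function names and the [OR] fix are the example's own.

```python
"""Lint Apache VirtualHost blocks for (1) names missing from ServerName/ServerAlias
and (2) HTTP->HTTPS redirects whose ANDed RewriteCond lines can never all match.

Added example, not certbot's or Apache's code. Only the directives needed for
the two checks are parsed.
"""
import re

DIRECTIVE = re.compile(r"^(\w+)\s+(.*?)\s*$")
COND = re.compile(r"^(\S+)\s+(\S+)")          # TestString  CondPattern


def parse_vhosts(conf_text):
    """Return one dict per <VirtualHost> with its names and rewrite directives."""
    vhosts, current = [], None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = {"addr": m.group(1), "names": [], "conds": [], "rules": []}
            vhosts.append(current)
            continue
        if line.lower() == "</virtualhost>":
            current = None
            continue
        d = DIRECTIVE.match(line)
        if current is None or not d:
            continue
        name, args = d.group(1).lower(), d.group(2)
        if name == "servername":
            current["names"].append(args.lower())
        elif name == "serveralias":
            current["names"].extend(a.lower() for a in args.split())
        elif name == "rewritecond":
            # Trailing [..] holds the flags; [OR] joins this cond with the next one.
            flags = re.search(r"\[([^\]]*)\]\s*$", args)
            joined_or = bool(flags and "OR" in flags.group(1).upper().split(","))
            current["conds"].append({"expr": args, "or": joined_or})
        elif name == "rewriterule":
            current["rules"].append(args)
    return vhosts


def missing_names(vhost, required):
    """Names the certificate will cover that this VirtualHost does not answer to."""
    return [n for n in required if n.lower() not in vhost["names"]]


def and_groups(conds):
    """Split RewriteCond lines into the groups Apache ANDs together
    (conds chained with [OR] form one group)."""
    groups, cur = [], []
    for c in conds:
        cur.append(c)
        if not c["or"]:
            groups.append(cur)
            cur = []
    if cur:
        groups.append(cur)
    return groups


def unreachable_redirect(vhost):
    """True when two ANDed single conds demand the same variable equal two
    different literals (e.g. =elviservizi.it and =www.elviservizi.it)."""
    literal_tests = {}
    for group in and_groups(vhost["conds"]):
        if len(group) != 1:
            continue
        m = COND.match(group[0]["expr"])
        if not m or not m.group(2).startswith("="):
            continue
        var, lit = m.group(1), m.group(2)[1:]
        if var in literal_tests and literal_tests[var] != lit:
            return True
        literal_tests[var] = lit
    return False


def lint(conf_text, required):
    """Return human-readable findings for every VirtualHost in conf_text."""
    findings = []
    for vh in parse_vhosts(conf_text):
        for n in missing_names(vh, required):
            findings.append("%s: %s is not a ServerName/ServerAlias" % (vh["addr"], n))
        if vh["rules"] and unreachable_redirect(vh):
            findings.append("%s: RewriteCond lines are ANDed, so the redirect never fires; add [OR] to all but the last" % vh["addr"])
    return findings


# Constructed from the thread's 000-default.conf after ServerAlias was added.
HTTP_VHOST_AS_POSTED = """
<VirtualHost *:80>
        ServerName elviservizi.it
        ServerAlias www.elviservizi.it
        DocumentRoot /var/www/html
RewriteEngine on
RewriteCond %{SERVER_NAME} =elviservizi.it
RewriteCond %{SERVER_NAME} =www.elviservizi.it
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
"""
# Same vhost with the [OR] flag on the first condition (the example's fix).
HTTP_VHOST_FIXED = HTTP_VHOST_AS_POSTED.replace("=elviservizi.it\n", "=elviservizi.it [OR]\n")
# Constructed from the HTTPS vhost as first posted: only the www name declared.
SSL_VHOST_AS_POSTED = """
<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.elviservizi.it
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
"""
REQUIRED = ["elviservizi.it", "www.elviservizi.it"]

if __name__ == "__main__":
    for label, text in [("http", HTTP_VHOST_AS_POSTED), ("http-fixed", HTTP_VHOST_FIXED), ("ssl", SSL_VHOST_AS_POSTED)]:
        print(label, lint(text, REQUIRED) or ["ok"])
```

Run it against your own files with a few lines of glue (read the file, call `lint`), or just edit the constants. The ServerName/ServerAlias check is what the certbot Apache plug-in needs satisfied for every name it will request; the [OR] check explains why a redirect with two hostname conditions quietly does nothing.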

Alright, so here comes the problem with me touching cert.pem, as when I run sudo certbot certificates this is what comes up:

```
Saving debug log to /var/log/letsencrypt/letsencrypt.log
verifying the signature of the certificate located at /etc/letsencrypt/live/elviservizi.it/cert.pem has failed.                 Details: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?
Traceback (most recent call last):
  File "/snap/certbot/2836/lib/python3.8/site-packages/certbot/crypto_util.py", line 305, in verify_renewable_cert_sig
    cert = x509.load_pem_x509_certificate(cert_file.read(), default_backend())
  File "/snap/certbot/2836/lib/python3.8/site-packages/cryptography/x509/base.py", line 551, in load_pem_x509_certificate
    return rust_x509.load_pem_x509_certificate(data)
ValueError: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?
Renewal configuration file /etc/letsencrypt/renewal/elviservizi.it.conf produced an unexpected error: verifying the signature of the certificate located at /etc/letsencrypt/live/elviservizi.it/cert.pem has failed.                 Details: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate?. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/elviservizi.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
```

Just wanted to make sure that was still a problem.

We can try to repair but if it gets difficult we might do the unusual step to manually delete the folders and start fresh. Can you show the contents of this file (it's safe to do this as this is a public cert). The privkey.pem should never be shown to others just so you know.

/etc/letsencrypt/live/elviservizi.it/cert.pem

Update:
I can see Apache is using the cert2.pem file so maybe it will be easy to repair it to avoid the Certbot error.

4 Likes

It's a private key, and it doesn't let me post it here. It says -----BEGIN PRIVATE KEY----- at the start and -----END PRIVATE KEY----- at the finish.

Did you put the private key in the cert.pem file?

If you look at cert.pem, does it have two sections with ----BEGIN ... in it?

If so, just remove the part for the private key. That should not be in there.

4 Likes
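As an added example (not certbot's code and not from the thread), the following Python script does the check Mike describes in the post above: open the file that is supposed to be cert.pem, list which PEM sections it contains, report whether it holds a private key that should not be there, and produce a copy with only the public certificate blocks kept. It uses only the standard library, so it validates delimiters and base64 bodies rather than signatures; a file with PEM-looking content but no CERTIFICATE block is exactly the "Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters" case certbot printed earlier. The sample inputs are constructed (a five-byte DER stub standing in for real certificate and key bytes); the function names are the example's own.

```python
"""Inspect a PEM file before trusting it as cert.pem.

Added example, not certbot's code. Standard library only: checks the
BEGIN/END delimiters and base64 bodies, not signatures. Sample inputs below
are constructed stubs, not real certificate or key material.
"""
import base64
import binascii
import re
import sys

# Label on END must equal the label on BEGIN; a mismatch is not a PEM block.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def pem_blocks(text):
    """Return (label, der_bytes) for every well-formed PEM block in text.

    Blocks with mismatched delimiters or a body that is not valid base64
    are skipped; that is what OpenSSL's "no start line" error refers to.
    """
    out = []
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group("body").split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            continue
        out.append((m.group("label"), der))
    return out


def inspect_cert_file(text):
    """Diagnose a file meant to be cert.pem (public certificate only)."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    # Every X.509 certificate is a DER SEQUENCE, whose first byte is 0x30.
    certs = [der for label, der in blocks if label == "CERTIFICATE" and der[:1] == b"\x30"]
    has_key = any("PRIVATE KEY" in label for label in labels)
    return {
        "labels": labels,
        "certificate_count": len(certs),
        "contains_private_key": has_key,
        "usable_as_cert_pem": len(certs) >= 1 and not has_key,
    }


def pem_encode(label, der):
    """Re-emit DER bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)


def strip_private_keys(text):
    """Return the PEM text with every PRIVATE KEY block removed."""
    return "".join(pem_encode(label, der) for label, der in pem_blocks(text)
                   if "PRIVATE KEY" not in label)


# Constructed DER stub: SEQUENCE { INTEGER 1 }. Stands in for real cert/key bytes.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT_ONLY = pem_encode("CERTIFICATE", FAKE_DER)
SAMPLE_KEY_ONLY = pem_encode("PRIVATE KEY", FAKE_DER)      # the thread's cert.pem situation
SAMPLE_MIXED = SAMPLE_CERT_ONLY + SAMPLE_KEY_ONLY           # cert with a key pasted after it
SAMPLE_GARBAGE = "this is not PEM at all"

if __name__ == "__main__":
    # Usage: python pem_inspect.py /path/to/cert.pem  (never paste the output of privkey.pem anywhere)
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path).read() if path else SAMPLE_MIXED
    print(inspect_cert_file(data))
```

The "labels" list is the fastest way to see what someone pasted into the file: a cert.pem should show only CERTIFICATE. If the report says contains_private_key is true, write the output of `strip_private_keys` back over cert.pem (after backing it up) and run `certbot certificates` again; if certificate_count is zero, nothing in the file is a certificate and the cert has to be re-issued, as later posts in the thread conclude.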

Never ever share or post a PRIVATE KEY.

3 Likes

No, it doesn't have any section with ---begin--. I probably swapped the content of this file already. I have to recreate this, I'm pretty sure.