Hi, I have faced a problem. I have successfully issued a certificate from LetsEncrypt.
I issued my certificate using certbot --apache -d mydomain.net
It worked great until I rebooted the server.
After that I got weird behavior from my server. After visiting the page, the browser showed an error.
NET::ERR_CERT_AUTHORITY_INVALID
And if I accept the untrusted certificate, it shows me the default httpd page “Test 1,2,3”, but it should show the virtual host site.
And the browser really shows that the certificate is self-signed.
I started to explore the log files and found only these messages (/var/log/httpd/error_log):
[Mon Apr 10 13:59:58.816952 2017] [core:notice] [pid 5750] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 10 14:27:07.705574 2017] [mpm_prefork:notice] [pid 5750] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Apr 10 14:27:38.818878 2017] [suexec:notice] [pid 525] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 10 14:27:38.824084 2017] [ssl:warn] [pid 525] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using mydomain.net. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 10 14:27:38.887075 2017] [auth_digest:notice] [pid 525] AH01757: generating secret for digest authentication ...
[Mon Apr 10 14:27:38.887773 2017] [lbmethod_heartbeat:notice] [pid 525] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 10 14:27:38.888874 2017] [ssl:warn] [pid 525] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Apr 10 14:27:39.487227 2017] [mpm_prefork:notice] [pid 525] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Mon Apr 10 14:27:39.487275 2017] [core:notice] [pid 525] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
At first, I thought that the problem could be in the mod_security module, but I have now disabled it and I get the same weird behavior.
But the more interesting fact is that if I restart the httpd server using the systemctl restart httpd
command, everything starts to work as expected: the certificate is valid and the correct page is displayed.
There are some more interesting cases of this weird behavior.
When I try to change the /etc/hosts file, for example
x.x.x.x mydomain.net
I get the same behavior with the certificate, and restarting httpd doesn’t help.
But more error messages are logged.
[Mon Apr 10 01:45:43.010329 2017] [ssl:error] [pid 2288] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Mon Apr 10 01:45:43.010340 2017] [ssl:error] [pid 2288] AH02235: Unable to configure server certificate for stapling
[Mon Apr 10 01:45:43.184655 2017] [ssl:error] [pid 2288] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
The same happens when I try to change the ServerName property in the httpd.conf file.
I have spent several days trying to solve the problem, but still no luck.
I would be grateful for any help regarding this issue or advice on what else to try.
Thanks
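
An added example, not part of the original post: a small triage script that parses error_log lines like the ones quoted above and groups the TLS-related AH codes by httpd start, so a start that logged stapling errors can be told apart from one that only logged the ServerName notice. The function names, the choice of codes and the rule that one pid marks one start are assumptions of this example.

```python
import re
from collections import defaultdict

# Log lines taken from the post (two httpd starts: pid 525 and pid 2288).
SAMPLE_LOG = """\
[Mon Apr 10 14:27:38.824084 2017] [ssl:warn] [pid 525] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using mydomain.net. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 10 01:45:43.010329 2017] [ssl:error] [pid 2288] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Mon Apr 10 01:45:43.010340 2017] [ssl:error] [pid 2288] AH02235: Unable to configure server certificate for stapling
"""

LINE_RE = re.compile(
    r"^(?:\[(?P<ts>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] \[pid (?P<pid>\d+)\] )?"
    r"(?P<code>AH\d{5}): (?P<msg>.*)$"
)

# Codes from this page tied to vhost/certificate setup; text paraphrases the log messages.
TLS_RELEVANT = {
    "AH00558": "no global ServerName; httpd guessed the host name",
    "AH02217": "OCSP stapling init: issuer certificate not found",
    "AH02235": "OCSP stapling not configured for this certificate",
}

def parse(log_text):
    """Yield one dict per line carrying an AH code; unprefixed lines (AH00558 here) get pid None."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["pid"] = int(d["pid"]) if d["pid"] else None
            yield d

def triage(log_text):
    """Group TLS-relevant codes by pid (assumption: one pid per httpd start)."""
    findings = defaultdict(list)
    last_pid = None
    for rec in parse(log_text):
        # Attribute an unprefixed line to the start it appears within.
        pid = rec["pid"] if rec["pid"] is not None else last_pid
        last_pid = pid
        if rec["code"] in TLS_RELEVANT:
            findings[pid].append((rec["code"], rec["level"] or "n/a"))
    return dict(findings)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
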