Question about correct way to obtain certificate using certonly


#1

Hi friends,
I’ve just added a new website and requested its certificates, but I’ve run into some problems; here is my situation.

On a Debian jessie VPS, certbot 0.8.1-2~bpo8+1, with the configuration files below:

clin.ini

# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096
  
# Set email and domains.
email = admin@sio4.org
# domains = example.com, www.example.com
  
# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True
  
# Use the webroot authenticator.
authenticator = webroot
webroot-path = /var/www/letsencrypt

/etc/apache2/sites-available/letsencrypt.conf

Alias /.well-known/acme-challenge/ /var/www/letsencrypt/.well-known/acme-challenge/
<Directory "/var/www/letsencrypt/.well-known/acme-challenge/">
Options None
AllowOverride None
ForceType text/plain
# avoid access to anything not resembling a challenge
# (the character class must contain a real hyphen: ACME tokens are base64url, i.e. [A-Za-z0-9_-])
RedirectMatch 404 "^(?!/\.well-known/acme-challenge/[\w-]{43}$)"
</Directory>

/etc/apache2/sites-enabled/vini-bulgarini.com.conf

<VirtualHost *:80>

        ServerName vini-bulgarini.com
        ServerAlias www.vini-bulgarini.com

        ServerAdmin admin@sio4.org
        DocumentRoot /var/www/vini-bulgarini.com/public_html

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

/etc/apache2/sites-enabled/vini-bulgarini.com-ssl.conf

<IfModule mod_ssl.c>
        <VirtualHost *:443>
                ServerAdmin admin@sio4.org
                DocumentRoot /var/www/vini-bulgarini.com/public_html/

                ErrorLog ${APACHE_LOG_DIR}/error.log
                CustomLog ${APACHE_LOG_DIR}/access.log combined

                SSLEngine on

                SSLCertificateFile /etc/letsencrypt/live/www.vini-bulgarini.com/cert.pem
                SSLCertificateKeyFile /etc/letsencrypt/live/www.vini-bulgarini.com/privkey.pem
                SSLCertificateChainFile /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem

                <FilesMatch "\.(cgi|shtml|phtml|php)$">
                                SSLOptions +StdEnvVars
                </FilesMatch>
                <Directory /usr/lib/cgi-bin>
                                SSLOptions +StdEnvVars
                </Directory>

                BrowserMatch "MSIE [2-6]" \
                                nokeepalive ssl-unclean-shutdown \
                                downgrade-1.0 force-response-1.0

                BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        </VirtualHost>
</IfModule>

Running this command to obtain new certificates for a new website domain:

certbot certonly --webroot -w /var/www/letsencrypt -d www.vini-bulgarini.com -d vini-bulgarini.com

I obtain:

1) the first time, an error, and the certificates do not come:

Failed authorization procedure. www.vini-bulgarini.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.vini-bulgarini.com/.well-known/acme-challenge/WXsltSJg6JZy2Nv7zHF2i-3VMYsv_fIQa67Rx7fTfFc: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.vini-bulgarini.com
   Type:   unauthorized
   Detail: Invalid response from
   http://www.vini-bulgarini.com/.well-known/acme-challenge/WXsltSJg6JZy2Nv7zHF2i-3VMYsv_fIQa67Rx7fTfFc:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A record(s) for that domain
   contain(s) the right IP address.

2) running the same command some seconds later, I obtain all the certificates:

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem. Your
   cert will expire on 2017-01-04. To obtain a new or tweaked version
   of this certificate in the future, simply run certbot again. To
   non-interactively renew *all* of your certificates, run "certbot
   renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

Now, if I try to go to https://www.vini-bulgarini.com/ I obtain from Firefox:

www.vini-bulgarini.com uses an invalid security certificate. The certificate is only valid for the following names: cosmogonia.org, www.cosmogonia.org Error code: SSL_ERROR_BAD_CERT_DOMAIN

On fullchain1.pem:

X509v3 Subject Alternative Name:
DNS:vini-bulgarini.com, DNS:www.vini-bulgarini.com

NB: cosmogonia.org is another website hosted on the same server/VPS (server.sio4.org).

Many many thanks!


#2

/etc/apache2/sites-enabled/vini-bulgarini.com-ssl.conf is missing a ServerName and ServerAlias

Also, SSLCertificateChainFile “should” point to chain.pem or you can point SSLCertificateFile to fullchain.pem and delete SSLCertificateChainFile if your Apache is version 2.4.8 or newer.


#3

In this case I thought it was unnecessary (only) for the SSL configuration. I was wrong.

Ah, I’ve never read about this feature before!

Many thanks for all this information!

ciao!


#4

As you said, there’s another site hosted on the same server and without separate IP addresses for the sites/virtualhost, ServerName is necessary indeed.

And don’t forget to point SSLCertificateFile to fullchain.pem!!!
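An added example, not code from the thread, that checks Apache vhost files for the two problems the replies point out: an SSL vhost with no ServerName/ServerAlias (so SNI can never select it and the first *:443 vhost answers for the name), and SSLCertificateFile pointing at cert.pem while SSLCertificateChainFile points at fullchain.pem instead of chain.pem. The two sample configs are constructed from the vhost posted in the question; the function names are this example's own.

```python
import re
# Constructed samples based on the vhost posted in the question: the broken
# version has no ServerName and uses cert.pem + fullchain.pem as chain.
BROKEN_SSL_CONF = """
<VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.vini-bulgarini.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.vini-bulgarini.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem
</VirtualHost>
"""
# The same vhost after applying the replies' advice (Apache 2.4.8+ form).
FIXED_SSL_CONF = """
<VirtualHost *:443>
        ServerName vini-bulgarini.com
        ServerAlias www.vini-bulgarini.com
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/www.vini-bulgarini.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.vini-bulgarini.com/privkey.pem
</VirtualHost>
"""
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    """Map each directive (lower-cased) to the arguments of its first occurrence."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "<")):
            continue  # skip comments and nested section tags
        parts = line.split(None, 1)
        out.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return out

def lint_vhosts(conf):
    """Return (vhost address, problem) tuples for every SSL-enabled vhost."""
    problems = []
    for m in VHOST_RE.finditer(conf):
        addr, d = m.group(1), directives(m.group(2))
        if d.get("sslengine", "").lower() != "on":
            continue  # plain-HTTP vhosts are not checked here
        if "servername" not in d:
            # SNI can never select this vhost; the first *:443 vhost answers instead
            problems.append((addr, "missing ServerName/ServerAlias"))
        cert = d.get("sslcertificatefile", "")
        if cert and not cert.endswith("fullchain.pem"):
            problems.append((addr, "SSLCertificateFile should point at fullchain.pem"))
        if d.get("sslcertificatechainfile", "").endswith("fullchain.pem"):
            problems.append((addr, "SSLCertificateChainFile must be chain.pem or removed"))
    return problems
```

Run it over the contents of /etc/apache2/sites-enabled/*.conf to find every vhost that would fall back to another site's certificate.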


#5

Many thanks for making these tests, really very useful!
I think I’ve put everything right.
If possible, could you tell me which tools you used to perform these checks?

Many thanks again @Osiris!
