Received new cert for apache on CentOS but website is showing self-signed

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.doomsday-gourmet.com

I ran this command: certbot --apache -d doomsday-gourmet.com

It produced this output:
goot@ca-web-01(web-server) /home/groot/ $ certbot --apache -d doomsday-gourmet.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/doomsday-gourmet.com.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/httpd/sites-enabled/doomsday-gourmet.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://doomsday-gourmet.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=doomsday-gourmet.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/doomsday-gourmet.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/doomsday-gourmet.com/privkey.pem
   Your cert will expire on 2019-12-07. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

root@ca-web-01(web-server) /home/groot/ $

My web server is (include version): Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.36.0

Hi @ghostwolf

your command

can't work. That creates a certificate only with doomsday-gourmet.com, so your www version isn't secure. And your www version may use the wrong vHost -> self signed certificate.

Yep - there are a lot of wrong certificates - https://check-your-website.server-daten.de/?q=doomsday-gourmet.com

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-09-01 2019-11-30 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-09-01 2019-11-30 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-09-01 2019-11-30 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-09-01 2019-11-30 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-08-25 2019-11-23 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-08-25 2019-11-23 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-08-25 2019-11-23 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-08-25 2019-11-23 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-08-24 2019-11-22 doomsday-gourmet.com - 1 entries
Let's Encrypt Authority X3 2019-07-01 2019-09-29 doomsday-gourmet.com, wholesale.doomsday-gourmet.com, www.doomsday-gourmet.com - 3 entries

So first step: Your vHost configuration:

What says

apachectl -S

There should be one port 80, one port 443 vHost. Both with

ServerName doomsday-gourmet.com
ServerAlias www.doomsday-gourmet.com

so Certbot can find a correct vHost.

Thanks for that bit of information! Here’s the result of apachectl -S
VirtualHost configuration:
*:443 is a NameVirtualHost
default server doomsday-gourmet.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost doomsday-gourmet.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost doomsday-gourmet.com (/etc/httpd/sites-enabled/doomsday-gourmet.com-le-ssl.conf:2)
alias www.doomsday-gourmet.com
*:80 is a NameVirtualHost
port 80 namevhost doomsday-gourmet.com (/etc/httpd/sites-enabled/doomsday-gourmet.com.conf:1)
alias www.doomsday-gourmet.com

There

you see the problem. Two vHosts with the same domain name. Rename the ServerName in your ssl.conf:56 file (sample: use localhost), so the conf:2 is unique. Restart your server.

Then create one certificate with both domain names:

-d doomsday-gourmet.com -d www.doomsday-gourmet.com
1 Like

That did the trick! Thank you very much!!! Been banging my head against the wall trying to get this working.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.