Renewal of crose.co.uk secured but not www.crose.co.uk


#1

My domain is: crose.co.uk / www.crose.co.uk

I ran this command: ./letsencrypt-auto certonly

It produced this output:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/crose.co.uk/fullchain.pem. Your cert will
    expire on 2017-01-29. To obtain a new or tweaked version of this
    certificate in the future, simply run letsencrypt-auto again. To
    non-interactively renew all of your certificates, run
    "letsencrypt-auto renew"

My web server is (include version): Apache 2.4

Hi All,

I have gone through the steps to renew my certs on my server, however now when I go to www.crose.co.uk I am getting a warning from Chrome: ERR_CERT_AUTHORITY_INVALID (Looking at the cert details it seems to be a self signed one). However during the renewal process I provided both www and non www versions of the domain.

I have also restarted Apache numerous times and even rebooted the server, however I cannot get www.crose.co.uk to be viewable under https.

In my Apache vhost config I have the usual culprits:
<VirtualHost *:443>
ServerName crose.co.uk
ServerAlias www.crose.co.uk
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/crose.co.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/crose.co.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/crose.co.uk/chain.pem

Which has always been fine previously. Which is why I’m left scratching my head.

Can anyone advise or recommend where I should look?


#2

I’d check if you have www.crose.co.uk anywhere else in your configs ( grep -R www.crose.co.uk /etc/apache2 , or /etc/httpd depending on your server )

I’d also check where the SSL cert is being loaded ( grep -R SSLCertificate /etc/apache2 )
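
The two grep checks suggested in this reply, combined into one pass that also records which VirtualHost each certificate directive sits in (an added example, not part of the original thread). The sample tree, including the /etc/pki/tls paths in it, is constructed, and `audit_ssl_certs` and `make_sample_tree` are hypothetical names.

```shell
# audit_ssl_certs CONF_DIR [EXPECTED_PREFIX]
# Prints one line per certificate directive:
#   STATUS file:line vhost=<addr> name=<ServerName> <directive> <path>
# ServerName is reported only if it precedes the directive in its block.
audit_ssl_certs() {
    expected=${2:-/etc/letsencrypt/live/}
    find "$1" -type f -name '*.conf' | sort | while IFS= read -r f; do
        awk -v file="$f" -v expected="$expected" '
            BEGIN { name = "-" }
            { sub(/^[ \t]+/, "") }                  # drop indentation
            /^#/ || /^$/ { next }                   # skip comments and blanks
            tolower($1) == "<virtualhost" { vhost = $2; sub(/>$/, "", vhost); name = "-"; next }
            tolower($1) == "</virtualhost>" { vhost = ""; name = "-"; next }
            tolower($1) == "servername" { name = $2; next }
            tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
                path = $2; gsub(/"/, "", path)      # tolerate quoted paths
                status = (index(path, expected) == 1) ? "OK" : "CHECK"
                printf "%s %s:%d vhost=%s name=%s %s %s\n", status, file, NR,
                       (vhost == "" ? "(global)" : vhost), name, $1, path
            }
        ' "$f"
    done
}

# Constructed sample tree: the site vhost from the first post plus a default
# ssl.conf like the one mod_ssl installs (its certificate paths are assumed).
make_sample_tree() {
    d=$(mktemp -d) && mkdir -p "$d/conf.d"
    cat > "$d/conf.d/crose.co.uk.conf" <<'EOF'
<VirtualHost *:443>
ServerName crose.co.uk
ServerAlias www.crose.co.uk
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/crose.co.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/crose.co.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/crose.co.uk/chain.pem
</VirtualHost>
EOF
    cat > "$d/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    echo "$d"
}
# With a directory argument, audit it; with none, audit the constructed sample.
if [ $# -gt 0 ]; then audit_ssl_certs "$@"; else audit_ssl_certs "$(make_sample_tree)"; fi
```

Run it as `sh audit.sh /etc/httpd` (or `/etc/apache2`); every `CHECK` line is a certificate or key loaded from outside the Let's Encrypt live directory, which is where a leftover self-signed certificate shows up.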


#3

It was found in /etc/httpd/conf/httpd.conf as well…

I have commented out the ServerName in there and restarted Apache but still the same issue. Do I need to regenerate the certs?


#4

I'm also seeing this error:

/etc/httpd/logs/ssl_error_log:[Mon Oct 31 04:37:46.521115 2016] [ssl:warn] [pid 1117:tid 139670451341376] AH01909: RSA certificate configured for www.crose.co.uk:443 does NOT include an ID which matches the server name


#5

No, you don’t need to regenerate it - the cert looks fine ( and it looks as if you already generated it 3 times :wink: ) The cert is valid for www.crose.co.uk

OK, so you have removed www.crose.co.uk from httpd.conf and reloaded apache - so there is now only one place that www.crose.co.uk exists ?

What is your server name ? (the error might not matter too much if you never use the server name of course :wink: )


#6

I've commented that line out of the httpd.conf file, so ServerName will be blank in there now.

In the vhost conf file I have:
ServerName crose.co.uk
ServerAlias www.crose.co.uk


#7

In your httpd.conf do you have an SSLCertificateFile that’s pointing to your self signed cert ? If not, where is that referenced ?


#8

So I had self signed certs config in the ssl.conf file that mod_ssl installs. I have commented these lines out and restarted apache but now it’s not working for non-www or www.

Any ideas?


#9

As a first step, I’d suggest replacing the links to the self signed ones with the letsencrypt ones (rather than just commenting them out).

If you can paste your config (ssl.conf, mod_ssl and httpd.conf ) - possibly at pastebin.com (easier to time limit and remove :wink: )


#10

Thanks for the help so far:

httpd.conf - http://pastebin.com/m3H1mzNM
ssl.conf - http://pastebin.com/uPha0p3R
crose.co.uk.conf - http://pastebin.com/StsXSu7N

I no longer get the SSL warning, I get an error saying the server sent a bad/wrong request:

"This site can’t provide a secure connection

crose.co.uk sent an invalid response."


#11

At the moment you are issuing http, not https on port 443

I’ll have a look at the configs …


#12

Ok so I decided to comment everything out of the default ssl.conf file and reloaded apache, and all seems to be working ok now!..

blimey! confused.com

Thank you for the help serverco!

