Renewal seems successful, yet browsers say the site is not secure


#1

I attempted to renew a cert that had expired on this domain. It ended with the congratulations message and gives me an expiration date 3 months from now, but browsers won’t open the site securely. I tried restarting Apache, also the server, but still no https.

Please fill out the fields below so we can help you better.

My domain is: mohlenkampwoodworks.com

I ran this command: certbot certonly --force-renewal --webroot -w /home/jmmww/public_html -d mohlenkampwoodworks.com -d www.mohlenkampwoodworks.com

It produced this output: Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/mohlenkampwoodworks.com.conf with version 0.8.1 of Certbot. This might not work.

My operating system is (include version): CENTOS 7.2

My web server is (include version): Apache 2.4.18 (Unix)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, but not in this case


#2

Did you reload/restart Apache? Because you’re using certonly, this won’t happen automatically…


#3

I did, that didn’t work, I also restarted the whole server. Still no https.

It seems to me there are possibly two certs, one expired one not…is that possible?


#4

If you point Apache to the symlinks in the /live/ folder of /etc/letsencrypt/, there’s little chance it points to the wrong cert.

Please check and verify the Apache directives for correctness.


#5

hi xnau

tested your domain and it seems to redirect to xnau.com

Also the certificate currently being served up by your server is valid for the following domains

xnau.com and a few of the others.

Looks like virtual domains on apache might not be working as expected

HTTP seems to be working though :smiley:


#6

I’m not certain where to look for these directives…not finding anything in the Apache conf files. Can you suggest where I might look?


#7

Thanks, that is my business domain, I maybe wasn’t clear… the domain I’m trying to get the cert renewed on is mohlenkampwoodworks.com


#8

Hi xnau

I know :smiley:

http://mohlenkampwoodworks.com - good goes to woodworking site
https://mohlenkampwoodworks.com - redirects to https://xnau.com
http://www.mohlenkampwoodworks.com - good goes to http://mohlenkampwoodworks.com
https://www.mohlenkampwoodworks.com - goes to https://xnau.com

I haven’t done apache for a while but it’s most likely mod_rewrite rules which are sending to xnau.com

hoping someone more experienced with apache can help out further :smiley:


#9

I see, not sure why that would happen, it’s not in the htaccess, that was one of the first things I checked. OK, well thanks for looking at it!


#10

Somehow your whole TLS virtual host configuration for mohlenkampwoodworks.com is gone…

When I tested, I got a certificate not valid (b/c of the end date) error… This is different, so in between you must have changed something which caused this.


#11

yeah, I tried to start over by removing the expired cert from the configuration in the cpanel. Certbot says the cert is there and valid, so it seems like Apache isn’t aware of it.


#12

So you’re using cPanel… Might have been some useful information to mention earlier…

Do you actually edit the configuration of Apache yourself or do you only use cPanel for the installation of the certificate?


#13

Sorry I don’t use cpanel to install or update the certs, I do all that in the command line, I just did that one thing. It was probably not a good idea.


#14

Xnau,

I am interested in hearing the solution.


#15

Check where the Apache is looking for the certificates. On CentOS, Apache configs should be at /etc/httpd/conf/ or somewhere around that path.

  1. find the config for the vhost you have trouble with
  2. check where it’s looking for the certificates (if it does at all)
  3. verify that the path is right and there are new certificates

If you’re not sure what to look for, copy the configuration here (remove whatever you may consider private) and I or someone else will take a look and possibly navigate you further.

In my case (Ubuntu), certificates are stored at /etc/letsencrypt/live/<domain_name>. So if I were to use Apache and had a similar problem, I’d look through the Apache configuration files for a vhost (VirtualHost) for the broken domain and check if SSL is configured there as follows:

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/<my_domain>/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/<my_domain>/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/<my_domain>/fullchain.pem

It’s not 100% right as I’m actually using Nginx but these are the directives you’re looking for.
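The check this post describes, written up as an added shell example (it is not code from the thread): it parses an Apache config for the TLS vhost that will answer HTTPS for a given name, which is exactly how a missing :443 VirtualHost makes the browser land on a different site's certificate. The sample config and the domain names in it are constructed for the example.

```shell
# Added example, not from the thread. tls_vhost_for CONF DOMAIN reports which
# <VirtualHost ...:443> block Apache will use for DOMAIN:
#   MATCH   name certfile  - a :443 vhost names DOMAIN (ServerName/ServerAlias)
#   DEFAULT name certfile  - none does, so the first :443 vhost answers instead
#   NONE                   - the config defines no :443 vhost at all
tls_vhost_for() {
  awk -v d="$2" '
    BEGIN { d = tolower(d) }
    $1 ~ /^#/ { next }
    tolower($1) ~ /^<virtualhost/ {             # block start: remember the port
      port = $2; sub(/>.*/, "", port); sub(/.*:/, "", port)
      inblk = 1; name = "?"; cert = "-"; hit = 0; next
    }
    inblk && tolower($1) == "servername"  { name = $2; if (tolower($2) == d) hit = 1; next }
    inblk && tolower($1) == "serveralias" { for (i = 2; i <= NF; i++) if (tolower($i) == d) hit = 1; next }
    inblk && tolower($1) == "sslcertificatefile" { cert = $2; next }
    tolower($1) ~ /^<\/virtualhost/ {            # block end: record :443 blocks
      inblk = 0
      if (port != "443") next
      if (first == "") first = name " " cert     # Apache default vhost for :443
      if (hit) { print "MATCH " name " " cert; found = 1 }
      next
    }
    END { if (!found) print (first == "" ? "NONE" : "DEFAULT " first) }
  ' "$1"
}
# Constructed sample config mirroring the thread: the woodworking domain has
# only a port-80 vhost, so HTTPS requests land on the xnau.com TLS vhost.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost *:80>
    ServerName mohlenkampwoodworks.com
    ServerAlias www.mohlenkampwoodworks.com
    DocumentRoot /home/jmmww/public_html
</VirtualHost>
<VirtualHost *:443>
    ServerName xnau.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/xnau.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/xnau.com/privkey.pem
</VirtualHost>
EOF
tls_vhost_for "$SAMPLE_CONF" mohlenkampwoodworks.com
# On the real server, confirm the certificate Apache actually serves for a name
# matches the file certbot wrote (SHA-256 fingerprints). Needs network; not run here.
served_matches_disk() {   # $1 = hostname, $2 = certificate file on disk
  served=$(printf '' | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
           openssl x509 -noout -fingerprint -sha256)
  [ "$served" = "$(openssl x509 -noout -fingerprint -sha256 -in "$2")" ]
}
```

Run tls_vhost_for against the file httpd -S reports for the domain; a DEFAULT result means the :443 block is missing, which matches the "https redirects to xnau.com" behaviour seen earlier in the thread.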


#16

Thanks, this is helpful. I did some investigating into the Apache config files, I’m somewhat familiar with working with them. I have 3 other accounts on this machine with letsencrypt certs that are working and updating OK, so I tried to see how they were configured, but as far as I have been able to tell, none of them have an ssl configuration pointing to the letsencrypt certs.

The one that is broken was the first one installed and I used the old letsencrypt-auto to install it. That may be a clue as to why the renewal didn’t work. Anyway, I tried to configure the SSL as you suggested, making sure the paths to the ssl files were correct. These are the paths that certbot gave me after it renewed the cert.

Adding those paths to the configuration file hasn’t helped, the valid certs aren’t seen by the browser, but certbot says they’re OK.

I’m beginning to think I need to rip the whole thing out and start over.


#17

Hmm, strange. Have you tried checking the logs? There might be a clue why the certificates are ignored. The only other reason I can think of is that the configuration you’ve changed is not the one Apache is using for the vhost. I’d try to search all configs for the certificates or the domain name I’m trying to get working - just to make sure there is nothing overwriting or in conflict with my changes.


#18

It is strange…

I do get this error in the Apache logs when I attempt to load the site using https:

[Mon Oct 24 14:27:18.626847 2016] [ssl:error] [pid 7046] AH01936: stapling_check_response: response times invalid
[Mon Oct 24 14:27:18.626899 2016] [ssl:error] [pid 7046] AH01943: stapling_renew_response: error in retrieved response!

I do have stapling configured (with caching) in the main apache conf. Do you suppose there is a cached cert in there that is messing things up?


#19

Actually, I see the cache has a freshness time of 300 seconds, so probably not that.


#20

Update: I got it working, but I never found out what the problem was.

I was searching around about how the letsencrypt SSL is configured on a WHM CENTOS system (as mine is) and saw that WHM has a thing called “AutoSSL” that is basically a built-in way to use letsencrypt certs.

So I enabled AutoSSL in WHM…thinking this will either do nothing or make a mess. I was ready to clean up the mess if that happened. Once that was enabled, I ran a check (using WHM) on the site with the broken SSL.

The check came back good, and after that the site came in on https no problem!

I wish I’d figured out what the actual problem was, but since it’s working, I probably never will.