Renewed certificate uses localhost instead of domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: myithala.education

I ran this command: sudo certbot

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: myithala.education
2: www.myithala.education


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/myithala.education-0001.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for myithala.education
Deploying Certificate to VirtualHost /etc/httpd/conf/httpd-le-ssl.conf
Enhancement redirect was already set.


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://myithala.education


IMPORTANT NOTES: ...

My web server is (include version): AWS EC2 Linux instance

The operating system my web server runs on is (include version):
Operating System: Amazon Linux 2
CPE OS Name: cpe:2.3:o:amazon:amazon_linux:2
Kernel: Linux 4.14.256-197.484.amzn2.x86_64
Architecture: x86-64

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.11.0

This worked when I set up the site. After updating the site files (i.e. content, but not the configuration files), the browser says the site is not secure. When I check the certificate, it shows it is issued by and to localhost.localdomain. This is in the file /etc/httpd/conf/httpd.conf:
<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName "myithala.education"
ServerAlias "www.myithala.education"

Please don't renew a perfectly good certificate if the issue is with something else like the installing part.

What's the output of sudo apachectl -S ?

2 Likes

Thanks for the response. I ran the certbot utility to try to fix the "site is not secure" message after updating the content of the site. I set up the site recently on a Linux VM, and everything was fine. After updating the content (i.e. just the files in the /var/www/http folder, not config files in any other folder) I got the "site is not secure" message and tried certbot several times trying to recreate the certificate. It's only after doing this a few times that I noticed it had changed the domain to localhost.localdomain.

This is the output of sudo apachectl -S:
[ec2-user@myithala ~]$ sudo apachectl -S
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using myithala.education. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:80                   myithala.education (/etc/httpd/conf/httpd.conf:43)
*:443                  is a NameVirtualHost
         default server myithala.education (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost myithala.education (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost myithala.education (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.myithala.education
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Your HTTPS VirtualHost is mentioned in two Apache configuration files, where it should be in just a single configuration file.

Please make sure your HTTPS VirtualHost (port 443) is only configured in either ssl.conf or httpd-le-ssl.conf. My guess is your localhost self-signed certificate is configured in ssl.conf and should probably not be configured as the VirtualHost for myithala.education.

3 Likes
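As an added example, not part of this thread or of certbot, the following shell check automates what the reply above does by eye: it reads `apachectl -S` output and reports any hostname that is served by more than one `<VirtualHost>` on the same port, marking the first one listed (the one Apache treats as the default server for that port, and therefore the one whose certificate clients see) as the winner. The sample output embedded in the block is constructed to mirror the one posted above; the function names `find_dup_vhosts` and `check_vhosts` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): flag a hostname configured on the same
# port by more than one <VirtualHost>. Apache uses the first vhost listed for a
# port as the default, so a stale vhost in ssl.conf (with the stock localhost.crt)
# can shadow the certbot-managed one in httpd-le-ssl.conf.

# Constructed sample shaped like the `sudo apachectl -S` output in the thread.
SAMPLE_VHOSTS='VirtualHost configuration:
*:80                   myithala.education (/etc/httpd/conf/httpd.conf:43)
*:443                  is a NameVirtualHost
         default server myithala.education (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost myithala.education (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost myithala.education (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias www.myithala.education
ServerRoot: "/etc/httpd"'

# Reads apachectl -S output on stdin. Prints one line per port/host pair that is
# defined more than once: "<port> <host> <first file:line> (wins) <other file:line> ..."
find_dup_vhosts() {
    awk '
    /port [0-9]+ namevhost/ {
        key = $2 " " $4                      # e.g. "443 myithala.education"
        loc = $5; gsub(/[()]/, "", loc)      # "(/path/file.conf:56)" -> "/path/file.conf:56"
        seen[key] = (key in seen) ? seen[key] " " loc : loc
        n[key]++
    }
    END {
        for (k in seen) if (n[k] > 1) {
            split(seen[k], f, " ")
            out = k " " f[1] " (wins)"       # first listed = default server for the port
            for (i = 2; i <= n[k]; i++) out = out " " f[i]
            print out
        }
    }'
}

# Wrapper with a non-zero exit status when a duplicate exists, so the check can
# gate a config reload (e.g. run it before `apachectl graceful`).
check_vhosts() {
    dups=$(find_dup_vhosts)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# On a live host: sudo apachectl -S 2>/dev/null | check_vhosts
```

Once the winning file is known, `openssl x509 -noout -subject -issuer -enddate -in <path from its SSLCertificateFile line>` shows whether that vhost is handing out the self-signed localhost certificate or the Let's Encrypt chain; in the thread above, the vhost at ssl.conf:56 is listed first and points at /etc/pki/tls/certs/localhost.crt, which is exactly the symptom the browser reports.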

You should have picked both ("1" and "2").

2 Likes

So far as I can tell, LetsEncrypt created the file /etc/httpd/conf.d/httpd-le-ssl.conf, and this just contains a subset with the same info as in /etc/httpd/conf.d/ssl.conf.

Just a reminder: I initially set up the site and the certificate was fine until I updated the site contents a few months later. I then got an error with the certificate, but it may have coincidentally expired at the same time. After running certbot this time, the certificate now uses localhost.localdomain instead of the domain specified in the ssl.conf file. I can't see where it is getting this from. Are there any files I need to delete or change before running certbot for a second time?

No, we are just using myithala.education, not www.myithala.education.

That's the whole issue I think. There shouldn't be two configuration files with the same hostname.

3 Likes

I agree.
This is a problem:

And this one (maybe all are) is missing the "www":

1 Like

I wasn't sure if the AH00558 error might have something to do with this, so I copied the ServerName "myithala.education" line above the <VirtualHost *:443> block, and restarted the web service; the error message is now gone, but I still have the problem with the certificate.

I also removed the line ServerAlias "www.myithala.education" from the /etc/httpd/conf/httpd-le-ssl.conf file since we do not use www.myithala.education.

I tried removing the /etc/httpd/conf/httpd-le-ssl.conf file, but then I can't restart the web service.

I tried removing the SSLCertificateFile /etc/pki/tls/certs/localhost.crt line from the /etc/httpd/conf.d/ssl.conf file, but then I can't restart the web service. I thought this was the most likely issue, since it points to an old file.

When I remove the SSLCertificateFile /etc/letsencrypt/live/myithala.education-0001/fullchain.pem line from the /etc/httpd/conf/httpd-le-ssl.conf file, I can restart the web service but I still have the problem.

Is there a way I can wipe out everything that certbot created so I can start fresh?