Says LE is active but website still says Connection Not Private and won't let access

Hi,

Whenever I try to renew my LE certificate through the AWS Lightsail Console, I am being told that it's active and not due for renewal (I renewed it prior to expiry already). However, I still cannot access the site, getting this msg:

sapsonic.com normally uses encryption to protect your information. When Google Chrome tried to connect to sapsonic.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be sapsonic.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit sapsonic.com at the moment because the website sent scrambled credentials that Google Chrome cannot process.

Whynopadlock result (https://www.whynopadlock.com/results/bf0cad22-3d81-4c2d-95fd-70129bb344ca) shows this warning:

You have an invalid or missing intermediate (bundle) certificate. This may not break your padlock on all browsers, but will on others. Please contact your SSL Vendor for assistance with this error.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sapsonic.com

I ran this command:

bitnami@ip-XXX-XX-X-X:~$ DOMAIN=sapsonic.com
bitnami@ip-XXX-XX-X-X:~$ WILDCARD=*.$DOMAIN
bitnami@ip-XXX-XX-X-X:~$ echo $DOMAIN && echo $WILDCARD
sapsonic.com
*.sapsonic.com
bitnami@ip-XXX-XX-X-X:~$ sudo certbot -d $DOMAIN -d $WILDCARD --manual --preferred-challenges dns certonly

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/sapsonic.com.conf)

What would you like to do?


1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)

My web server is (include version): Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1109-aws x86_64)

The operating system my web server runs on is (include version): Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-1109-aws x86_64)

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don't know): I don't know, but I am a root user on AWS Lightsail.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Not sure if this is what you mean, but on my Control Panel (that I launched from AWS Lightsail), it says this: Bitnami WordPress 5.0.3-2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

2 Likes

Welcome to the Let's Encrypt Community :slightly_smiling_face:


For those using Bitnami, we recommend:


This means that you are missing the CA intermediate certificate. Usually it means you are using cert.pem that only contains your certificate instead of fullchain.pem that contains your certificate AND the CA intermediate certificate.

For reference:
Let’s Encrypt Authority X3 Intermediate Certificate


You really want to choose either www or non-www and redirect to that. This is known as name canonicalization and helps ensure that you get the best search ranking.


Regarding the insecurity, sapsonic.com is currently serving an expired certificate despite the fact that two unexpired certificates exist (including one generated recently). Always keep your existing certificate if it isn't close to expiry.

Try restarting apache:
sudo /opt/bitnami/ctlscript.sh restart apache

Here is an improved certbot command:
sudo certbot certonly --cert-name sapsonic.com --manual --preferred-challenges dns -d "$DOMAIN,$WILDCARD" --keep-until-expiring


You currently have TLSv1 enabled. It is insecure and needs to be disabled.


Complete certificate history:


2 Likes
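An added example, not from this thread, certbot or Bitnami, that shows the cert.pem versus fullchain.pem difference offline: it assumes the openssl command-line tool, builds a constructed root/intermediate/leaf hierarchy in a temp directory, and then runs the same check a browser performs, verifying the leaf against the chain the server would send.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the "missing intermediate"
# diagnosis offline. A constructed root -> intermediate -> leaf hierarchy is
# generated with openssl; chain_ok shows that a leaf-only cert.pem fails to
# verify while fullchain.pem (leaf + intermediate) passes.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Count PEM certificate blocks in a bundle (fullchain.pem should have >= 2).
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# chain_ok BUNDLE ROOT: verify the first cert in BUNDLE, using the rest of
# BUNDLE as untrusted intermediates and trusting only ROOT. Exit 0 on success.
chain_ok() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} n==1' "$1" > leaf.tmp
  openssl verify -CAfile "$2" -untrusted "$1" leaf.tmp >/dev/null 2>&1
}

# Constructed test PKI (short validity, throwaway keys, not for real use).
printf 'basicConstraints=CA:TRUE\n' > ca.ext
openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
  -subj /CN=ConstructedRoot -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj /CN=ConstructedIntermediate >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -extfile ca.ext -out int.pem -days 2 >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj /CN=example.test >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out cert.pem -days 2 >/dev/null 2>&1

# Mirror what certbot writes: cert.pem = leaf only, fullchain.pem = leaf + intermediate.
cat cert.pem int.pem > fullchain.pem

if chain_ok cert.pem root.pem; then echo "cert.pem: chain OK"; else echo "cert.pem: missing intermediate"; fi
if chain_ok fullchain.pem root.pem; then echo "fullchain.pem: chain OK"; else echo "fullchain.pem: broken"; fi
```

The same check works against a real bundle by pointing ROOT at the CA bundle your system trusts, so a web server that serves cert.pem alone shows up as "missing intermediate" before any browser does.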

Thank you for the swift response! I've been using the instructions on AWS lightsail so far to install/renew my certs and it worked fine so far, except this one. Will using the new link cause any issues now?

Also, to resolve all of the above issues, I only need to follow the instructions in the Bitnami docs, is that right? Or is there any other step too?

3 Likes

Oh, this resolved the issue! Thank you so much! :slight_smile:

3 Likes

Are you using apache or nginx?

Most people here run in terror when they see "Bitnami" written anywhere in a post. :grin: It is notorious for conflicting with certbot. I'm astounded that you got it working.

Let me check something...

3 Likes

certonly, especially with --manual, is generally safe.

It's when people try to use just certbot, certbot --apache or certbot --nginx that it's dangerous with Bitnami.

4 Likes

It's... so... beautiful!

:partying_face:

2 Likes

Always make sure to restart apache or nginx after acquiring your new certificate! One poor guy didn't do this for 6 months...

3 Likes

Yes it is! I've been banging my head against this for hours! Thank you so much for the timely advice! :rocket:

3 Likes

Oh man, lesson learned! Will do! :slight_smile:

3 Likes

As for the other things, address as you will.

@_az

How to get rid of TLSv1?

1 Like

Oh, right. How to do this? I found this link, but I can't really understand the instructions.

2 Likes

Do you use apache or nginx?

I reran your test. Looking pretty good. :upside_down_face:

1 Like

Apache. That's the restart command I used, and I think it's the default in Lightsail.

2 Likes

How about this? Should take you... 5 seconds to try. :smiley:

1 Like

Maybe I'm doing something wrong, this is what's happening:

bitnami@ip-172-26-4-46:~$ SSLProtocol TLSv1.2
SSLProtocol: command not found
bitnami@ip-172-26-4-46:~$ /opt/bitnami/apache2/conf/bitnami/bitnami.conf
-bash: /opt/bitnami/apache2/conf/bitnami/bitnami.conf: Permission denied

2 Likes

  1. Open /opt/bitnami/apache2/conf/bitnami/bitnami.conf in your favorite text editor.
  2. Change the entry of SSLProtocol to TLSv1.2.
  3. Run /opt/bitnami/ctlscript.sh restart apache

1 Like
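The three steps above, and the shell session a few posts back where the directive was typed at the prompt instead of into the file, as an added example that is not from the thread, Bitnami or Apache: it assumes a POSIX shell with awk and sed, a constructed stand-in for bitnami.conf rather than the real file, and Apache's SSLProtocol semantics (all enables every version, +X or X adds one, -X removes one).

```shell
#!/bin/sh
# Added example (not from the thread, not Bitnami's or Apache's code): work out
# which protocols an Apache "SSLProtocol" value actually enables, flag the
# insecure ones, and rewrite the directive in a config file.
set -e

# effective_protocols VALUE: print the enabled versions, oldest first.
effective_protocols() {
  printf '%s\n' "$1" | awk '
    BEGIN { n = split("SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3", all, " ") }
    {
      for (i = 1; i <= NF; i++) {
        tok = $i; op = "+"
        if (tok ~ /^[+-]/) { op = substr(tok, 1, 1); tok = substr(tok, 2) }
        if (tolower(tok) == "all") { for (j = 1; j <= n; j++) on[all[j]] = (op == "+") }
        else on[tok] = (op == "+")
      }
      sep = ""
      for (j = 1; j <= n; j++) if (on[all[j]]) { printf "%s%s", sep, all[j]; sep = " " }
      printf "\n"
    }'
}

# weak_tls_enabled VALUE: exit 0 if SSLv3, TLSv1 or TLSv1.1 would still be offered.
weak_tls_enabled() {
  effective_protocols "$1" | grep -q -E '(^| )(SSLv3|TLSv1|TLSv1\.1)( |$)'
}

# current_ssl_protocol FILE: print the value of the SSLProtocol directive(s) in FILE.
current_ssl_protocol() { sed -n -E 's/^[[:space:]]*SSLProtocol[[:space:]]+//p' "$1"; }

# set_ssl_protocol FILE VALUE: replace every SSLProtocol line in FILE with VALUE,
# keeping a .bak copy. Exit 1 without touching FILE if no such line exists.
set_ssl_protocol() {
  grep -q -E '^[[:space:]]*SSLProtocol[[:space:]]' "$1" || return 1
  cp "$1" "$1.bak"
  sed -E "s/^([[:space:]]*)SSLProtocol[[:space:]].*/\1SSLProtocol $2/" "$1.bak" > "$1"
}

# Constructed stand-in for /opt/bitnami/apache2/conf/bitnami/bitnami.conf.
CONF=$(mktemp)
printf '<VirtualHost _default_:443>\n  SSLEngine on\n  SSLProtocol all -SSLv2 -SSLv3\n</VirtualHost>\n' > "$CONF"

weak_tls_enabled "$(current_ssl_protocol "$CONF")" && echo "before: weak TLS still enabled"
set_ssl_protocol "$CONF" "TLSv1.2"    # step 2 of the instructions above
weak_tls_enabled "$(current_ssl_protocol "$CONF")" || echo "after: only $(effective_protocols TLSv1.2)"
```

On the real server the file is only writable as root, hence the sudo in the later reply, and step 3 (restarting Apache) is still needed for the new value to take effect.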

Thank you for the prompt responses. This is the part I'm not able to understand. I only have a terminal within Lightsail I can use and where I'm running into an issue (refer to the screenshot below).

I'm not much of a dev, apologies if I'm missing something too obvious! :slight_smile:

2 Likes

sudo nano /opt/bitnami/apache2/conf/bitnami/bitnami.conf

1 Like

Damn - nothing specific to Bitnami in the Mozilla page! ! !


Even the REFERENCE doesn't cover all cases

2 Likes