Scattered certificates and keys

Help
#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
growyournestegg.com

I ran this command:
sudo certbot install -d growyournestegg.com -d www.growyournestegg.com -v --preferred-challenges http

It produced this output:
Root logging level set at 10
Saving debug log to /etc/apache2/sites-available/~/.certbot/logs/letsencrypt.log
Requested authenticator None and installer None
Apache version is 2.4.18
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fcf411286a0>
Prep: True
Selected authenticator None and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fcf411286a0>
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to install?

1: affordablesouthwesthomes.com
2: chocoholic.com
3: growyournestegg.com
4: winetreefarm.com

Select the appropriate number [1-4] then [enter] (press ā€˜cā€™ to cancel): 3
Created an SSL vhost at /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Creating backup of /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if youā€™re confident your site works on HTTPS. You can undo this
change by editing your web serverā€™s configuration.

Select the appropriate number [1-2] then [enter] (press ā€˜cā€™ to cancel): 2
Creating backup of /etc/apache2/sites-enabled/growyournestegg.com.conf
Redirecting vhost in /etc/apache2/sites-enabled/growyournestegg.com.conf to ssl vhost in /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Already enabled redirect for this vhost

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2019-04-03T13:34:47

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Running on a self managed VPS hosted by A2.hosting

I can login to a root shell on my machine (yes or no, or I donā€™t know):
YES

Iā€™m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO (ssh to a terminal interface)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if youā€™re using Certbot):
certbot 0.31.0

Problem

growyournestegg.com does not appear in ā€˜/etc/letsencrypt/liveā€™ which is where I thought all letsencrypt generated certificates and keys were stored.

A number of my certs and keys are stored in:
/etc/apache2/sites-available/~/.certbot/config/live/

and some in:
/usr/share/wordpress/~/.certbot/config/live/

and there are even some in:
~/~/.certbot/config/live

Is it something that Iā€™m doing that is scattering certificates all over the place?

Also when trying to access: growyournestegg.com

it goes to:
affordablesouthwesthomes.com which creates a ā€œSSL_ERROR_BAD_CERT_DOMAINā€ error

ā€œaffordablesouthwesthomes.comā€ which is the default server listed by ā€œsudo apache2 -Sā€ itā€™s also the first site listed in /etc/letsencrypt/live.

I donā€™t know whatā€™s causing certs and keys to be scattered all over the file system? Could it be the phase of the moon?

-Pete
When I try to access growyournestegg.com

#2

Hi @renopete

checking your first domain I don't see a problem.

Instead, you have a Grade B, that's very good ( https://check-your-website.server-daten.de/?q=growyournestegg.com ):

The certificate:

CN=growyournestegg.com
	25.04.2019
	24.07.2019
expires in 90 days	
growyournestegg.com, www.growyournestegg.com - 2 entries

And all 4 standard checks are fine, two correct redirects http -> https, one correct not-preferred-version -> preferred version:

Domainname Http-Status redirect Sec. G
ā€¢ http://growyournestegg.com/
198.100.45.83 301 https://growyournestegg.com/ 0.240 A
ā€¢ http://www.growyournestegg.com/
198.100.45.83 301 https://www.growyournestegg.com/ 0.240 A
ā€¢ https://growyournestegg.com/
198.100.45.83 301 https://www.growyournestegg.com/ 1.817 B
ā€¢ https://www.growyournestegg.com/
198.100.45.83 200 1.697 B

Grade B is really good. Looks like you have fixed the problem.

Or it's a local caching problem, so only you see the wrong data.

#3

Juergen

You were right. I checked late this evening on:

https://www.sslshopper.com/ssl-checker.html#hostname=growyournestegg.com

And it does not report a name mismatch. Am going to have to reboot my systems to see if
I can clear the browser caches of bad data.

Thanks for the quick response. As for letsencrypt storing all certificates and keys in
/etc/letsencrypt/live, I guess thatā€™s not longer the case.

-Pete

2 Likes
#4

Certbot does normally store everything in /etc/letsencrypt.

Check /etc/letsencrypt/cli.ini (ironically) and ~/.config/letsencrypt/cli.ini to see if there are settings telling it to put stuff elsewhere?

It sounds like perhaps something is configured to put things in ā€œ~/.config/certbotā€ but the ā€œ~ā€ isnā€™t being expanded.

1 Like
#5

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.