Scattered certificates and keys

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
growyournestegg.com

I ran this command:
sudo certbot install -d growyournestegg.com -d www.growyournestegg.com -v --preferred-challenges http

It produced this output:
Root logging level set at 10
Saving debug log to /etc/apache2/sites-available/~/.certbot/logs/letsencrypt.log
Requested authenticator None and installer None
Apache version is 2.4.18
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x7fcf411286a0>
Prep: True
Selected authenticator None and installer <certbot_apache.override_debian.DebianConfigurator object at 0x7fcf411286a0>
Plugins selected: Authenticator None, Installer apache

Which certificate would you like to install?


1: affordablesouthwesthomes.com
2: chocoholic.com
3: growyournestegg.com
4: winetreefarm.com


Select the appropriate number [1-4] then [enter] (press ‘c’ to cancel): 3
Created an SSL vhost at /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Creating backup of /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Creating backup of /etc/apache2/sites-enabled/growyournestegg.com.conf
Redirecting vhost in /etc/apache2/sites-enabled/growyournestegg.com.conf to ssl vhost in /etc/apache2/sites-available/growyournestegg.com-le-ssl.conf
Already enabled redirect for this vhost

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2019-04-03T13:34:47

The operating system my web server runs on is (include version):
Ubuntu 16.04

My hosting provider, if applicable, is:
Running on a self managed VPS hosted by A2.hosting

I can login to a root shell on my machine (yes or no, or I don’t know):
YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
NO (ssh to a terminal interface)

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

Problem

growyournestegg.com does not appear in ‘/etc/letsencrypt/live’ which is where I thought all letsencrypt generated certificates and keys were stored.

A number of my certs and keys are stored in:
/etc/apache2/sites-available/~/.certbot/config/live/

and some in:
/usr/share/wordpress/~/.certbot/config/live/

and there are even some in:
~/~/.certbot/config/live

Is it something that I’m doing that is scattering certificates all over the place?

Also when trying to access: growyournestegg.com

it goes to:
affordablesouthwesthomes.com which creates an “SSL_ERROR_BAD_CERT_DOMAIN” error

“affordablesouthwesthomes.com” is the default server listed by “sudo apache2 -S”; it’s also the first site listed in /etc/letsencrypt/live.

I don’t know what’s causing certs and keys to be scattered all over the file system. Could it be the phase of the moon?

-Pete
When I try to access growyournestegg.com

Hi @renopete

Checking your first domain, I don't see a problem.

Instead, you have a Grade B, that's very good ( https://check-your-website.server-daten.de/?q=growyournestegg.com ):

The certificate:

CN=growyournestegg.com | 25.04.2019 | 24.07.2019 | expires in 90 days | growyournestegg.com, www.growyournestegg.com - 2 entries

And all 4 standard checks are fine, two correct redirects http -> https, one correct not-preferred-version -> preferred version:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://growyournestegg.com/ 198.100.45.83 | 301 | https://growyournestegg.com/ | 0.240 | A |
| http://www.growyournestegg.com/ 198.100.45.83 | 301 | https://www.growyournestegg.com/ | 0.240 | A |
| https://growyournestegg.com/ 198.100.45.83 | 301 | https://www.growyournestegg.com/ | 1.817 | B |
| https://www.growyournestegg.com/ 198.100.45.83 | 200 | | 1.697 | B |

Grade B is really good. Looks like you have fixed the problem.

Or it's a local caching problem, so only you see the wrong data.

Juergen

You were right. I checked late this evening on:

https://www.sslshopper.com/ssl-checker.html#hostname=growyournestegg.com

And it does not report a name mismatch. Am going to have to reboot my systems to see if
I can clear the browser caches of bad data.

Thanks for the quick response. As for letsencrypt storing all certificates and keys in
/etc/letsencrypt/live, I guess that’s no longer the case.

-Pete


Certbot does normally store everything in /etc/letsencrypt.

Check /etc/letsencrypt/cli.ini (ironically) and ~/.config/letsencrypt/cli.ini to see if there are settings telling it to put stuff elsewhere?

It sounds like perhaps something is configured to put things in “~/.config/certbot” but the “~” isn’t being expanded.

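The paths in the question all have the form `<working directory>/~/.certbot/...`, which fits the unexpanded "~" suggested in the last reply. The following is an added example, not code from any poster or from Certbot: it lists `live` directories sitting under a literal `~` directory and the cli.ini lines that point `config-dir`, `work-dir` or `logs-dir` at a `~` path. The function names, the `example.test` lineage and the cli.ini contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): find Certbot data written under a literal "~"
# directory, and the cli.ini lines that would cause it.

# Print cli.ini lines that set config-dir, work-dir or logs-dir to a path starting with "~".
tilde_settings() {
    for ini in "$@"; do
        [ -f "$ini" ] || continue   # skip cli.ini files that do not exist
        grep -HnE '^[[:space:]]*(config|work|logs)-dir[[:space:]]*=[[:space:]]*~' "$ini" || true
    done
}

# Print each "live" directory located below a directory literally named "~".
scattered_live_dirs() {
    for root in "$@"; do
        [ -d "$root" ] || continue
        find "$root" -type d -name live -path '*/~/*' 2>/dev/null
    done | sort
}

# Build a constructed sample tree under $1 that mimics the layout reported in the thread.
make_sample_tree() {
    for cwd in etc/apache2/sites-available usr/share/wordpress root; do
        mkdir -p "$1/$cwd/~/.certbot/config/live/example.test"
    done
    mkdir -p "$1/etc/letsencrypt/live/example.test" "$1/root/.config/letsencrypt"
    # Constructed cli.ini: the "~" values here are the suspected cause.
    printf '%s\n' 'config-dir = ~/.certbot/config' 'work-dir = ~/.certbot/work' \
        'logs-dir = ~/.certbot/logs' > "$1/root/.config/letsencrypt/cli.ini"
    printf '%s\n' '# no directory overrides' 'rsa-key-size = 4096' \
        > "$1/etc/letsencrypt/cli.ini"
}

# Demo on the constructed tree. On a real host, pass the directories to search and
# /etc/letsencrypt/cli.ini plus ~/.config/letsencrypt/cli.ini instead.
sample=$(mktemp -d)
make_sample_tree "$sample"
echo "cli.ini settings with an unexpanded ~:"
tilde_settings "$sample/etc/letsencrypt/cli.ini" "$sample/root/.config/letsencrypt/cli.ini"
echo "live directories under a literal ~ directory:"
scattered_live_dirs "$sample"
rm -rf "$sample"
```

Each `live` directory holds a lineage's private key, so a hit below a directory the web server can serve should be moved or removed first.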