Self signed certificate instead of "Fake LE Root X1"

Hi everyone,
I’m facing a weird problem:
I successfully issued a certificate for some of my websites (e.g. www.hitasytech.com).
I tried to issue other certificates for other websites (e.g. prestashop.hitasytech.com) and faced the described problem: the certificate is self-signed (detected both in Chrome and Firefox). I tried to delete and renew the certificate and … nothing to do. I still get this self-signed certificate (in prod or in test environment).

Is there something I should know? What am I doing wrong?? I checked the conf files and they are pointing to the right files…

NB: all websites are virtual domains hosted on the same server. Apache 2.2.15.

Thanks for your help!

How did you issue your certificates?

Did you use Certbot? If so, what is the output of:

certbot certificates
# or certbot-auto certificates
# or letsencrypt-auto certificates
# however you installed Certbot

Additionally please show the output of:

apachectl -S

Yes they are all issued with certbot-auto.

Output of certbot-auto certificates

> Saving debug log to /var/log/letsencrypt/letsencrypt.log

> -------------------------------------------------------------------------------
> Found the following certs:
>   Certificate Name: www.leadalertes.fr
>     Domains: www.leadalertes.fr leadalertes.com leadalertes.fr www.leadalertes.com
>     Expiry Date: 2018-05-06 15:13:34+00:00 (VALID: 89 days)
>     Certificate Path: /etc/letsencrypt/live/www.leadalertes.fr/fullchain.pem
>     Private Key Path: /etc/letsencrypt/live/www.leadalertes.fr/privkey.pem
>   Certificate Name: test.hitasytech.com
>     Domains: test.hitasytech.com
>     Expiry Date: 2018-05-06 11:45:08+00:00 (VALID: 89 days)
>     Certificate Path: /etc/letsencrypt/live/test.hitasytech.com/fullchain.pem
>     Private Key Path: /etc/letsencrypt/live/test.hitasytech.com/privkey.pem
>   Certificate Name: www.hitasytech.com
>     Domains: www.hitasytech.com hitasytech.com ht.hitasytech.com
>     Expiry Date: 2018-05-06 14:37:48+00:00 (VALID: 89 days)
>     Certificate Path: /etc/letsencrypt/live/www.hitasytech.com/fullchain.pem
>     Private Key Path: /etc/letsencrypt/live/www.hitasytech.com/privkey.pem
>   Certificate Name: prestashop.hitasytech.com
>     Domains: prestashop.hitasytech.com
>     Expiry Date: 2018-05-07 08:20:34+00:00 (INVALID: TEST_CERT)
>     Certificate Path: /etc/letsencrypt/live/prestashop.hitasytech.com/fullchain.pem
>     Private Key Path: /etc/letsencrypt/live/prestashop.hitasytech.com/privkey.pem
> -------------------------------------------------------------------------------

Output of apachectl -S:

> httpd: Could not reliably determine the server's fully qualified domain name, using 192.168.0.101 for ServerName
> VirtualHost configuration:
> wildcard NameVirtualHosts and _default_ servers:
> *:443                  is a NameVirtualHost
>          default server 192.168.0.101 (/etc/httpd/conf.d/ssl.conf:74)
>          port 443 namevhost 192.168.0.101 (/etc/httpd/conf.d/ssl.conf:74)
>          port 443 namevhost test.hitasytech.com (/etc/httpd/conf.d/test.hitasytech.com-le-ssl.conf:2)
>          port 443 namevhost www.hitasytech.com (/etc/httpd/conf.d/www.hitasytech.com-le-ssl.conf:2)
>                  alias ht.hitasytech.com
>                  alias hitasytech.com
>          port 443 namevhost www.leadalertes.com (/etc/httpd/conf.d/www.leadalertes.com-le-ssl.conf:2)
>                  alias leadalertes.com
>                  alias www.leadalertes.fr
>                  alias leadalertes.fr
> *:80                   is a NameVirtualHost
>          default server api.hitasytech.com (/etc/httpd/conf.d/api.hitasytech.com.conf:1)
>          port 80 namevhost api.hitasytech.com (/etc/httpd/conf.d/api.hitasytech.com.conf:1)
>                  alias api.leadalertes.com
>          port 80 namevhost apnk.hitasytech.com (/etc/httpd/conf.d/apnk.hitasytech.com.conf:1)
>          port 80 namevhost handigital.hitasytech.com (/etc/httpd/conf.d/handigital.hitasytech.com.conf:1)
>          port 80 namevhost prestashop.hitasytech.com (/etc/httpd/conf.d/prestashop.hitasytech.com.conf:1)
>          port 80 namevhost test.hitasytech.com (/etc/httpd/conf.d/test.hitasytech.com.conf:1)
>          port 80 namevhost www.hitasy.com (/etc/httpd/conf.d/www.hitasy.com.conf:1)
>                  alias hitasy.hitasytech.com
>                  alias hitasy.com
>          port 80 namevhost www.hitasytech.com (/etc/httpd/conf.d/www.hitasytech.com.conf:1)
>                  alias ht.hitasytech.com
>                  alias hitasytech.com
>          port 80 namevhost www.leadalertes.com (/etc/httpd/conf.d/www.leadalertes.com.conf:1)
>                  alias leadalertes.com
>                  alias www.leadalertes.fr
>                  alias leadalertes.fr
>          port 80 namevhost www.mahutte.com (/etc/httpd/conf.d/www.mahutte.com.conf:1)
>                  alias mahutte.com
>          port 80 namevhost www.sirenalertes.com (/etc/httpd/conf.d/www.sirenalertes.com.conf:1)
>                  alias sirenalertes.com
>          port 80 namevhost 62.210.157.57 (/etc/httpd/conf/httpd.conf:1013)
>                  alias 192.168.0.101
>          port 80 namevhost 192.168.0.101 (/etc/httpd/conf/httpd.conf:1029)
> Syntax OK

To me what stands out is that you have no port 443 namevhost/VirtualHost for prestashop.hitasytech.com - just the non-HTTPS/port 80 one.

That is why your server is not responding with that certificate - Apache has no configuration pointing to it - so it just responds with the default self-signed global certificate from ssl.conf.

I’m not 100% sure how/when Certbot decides to add VirtualHosts, but that is probably the problem you need to solve.

Did you use --dry-run or --staging when issuing the prestashop cert? Maybe it needs to be a live/non-test certificate in order to create the secure VirtualHost in Apache. (Total speculation, if you feel safer waiting for somebody smarter to respond I won’t mind :smiley: ).


Your questions drove me to the heart of the problem!!

Yes, I first used a regular request and then I used the --staging option, but none of the requests went OK…
As long as it worked once, it should work for all domains as long as they’re well configured…
It seems that there is a problem with apache that doesn’t load the conf files…
Thanks for your help. I will try to collect further information and hopefully solve this !
If someone has a clue…

That should be clear to understand. You (maybe unintendedly) issued a test certificate for this domain name. Just delete it via:

certbot delete --cert-name prestashop.hitasytech.com

And then reissue.

I did this at least 5 times and the problem’s still there…

Please show the whole command line which you entered.

./certbot-auto --staging --debug --authenticator webroot --installer apache

Why staging? This is for test-certificates.
Just omit this parameter.

--staging because I first want to test… I successfully used the production server for the other websites but reached the rate limits while issuing and re-issuing certificates when I faced my problem.

Ah, I was somewhat misled here. The problem is identified correctly by @_az.
First try to find out, which configuration holds the wrong certificate:

grep -ri prestashop.hitasytech.com /etc/httpd/conf.d

FOUND!!!

Thanks _az for your simple question that pointed out that the web server did not answer on port 443 for the VirtualHost…
Here is the solution… and it is really stupid: my ssl.conf was loaded AFTER the virtualhost conf file. I just renamed my ssl.conf to 000_ssl.conf, reloaded the apache conf and now it is OK!!

How do I close this topic??

Just mark any response as an answer.

I am incredibly curious why apachectl -S didn't show the SSL vhost file for prestashop when it clearly existed ... I guess we'll never know.

The ssl.conf (now 000_ssl.conf :wink:) is loading mod_ssl, while the vhost files (for https) begin with an “IfModule mod_ssl.c”… All conf files that came before it were simply and silently ignored!
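An added check for the ordering failure described in this thread (not code from the poster, Certbot or Apache). It assumes a conf.d directory pulled in with a wildcard Include, that the file containing `LoadModule ssl_module` (ssl.conf on RHEL/CentOS) is where mod_ssl is loaded, and that Apache processes the files in byte-sorted order; it flags every `<IfModule mod_ssl.c>`-wrapped file read before that loader, and reproduces the thread's layout in a constructed temp directory.

```shell
#!/bin/sh
# Added check for the failure mode in this thread: Apache reads conf.d/*.conf in
# byte order, so a vhost file wrapped in <IfModule mod_ssl.c> that sorts before
# the file containing "LoadModule ssl_module" is silently skipped.
# Usage: check_ssl_order /etc/httpd/conf.d   (exit 0 = nothing skipped)
check_ssl_order() {
    dir=$1 loader="" rc=0
    LC_ALL=C; export LC_ALL           # glob order = strcmp order, as Apache sorts
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        if grep -Eq '^[[:space:]]*LoadModule[[:space:]]+ssl_module' "$f"; then
            loader=${f##*/}
            break                     # first loader in sorted order counts
        fi
    done
    if [ -z "$loader" ]; then
        echo "no 'LoadModule ssl_module' in $dir" >&2
        return 2
    fi
    for f in "$dir"/*.conf; do
        [ -e "$f" ] || continue
        name=${f##*/}
        [ "$name" = "$loader" ] && break   # files after the loader see mod_ssl
        if grep -Eq '<IfModule[[:space:]]+mod_ssl\.c>' "$f"; then
            echo "SKIPPED: $name is read before $loader but needs mod_ssl"
            rc=1
        fi
    done
    return $rc
}

# Constructed copy of the layout from the thread (not the poster's real files):
# returns 0 when the check flags the original layout and accepts the renamed one.
demo_prestashop_layout() {
    d=$(mktemp -d) || return 2
    printf 'LoadModule ssl_module modules/mod_ssl.so\nListen 443\n' > "$d/ssl.conf"
    printf '<IfModule mod_ssl.c>\n<VirtualHost *:443>\nServerName prestashop.hitasytech.com\n</VirtualHost>\n</IfModule>\n' \
        > "$d/prestashop.hitasytech.com-le-ssl.conf"
    printf '<VirtualHost *:80>\nServerName prestashop.hitasytech.com\n</VirtualHost>\n' \
        > "$d/prestashop.hitasytech.com.conf"
    if check_ssl_order "$d"; then rm -rf "$d"; return 1; fi   # must be flagged
    mv "$d/ssl.conf" "$d/000_ssl.conf"                         # the fix from the thread
    if check_ssl_order "$d"; then rc=0; else rc=1; fi
    rm -rf "$d"
    return $rc
}
```

Running `demo_prestashop_layout` prints one SKIPPED line for prestashop.hitasytech.com-le-ssl.conf before the rename and nothing after it.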

