Server certificate problems

A little help please, as I'm newish to certs and their problems and cannot find the answer here (maybe I missed it).
I run a server at server.watchet.net and have run a certbot certificate for the server. However, the server is still looking in etc/ssl/certs for the certificate and I still cannot find where it is being called from (not any .conf file, as I've grepped for hours!)

So, I was just going to manually replace the certificate in the etc/ssl/certs folder with a letsencrypt one - but - the files I have in this folder are ca-bundle.crt // ca-bundle.trust.crt // localhost.crt - so I guess the localhost.crt is the main file.

My question is how if possible do I use a letsencrypt certificate to replace the .crt file?

Many thanks
John
UK

1 Like

Please excuse spelling above
used a mobile phone! No excuse!

don't. you don't need to.

run certbot install --apache

1 Like

PS

Certs are in etc/pki/tls/private and are localhost.key // watchetwebdesign.co.uk.csr // watchetwebdesign.co.uk.key

The webdesign is no longer used.

In /etc/pki/tls/certs is symbolic link to the folder in first part of post

Sorry
so confused!

1 Like

Forget about those.

What command did you run to obtain your Let's Encrypt certificates?

1 Like

Well, that's a big assumption. I guess your crystal ball works better than mine!

@JRWatchet can you confirm your webserver is Apache? If not, which webserver are you running? Which Linux distribution are we talking about?

(I checked the server response headers :wink:)

1 Like

Hi

certbot -d server.watchet.net --apache
CentOS 7 with full root access
found the link to these files in ssl.conf under /conf.d

1 Like

Smart! Not 100 %, but probably close enough :stuck_out_tongue:

2 Likes

ok, and the output was?

if you don't recall, run certbot certificates and tell us how many certificates certbot knows about

1 Like

The server.watchet.net certificates are there but if you use say firefox to view https://server.watchet.net then you will see it is looking at the certs mentioned above as there is a makefile with exactly the same text in it to make a self signed cert - which I do not want!

PS. messages crossed. There are 20 certs on the server all working properly. Ditto for the s.w.n as installed fine and no errors. All there in renewals etc when needed.

Problem is server is looking at these other files instead of reading the virtualhost entry in httpd.conf showing port 443 for ssl

```
ServerName server.watchet.net
DocumentRoot "/var/www/html"
DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /var/www/html>
Options +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
```

is in httpd.conf

=======================

ssl.conf though has

```
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
```

1 Like

copy/paste missed out the bracketed stuff in httpd.conf
obviously starts with IfModule and the virtual host

Please put configuration files between three backticks: ``` before and ``` after.

1 Like

ssl.conf

```
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
```

httpd.conf

```
# closing </Directory> and </VirtualHost> tags were dropped by the forum paste;
# restored here as described in the follow-up post
<VirtualHost 185.41.9.25:443 [fe80::216:3eff:fe6f:40b8]:443>
ServerName server.watchet.net
DocumentRoot "/var/www/html"
DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /var/www/html>
Options +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
</Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
</VirtualHost>
```

try again!
```
# closing </Directory> and </VirtualHost> tags were dropped by the forum paste;
# restored here as described in the follow-up post
<VirtualHost 185.41.9.25:443 [fe80::216:3eff:fe6f:40b8]:443>
ServerName server.watchet.net
DocumentRoot "/var/www/html"
DirectoryIndex index.html index.htm index.php index.php4 index.php5

<Directory /var/www/html>
Options +Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch
allow from all
AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
Require all granted
AddType application/x-httpd-php .php
</Directory>

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
</VirtualHost>

<VirtualHost 185.41.9.25:80 [fe80::216:3eff:fe6f:40b8]:80>
ServerName server.watchet.net
DocumentRoot /var/www/html
DirectoryIndex index.html index.htm index.php index.php4 index.php5
</VirtualHost>
```

1 Like
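The two config excerpts above raise the practical question of which virtual host, and therefore which certificate, Apache picks for a given connection. The following is an added example, not code from this thread, from Apache or from certbot: a Python script that parses Apache-style configuration text for `<VirtualHost>` blocks and applies Apache's documented selection rules (vhosts whose address matches the connection IP:port exactly beat `*`/`_default_` entries; among those candidates the ServerName/ServerAlias matching the SNI name wins; otherwise the first vhost defined for that address is the default). The sample input is constructed: the `_default_:443` host stands in for the default host a stock CentOS ssl.conf ships with, which the excerpt above does not show, and the second block mirrors the posted vhost.

```python
"""Audit which certificate each Apache SSL virtual host would serve.

Added example (not from the thread, Apache or certbot). Parses
<VirtualHost> blocks and applies Apache's selection rules: exact
IP:port match beats wildcard (*, _default_); within that set a
ServerName/ServerAlias match wins; otherwise the first vhost is default.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>\s*$", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>\s*$", re.IGNORECASE)
DIRECTIVE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile|SSLCertificateKeyFile)\s+(.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class VHost:
    source: str                        # file the block came from
    addresses: List[str]               # e.g. ["185.41.9.25:443", "[fe80::1]:443"]
    server_name: Optional[str] = None
    aliases: List[str] = field(default_factory=list)
    cert_file: Optional[str] = None
    key_file: Optional[str] = None


def parse_vhosts(text: str, source: str) -> List[VHost]:
    """Collect <VirtualHost> blocks in definition order; '#' comment lines are skipped."""
    vhosts: List[VHost] = []
    current: Optional[VHost] = None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = VHost(source=source, addresses=opened.group(1).split())
            continue
        if VHOST_CLOSE.match(line):
            if current is not None:
                vhosts.append(current)
            current = None
            continue
        if current is None:
            continue                   # global-scope directive, not part of any vhost
        found = DIRECTIVE.match(line)
        if not found:
            continue
        key, value = found.group(1).lower(), found.group(2).strip('"')
        if key == "servername":
            current.server_name = value
        elif key == "serveralias":
            current.aliases.extend(value.split())
        elif key == "sslcertificatefile":
            current.cert_file = value
        elif key == "sslcertificatekeyfile":
            current.key_file = value
    return vhosts


def which_vhost(vhosts: List[VHost], ip: str, port: int, name: Optional[str] = None) -> Optional[VHost]:
    """Exact-address candidates first, else wildcard ones; name match, else the first defined."""
    exact = [vh for vh in vhosts if f"{ip}:{port}" in vh.addresses]
    wildcard = [vh for vh in vhosts if f"*:{port}" in vh.addresses or f"_default_:{port}" in vh.addresses]
    candidates = exact or wildcard
    if not candidates:
        return None
    if name:
        for vh in candidates:
            if vh.server_name == name or name in vh.aliases:
                return vh
    return candidates[0]


def audit(vhosts: List[VHost]) -> List[str]:
    """One report line per vhost: source file, addresses, ServerName and certificate."""
    return [f"{vh.source}: {' '.join(vh.addresses)} ServerName={vh.server_name or '(none)'} "
            f"cert={vh.cert_file or '(none)'}" for vh in vhosts]


# Constructed samples. SAMPLE_SSL_CONF models the _default_ host a stock CentOS
# conf.d/ssl.conf ships with (assumed; the thread's excerpt shows only its cert
# directives). SAMPLE_HTTPD_CONF mirrors the vhost posted in the thread.
SAMPLE_SSL_CONF = """\
Listen 443 https
<VirtualHost _default_:443>
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

SAMPLE_HTTPD_CONF = """\
<VirtualHost 185.41.9.25:443 [fe80::216:3eff:fe6f:40b8]:443>
ServerName server.watchet.net
DocumentRoot "/var/www/html"
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/server.watchet.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/server.watchet.net/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/server.watchet.net/chain.pem
</VirtualHost>
"""


def load_samples() -> List[VHost]:
    # httpd.conf vhosts come first; the stock IncludeOptional conf.d/*.conf sits at its end
    return parse_vhosts(SAMPLE_HTTPD_CONF, "httpd.conf") + parse_vhosts(SAMPLE_SSL_CONF, "ssl.conf")


if __name__ == "__main__":
    hosts = load_samples()
    print("\n".join(audit(hosts)))
    for ip in ("185.41.9.25", "10.0.0.1"):
        chosen = which_vhost(hosts, ip, 443, "server.watchet.net")
        print(f"server.watchet.net via {ip}:443 -> {chosen.cert_file if chosen else 'no vhost'}")
```

Run with `python3 audit_vhosts.py`: the first lookup shows the Let's Encrypt certificate answering for connections that arrive on the listed IP, the second shows the localhost.crt default answering on any address the explicit vhost does not cover. To check the parser against Apache's own view of the merged configuration, compare its report with the output of `apachectl -S`.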

seems to be missing out brackets etc
so starts with IfModule mod_ssl.c
and after the ssl lines end IfModule end Virtualhost
there is also an end virtual host at the very bottom

forget about ssl.conf too, for this moment.

run apachectl configtest

if that does not complain, systemctl reload apache (or however it’s called on centos, httpd maybe?) don’t do this if the previous command complains, apache will stop.

1 Like

Already tried a lot of different configurations, some broke apache some didn't but still did not sort anything out (I run an FTP client at the root and edit files that way, as it's easier than vi etc.) then constantly restart apache to see what works and what doesn't.

All is happy at the moment but Dovecot was using this fake cert so managed to reconfigure that to use the main server.watchet.net cert so that bit solved.

However, the https:// to the server still shows accessing the cert in the pki folder and grepping everywhere the ONLY file that refers to that cert is the ssl.conf file.

Somehow I have to create the pair of certs for this location so that the server and localhost are served

john

You started from this document here, right?

https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html

(and for apache 2.2 https://httpd.apache.org/docs/2.2/ssl/ssl_howto.html)

1 Like