Site serving a self signed certificate

Hi all,

I’ve recently tried to use Let’s Encrypt on an EC2 CentOS package but after going through the process my site is serving a self signed certificate (which is odd as I didn’t generate one).

My OS isn’t officially supported so I got the error: “letsencrypt-auto certonly

I then ran the following:
./letsencrypt-auto --text --agree-tos --email dan@myemail.com certonly --renew-by-default --webroot --webroot-path /var/www/html -d example.co.uk

Which ran fine.

I’ve installed mod_ssl and created a VirtualHost with the following in vhost.conf:

<VirtualHost *:443>
    ServerName pro01.co.uk
    DocumentRoot /var/www/html/example.co.uk

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.co.uk/chain.pem
</VirtualHost>

I’ve also updated the ssl.conf to include the following:

<VirtualHost _default_:443>

    # General setup for the virtual host, inherited from global configuration
    DocumentRoot "/var/www/html/example.co.uk"
    ServerName example.co.uk:443

However, when I connect to the site with https I get an error from my browser, “Can’t verify the identity”, and www.ssllabs.com reports a common name mismatch and shows “ip-123-12-12-12 MISMATCH”. (I’ve changed the IP.)

All in all I’m a bit stumped. Any help/advice would be appreciated.

Thanks,

Dan

I suggest looking through (maybe using grep?) all the configuration to see if it chooses a different certificate somewhere else in the config files. We’ve definitely had users before who discovered to their surprise that a default config was set to use a self-signed certificate (better than nothing) and so their settings hadn’t overridden that.

In particular, check your settings apply to the exact name of the virtual host you are visiting: www.example.com and example.com are similar to an end user, but the web server software cares about the difference.

Didn’t know how to run an appropriate grep command (bit of a Linux novice), but had an inkling which file to look in. Namely the aptly named ssl.conf.

In this file the “SSLCertificateFile” and “SSLCertificateKeyFile” were set to another, local certificate. I’ve also updated the “SSLCertificateChainFile”, which was blank but I’ve since populated with the details provided from the correct configuration details.

Think this resolves my issue. Thank you very much for the help.

You only need SSLCertificateChainFile set if you're using Apache <= 2.4.7, in which case it should point to chain.pem, and CertificateFile should be set to cert.pem. If you're using Apache >= 2.4.8, the CertificateFile should point to fullchain.pem, and the CertificateChainFile should be undefined.
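Both of the points raised in this thread (a default vhost still pointing at a distro self-signed certificate, and the Apache 2.4.8 change from cert.pem + chain.pem to fullchain.pem) can be checked with a small audit script rather than by eye. The following POSIX shell script is an added example and is not part of the thread or of Let’s Encrypt’s tooling. The sample config embedded in it is constructed for the demonstration; the /etc/pki/tls/... paths for the CentOS self-signed certificate and the /etc/letsencrypt/live/... layout are assumptions about a typical install, and the vhost names mirror the ones in the question.

```shell
#!/bin/sh
# Added example: audit Apache SSL vhosts for (a) certificates that are not
# under /etc/letsencrypt/live (e.g. a distro self-signed default) and
# (b) a cert/chain directive layout that does not match the Apache version.

# Constructed sample config (not the poster's real files). The first vhost
# imitates a stock ssl.conf that still points at the local self-signed cert.
SAMPLE_CONF='<VirtualHost _default_:443>
    ServerName example.co.uk:443
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost *:443>
    ServerName pro01.co.uk
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.co.uk/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.co.uk/chain.pem
</VirtualHost>'

# list_ssl_vhosts: read Apache config on stdin, print one line per
# <VirtualHost> block: "<listen-spec> <ServerName> <SSLCertificateFile>
# <SSLCertificateChainFile>", with "-" for a directive that is absent.
list_ssl_vhosts() {
    awk '
        /^[[:space:]]*<VirtualHost/ {
            spec = $2; sub(/>.*$/, "", spec); sn = "-"; cf = "-"; ch = "-"; next
        }
        /^[[:space:]]*ServerName/              { sn = $2 }
        /^[[:space:]]*SSLCertificateFile/      { cf = $2 }
        /^[[:space:]]*SSLCertificateChainFile/ { ch = $2 }
        /^[[:space:]]*<\/VirtualHost>/         { print spec, sn, cf, ch }
    '
}

# apache_wants_fullchain VERSION: succeed when Apache >= 2.4.8, i.e. when
# SSLCertificateFile should be fullchain.pem and SSLCertificateChainFile
# should be left unset; fail for older releases (cert.pem + chain.pem).
apache_wants_fullchain() {
    v=$1
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} )) -ge 20408 ]
}

# audit_vhosts VERSION: read config on stdin, print one finding per line.
audit_vhosts() {
    version=$1
    list_ssl_vhosts | while read -r spec sn cf ch; do
        case $cf in
            "-") echo "$sn ($spec): no SSLCertificateFile set"; continue ;;
            /etc/letsencrypt/live/*) ;;
            *) echo "$sn ($spec): SSLCertificateFile $cf is not a Let's Encrypt cert" ;;
        esac
        if apache_wants_fullchain "$version"; then
            [ "${cf##*/}" = fullchain.pem ] ||
                echo "$sn ($spec): Apache $version should use fullchain.pem, found ${cf##*/}"
            [ "$ch" = "-" ] ||
                echo "$sn ($spec): Apache $version should not set SSLCertificateChainFile"
        else
            [ "$ch" != "-" ] ||
                echo "$sn ($spec): Apache $version needs SSLCertificateChainFile (chain.pem)"
        fi
    done
}

# Stand-alone run: audit the constructed config for the given Apache version
# (CentOS 7 ships 2.4.6, so that is the default here).
printf '%s\n' "$SAMPLE_CONF" | audit_vhosts "${1:-2.4.6}"
```

On a real host, replace the embedded sample with `cat /etc/httpd/conf.d/*.conf /etc/httpd/conf/httpd.conf | audit_vhosts "$(httpd -v | sed -n 's#.*Apache/\([0-9.]*\).*#\1#p')"` (paths assumed for a CentOS layout). To confirm what the server actually hands out for a given name, `openssl s_client -connect example.co.uk:443 -servername example.co.uk` shows the certificate chosen for that SNI name, which is what SSL Labs compares against the hostname.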

Thanks Dan, I’ll take another look and make sure this is updated.
