I’ve recently tried to use Let’s Encrypt on an EC2 CentOS package, but after going through the process my site is serving a self-signed certificate (which is odd, as I didn’t generate one).
My OS isn’t officially supported so I got the error: “letsencrypt-auto certonly”
I then ran the following:
./letsencrypt-auto --text --agree-tos --email dan@myemail.com certonly --renew-by-default --webroot --webroot-path /var/www/html -d example.co.uk
Which ran fine.
I’ve installed mod_ssl and created a VirtualHost with the following in vhost.conf:
I’ve also updated the ssl.conf to include the following:
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/example.co.uk"
ServerName example.co.uk:443
</VirtualHost>
However, when I connect to the site with https I get an error from my browser, “Can’t verify the identity”, and www.ssllabs.com reports a common name mismatch and shows “ip-123-12-12-12 MISMATCH”. (I’ve changed the IP.)
All in all I’m a bit stumped. Any help/advice would be appreciated.
I suggest looking through (maybe using grep?) all the configuration to see if it chooses a different certificate somewhere else in the config files. We’ve definitely had users before who discovered to their surprise that a default config was set to use a self-signed certificate (better than nothing) and so their settings hadn’t overridden that.
In particular, check your settings apply to the exact name of the virtual host you are visiting: www.example.com and example.com are similar to an end user, but the web server software cares about the difference.
Didn’t know how to run an appropriate grep command (bit of a Linux novice), but had an inkling which file to look in. Namely the aptly named ssl.conf.
In this file “SSLCertificateFile” and “SSLCertificateKeyFile” were set to another, local certificate. I’ve also updated “SSLCertificateChainFile”, which was blank but which I’ve since populated with the details from the correct configuration.
Think this resolves my issue. Thank you very much for the help.
You only need SSLCertificateChainFile set if you're using Apache <= 2.4.7, in which case it should point to chain.pem, and CertificateFile should be set to cert.pem. If you're using Apache >= 2.4.8, the CertificateFile should point to fullchain.pem, and the CertificateChainFile should be undefined.
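The two things this thread turns on are (a) finding which certificate each `<VirtualHost>` actually serves and whether the ServerName matches the host you visit, and (b) the Apache version rule for `cert.pem`/`chain.pem` versus `fullchain.pem`. The script below is an added example, not code from the thread or from the Let's Encrypt project: it parses a constructed ssl.conf (modelled on the CentOS mod_ssl default, which is an assumption), and reports the same findings the answers above describe. The path `/etc/letsencrypt/live/` is the standard Certbot layout; the sample config text and the function names are mine.

```python
"""Audit SSL certificate directives per <VirtualHost> in an Apache config.

Added example; the config samples are constructed, not taken from the thread.
"""
import os
import re
from dataclasses import dataclass, field

LE_LIVE = "/etc/letsencrypt/live/"  # Certbot's standard live-certificate directory

# Constructed sample: the "before" state, distro self-signed cert still in use.
BEFORE_CONF = """\
Listen 443 https
<VirtualHost _default_:443>
# General setup for the virtual host, inherited from global configuration
DocumentRoot "/var/www/html/example.co.uk"
ServerName example.co.uk:443
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
"""

# Constructed sample: layout for Apache <= 2.4.7 (cert.pem + chain.pem).
OLD_APACHE_CONF = """\
<VirtualHost _default_:443>
ServerName example.co.uk:443
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.co.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.co.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.co.uk/chain.pem
</VirtualHost>
"""

# Constructed sample: layout for Apache >= 2.4.8 (fullchain.pem, no chain file).
NEW_APACHE_CONF = """\
<VirtualHost _default_:443>
ServerName example.co.uk:443
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/example.co.uk/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.co.uk/privkey.pem
</VirtualHost>
"""


@dataclass
class VHost:
    spec: str                                   # e.g. "_default_:443"
    directives: dict = field(default_factory=dict)  # lower-cased name -> value


def parse_vhosts(text):
    """Collect directives inside each <VirtualHost> block; comments are dropped."""
    vhosts, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            current = VHost(m.group(1).strip())
            vhosts.append(current)
        elif re.match(r"</VirtualHost>", line, re.I):
            current = None
        elif current is not None:
            parts = line.split(None, 1)
            if len(parts) == 2:
                current.directives[parts[0].lower()] = parts[1].strip().strip('"')
    return vhosts


def version_tuple(version):
    return tuple(int(x) for x in version.split("."))


def audit_vhost(vh, apache_version, expected_name):
    """Return a list of findings for one TLS vhost (empty list means it looks right)."""
    d, findings = vh.directives, []
    server = d.get("servername", "").split(":")[0]
    if server != expected_name:  # www.example.com vs example.com is a real difference
        findings.append(f"ServerName '{server}' does not match expected '{expected_name}'")
    cert, chain = d.get("sslcertificatefile"), d.get("sslcertificatechainfile")
    if cert is None:
        findings.append("no SSLCertificateFile: vhost inherits the global (possibly self-signed) setting")
        return findings
    if not cert.startswith(LE_LIVE):
        findings.append(f"SSLCertificateFile {cert} is not under {LE_LIVE} (likely the distro's self-signed default)")
    if version_tuple(apache_version) >= (2, 4, 8):
        if os.path.basename(cert) != "fullchain.pem":
            findings.append("Apache >= 2.4.8: SSLCertificateFile should point to fullchain.pem")
        if chain is not None:
            findings.append("Apache >= 2.4.8: SSLCertificateChainFile is obsolete; remove it")
    else:
        if os.path.basename(cert) != "cert.pem":
            findings.append("Apache <= 2.4.7: SSLCertificateFile should point to cert.pem")
        if chain is None or os.path.basename(chain) != "chain.pem":
            findings.append("Apache <= 2.4.7: SSLCertificateChainFile should point to chain.pem")
    return findings


def audit_config(text, apache_version, expected_name):
    """Map each TLS vhost spec to its findings; plain HTTP vhosts are skipped."""
    report = {}
    for vh in parse_vhosts(text):
        if ":443" in vh.spec or vh.directives.get("sslengine", "").lower() == "on":
            report[vh.spec] = audit_vhost(vh, apache_version, expected_name)
    return report


if __name__ == "__main__":
    for name, conf in [("before", BEFORE_CONF), ("old", OLD_APACHE_CONF), ("new", NEW_APACHE_CONF)]:
        for ver in ("2.4.6", "2.4.8"):
            print(name, ver, audit_config(conf, ver, "example.co.uk"))
```

Run against the real files with `open("/etc/httpd/conf.d/ssl.conf").read()` and the version from `httpd -v`; a non-empty findings list for the `_default_:443` vhost is exactly the situation the original poster hit, and an empty list for the vhost whose ServerName you actually browse to is what you want before re-testing on ssllabs.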