Site showing insecure even after renewing certs


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: there are two domains xxx-stg.yyy.com and zzz-stg.xxx.com.

I ran this command: ./certbot-auto renew

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Processing /etc/letsencrypt/renewal/xxx-stg.yyy.com.conf

Cert not yet due for renewal

Processing /etc/letsencrypt/renewal/zzz-stg.xxx.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/emcards-stg.venuetize.com/fullchain.pem expires on 2019-06-30 (skipped)
/etc/letsencrypt/live/emkit-stg.emcards.com/fullchain.pem expires on 2019-06-30 (skipped)
No renewals were attempted.


My web server is (include version): 2.2.32

The operating system my web server runs on is (include version): Amazon Linux AMI 2018.03

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.32.0

I have renewed my SSL certs, but it still shows that my website is insecure. Could you please let me know if having two domains on the same server is the issue? If yes, can you please help me resolve the issue, and please let me know if there is any way to provide the domain name privately.


#2

Hi @nagsp

if you want help, you should share your domain names. Domains are public, so there is nothing secret.

We have a list of online tools you can use:


#3

Hi @nagsp,

If you used --standalone or certonly (so that Certbot isn’t directly managing an installation of the certificate into your web server), you have to restart or reload the web server yourself after each renewal. Most web server applications don’t notice when the underlying certificates have changed, so they have to be told.

This isn’t the case when using --apache (without certonly), which will install the certificate for you and which will then reload Apache on every renewal.


#4

emcards-stg.venuetize.com and emkit-stg.emcards.com


#5

I have restarted httpd but no luck.


#6

If you run certbot certificates, you can see the locations and status of all of the certificates; then you could check in your Apache configuration to see if Apache is pointed directly at the files in live (which is the intended way for it to be set up).


#7

Checked your first domain; there is a self-signed certificate ( https://check-your-website.server-daten.de/?q=emcards-stg.venuetize.com ):

E=root@emcards-stg.venuetize.com,
CN=emcards-stg.venuetize.com,
OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
10.10.2018
10.10.2019
expires in 192 days

A Letsencrypt certificate exists:

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1089507090 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-01-07 13:45:27 2019-04-07 12:45:27 emcards-stg.venuetize.com
846281182 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-10-10 16:35:06 2019-01-08 17:35:06 emcards-stg.venuetize.com
846111690 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2018-10-10 16:24:45 2019-01-08 17:24:45 emcards-stg.venuetize.com

but it expires 2019-04-07.

Looks like you have used the older Letsencrypt certificate.

Perhaps use

certbot -d emcards-stg.venuetize.com

so Certbot may ask if you want to reinstall that certificate.


#8

I re-installed it, but it still shows the website is not secure.


#9

Your second certificate ( https://check-your-website.server-daten.de/?q=emkit-stg.emcards.com ):

There is the same self-signed certificate. Looks like a standard vHost is used, not a vHost with that name.

E=root@emcards-stg.venuetize.com,
CN=emcards-stg.venuetize.com,
OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
10.10.2018
10.10.2019
expires in 192 days

But there is one new certificate:

CRT-Id Issuer not before not after Domain names LE-Duplicate next LE
1337989914 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-04-01 13:03:47 2019-06-30 13:03:47 emkit-stg.emcards.com duplicate nr. 1
1089569538 CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US 2019-01-07 14:10:51 2019-04-07 13:10:51 emkit-stg.emcards.com

After using Certbot, restart your Apache.


#10

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/emkit-stg.emcards.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/emkit-stg.emcards.com/privkey.pem
Your cert will expire on 2019-06-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot-auto
again with the “certonly” option. To non-interactively renew all
of your certificates, run “certbot-auto renew”


#11

I have renewed the cert, but still no luck.


#12

If you use certonly, the certificate isn’t installed.

https://emkit-stg.emcards.com/ works now.

But

https://emcards-stg.venuetize.com/

has the emkit-certificate. But if you use certonly, there is no installation.


#13

How can I resolve this for emcards-stg.venuetize.com to make it work?


#14

Check your vHosts.

There must be two or three rows like

 SSLCertificateFile /path/to/www_yoursite_com.crt
 SSLCertificateKeyFile /path/to/www_yoursite_com.key
 SSLCertificateChainFile /path/to/DigiCertCA.crt

There you must use the correct path + filename, the result of

certbot certificates

#15

I used the following command “certbot-auto certonly --standalone --preferred-challenges http -d emcards-stg.venuetize.com” but still no luck.


#16

SSLCertificateFile /etc/letsencrypt/live/emcards-stg.venuetize.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/emcards-stg.venuetize.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/emcards-stg.venuetize.com/chain.pem

SSLCertificateFile /etc/letsencrypt/live/emkit-stg.emcards.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/emkit-stg.emcards.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/emkit-stg.emcards.com/chain.pem

certbot-auto certificates

Certificate Name: emcards-stg.venuetize.com
Domains: emcards-stg.venuetize.com
Expiry Date: 2019-06-30 17:01:06+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/emcards-stg.venuetize.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/emcards-stg.venuetize.com/privkey.pem
Certificate Name: emkit-stg.emcards.com
Domains: emkit-stg.emcards.com
Expiry Date: 2019-06-30 16:45:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/emkit-stg.emcards.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/emkit-stg.emcards.com/privkey.pem

Seems they are present in vhosts file. Do you want me to make the changes to my vhosts file with correct name?


#17

You have two new certificates.

So check the vHost of your working domain -> same with your other domain, restart the server.


#18

Sir, both the configurations are same in the vhosts file. Do you want me to check anything else?


#19

Then one vHost isn’t used.

What says

apache2ctl -S 

#20

VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server emkit-stg.emcards.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost emkit-stg.emcards.com (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK
You have mail in /var/spool/mail/root
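As an added example (not code from anyone in this thread), a small Python script that cross-checks the `certbot certificates` listing from #16 against the `apache2ctl -S` / `httpd -S` output from #20: any domain that has a certificate but no `port 443 namevhost` entry (or `alias`) is answered by the default server and therefore gets that server's certificate, which is the symptom seen above. Both inputs are constructed, abridged copies of what was posted; the `_default_` spelling in the header line is assumed from standard httpd output.

```python
import re

# Constructed sample inputs, abridged from what was posted in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: emcards-stg.venuetize.com
  Domains: emcards-stg.venuetize.com
  Certificate Path: /etc/letsencrypt/live/emcards-stg.venuetize.com/fullchain.pem
Certificate Name: emkit-stg.emcards.com
  Domains: emkit-stg.emcards.com
  Certificate Path: /etc/letsencrypt/live/emkit-stg.emcards.com/fullchain.pem
"""

HTTPD_S_OUTPUT = """\
VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:443                  is a NameVirtualHost
         default server emkit-stg.emcards.com (/etc/httpd/conf.d/ssl.conf:74)
         port 443 namevhost emkit-stg.emcards.com (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK
"""


def certbot_domains(text):
    """Every name listed on a 'Domains:' line of certbot certificates output."""
    domains = set()
    for line in text.splitlines():
        m = re.match(r"\s*Domains:\s*(.+)", line)
        if m:
            domains.update(m.group(1).split())
    return domains


def tls_vhosts(text):
    """Map each ServerName/ServerAlias of a port-443 name-based vhost to its config location."""
    vhosts, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*port (\d+) namevhost (\S+) \((.+)\)", line)
        if m:                       # a new vhost starts; only keep it if it listens on 443
            current = m.group(3) if m.group(1) == "443" else None
            if current:
                vhosts[m.group(2)] = current
            continue
        m = re.match(r"\s*alias (\S+)", line)
        if m and current:           # alias lines belong to the vhost above them
            vhosts[m.group(1)] = current
    return vhosts


def missing_tls_vhosts(certbot_text, httpd_text):
    """Domains that have a certificate on disk but no vhost on port 443 to serve it."""
    return sorted(certbot_domains(certbot_text) - set(tls_vhosts(httpd_text)))


if __name__ == "__main__":
    for d in missing_tls_vhosts(CERTBOT_OUTPUT, HTTPD_S_OUTPUT):
        print(f"{d}: no <VirtualHost *:443> with ServerName {d}; clients get the default server's cert")
```

On the real box, feed it the live output (`certbot certificates` and `apachectl -S`) instead of the embedded samples.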