[Solved] Beta, No trusted certificate

You mean:
“cat /tmp/lets-encrypt-x1-cross-signed.pem >> /etc/letsencrypt/live/anzahcloud.de/cert.pem”

Then my Apache crashes.

Ok, what about specifying the original cert in Apache and using the solution in the topic linked above?

Sorry, I don't understand what you mean.

cat /tmp/lets-encrypt-x1-cross-signed.pem >> /etc/letsencrypt/live/anzahcloud.de/cert.pem has modified your cert in /etc/letsencrypt/live/anzahcloud.de/cert.pem. So you should either:

  • restore a backup,
  • delete the LE X1 cert block (delimited by -----BEGIN/END CERTIFICATE----- lines) from your cert; it should be the bottommost such block
  • just re-get the cert (re-run letsencrypt)

I was referring to this solution: add SSLCertificateChainFile /etc/letsencrypt/lets-encrypt-x1-cross-signed.pem (or similar) to your Apache conf.

I know, I have rolled back /etc/letsencrypt/live/anzahcloud.de/cert.pem; that's not the problem, it was only for information.

OK, I have written it in my conf and now I have a valid cert; only the SSL test is confused: “Prefix handling Not valid for “www.anzahcloud.de” CONFUSING”

<IfModule mod_ssl.c>
<VirtualHost 176.9.90.67:443>
        ServerName anzahcloud.de
        ServerAdmin tealk@anzahcraft.de
        DocumentRoot /var/www/owncloud/
        <Directory /var/www/owncloud/>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                Allow from all
                Satisfy Any
        </Directory>

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>
        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        ErrorLog ${APACHE_LOG_DIR}/error.log
        LogLevel warn
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLEngine on

        SSLProtocol             all -SSLv2 -SSLv3
        SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
        SSLHonorCipherOrder     on
        SSLCompression          off

        ServerSignature Off

        SSLCertificateFile /etc/letsencrypt/live/anzahcloud.de/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/anzahcloud.de/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/lets-encrypt-x1-cross-signed.pem
</VirtualHost>

</IfModule>

Did you run letsencrypt with -d anzahcloud.de -d www.anzahcloud.de for this certificate?

No, only with -d anzahcloud.de

Well, try it with both domains specified - should yield a SAN cert.

OK, it looks like it ran. And I only need one apache.conf for www.anzahcloud.de, and anzahcloud.de is included?

Yeah, if your cert includes both www and non-www, one apache config file will do the thing.
I recommend you read this if you want to configure strong SSL: https://books.google.com/books?id=fQOLBAAAQBAJ&lpg=PA317&ots=sFfqVNEdG4&dq=Bulletproof%20SSL%20and%20TLS%20download&hl=fr&pg=PA477#v=onepage&q&f=false
Also, https://cipherli.st/ might be useful later if you need to configure SSL over Dovecot, Postfix, or others.
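
An added example (not part of the thread and not any poster's or Let's Encrypt's code) of the hostname check behind the “Not valid for www.anzahcloud.de” result: a certificate only covers the names listed in its subjectAltName. It assumes the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and the three sample certificates are constructed for illustration.

```python
# Added example: which hostnames does a certificate's SAN list cover?
# Input shape follows ssl.SSLSocket.getpeercert(); all sample data is constructed.

def san_dns_names(cert):
    """Return the lower-cased dNSName entries of a getpeercert()-style dict."""
    return [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Match one SAN entry against a hostname, RFC 6125 style.

    A wildcard counts only as the whole left-most label and stands for
    exactly one label, so *.example.org covers neither example.org
    nor a.b.example.org.
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse wildcards directly under a single label (e.g. "*.de").
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def uncovered(cert, hosts):
    """Hostnames from `hosts` that no SAN entry in `cert` matches."""
    sans = san_dns_names(cert)
    return [h for h in hosts if not any(name_matches(s, h) for s in sans)]

# Names the Apache vhost is expected to serve.
WANTED = ["anzahcloud.de", "www.anzahcloud.de"]

# Constructed stand-ins for the two issuance runs described in the thread.
CERT_ONE_NAME = {"subjectAltName": (("DNS", "anzahcloud.de"),)}
CERT_BOTH = {"subjectAltName": (("DNS", "anzahcloud.de"),
                                ("DNS", "www.anzahcloud.de"))}
# Hypothetical wildcard certificate, included to show the apex edge case.
CERT_WILDCARD = {"subjectAltName": (("DNS", "*.anzahcloud.de"),)}

if __name__ == "__main__":
    for label, cert in [("-d anzahcloud.de only", CERT_ONE_NAME),
                        ("both -d options", CERT_BOTH),
                        ("wildcard (hypothetical)", CERT_WILDCARD)]:
        missing = uncovered(cert, WANTED)
        print(f"{label}: {'all names covered' if not missing else 'missing ' + ', '.join(missing)}")
```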
