[SOLVED] LetsEncrypt Issues Self-Signed Certificate


#1

On my new VPS I issued an SSL certificate for my website and now I’m getting issues with an invalid self-signed being issued instead of an actual Lets Encrypt certificate.

In this case, I have these issues going on:

Google Chrome:
Subject Alternative Name missing
The certificate for this site does not contain a Subject Alternative Name extension containing a domain name or IP address.

Now when I do openssl s_client -connect starprison.net:443 </dev/null or openssl s_client -connect starprison.net:443 </dev/null
The certificate information shows as invalid including the client certificate CA not being sent.

Now here’s what I did:

  1. Ran sudo certbot run to begin installing the SSL certificate for my domain
  2. SSL certificate installs successfully, however issues start to arise when I head to the internet
  3. First off, I have the issue from the Google Chrome section including the certificate showing as self-signed
  4. Then I go to SSLLabs and I receive this result: https://www.ssllabs.com/ssltest/analyze.html?d=starprison.net&hideResults=on

System:
Centos 7
Apache 2.4

I’ve tried various different methods and researched on Google and this forum and cannot figure it out. Any help would be appreciated!


#3

Please share your /var/log/letsencrypt/letsencrypt.log file; it should give us a clue as to what went wrong with the certificate installation.

It may be too long to paste here. If so, you can use a service like gist.github.com or pastebin.com and link to it here.


#4

Here is my letsencrypt.log file: https://hastebin.com/weyaxikane.cs


#5

Hi @masterhova,

Today, servers use SNI for serving certificates for different virtual hosts sharing the same IP, so the command that you should use to check your certificate is:

openssl s_client -connect starprison.net:443 -servername starprison.net </dev/null

or if you want to see the certificate details:

openssl s_client -connect starprison.net:443 -servername starprison.net </dev/null | openssl x509 -noout -text

If you don’t use the -servername parameter, your web server will provide the default certificate.

This won’t solve your issue but keep in mind for future checks ;).

Could you please show your Apache conf for virtual host starprison.net (both for port 80 and port 443)?

Also, could you please show the output of this command (as root)?

ls -lR /etc/letsencrypt/

Cheers,
sahsanu


#6

I will get that all to you later today.


#7

Hey, here’s all the requested information:

starprison.net.conf (port 80)
starprison.net-le-ssl.conf (port 443)
Output of ls -lR /etc/letsencrypt


#8

Those look fine - the Include /etc/letsencrypt/options-ssl-apache.conf is repeated more times than necessary, but it doesn’t seem like that would cause the problem you’re experiencing. I’d guess the problem is elsewhere in your configuration.

To help determine where, could you please post the output of:

apachectl -S


#9

Here’s the apachectl -S output: https://hastebin.com/wuxikuyeha.bash


#10

Okay, looks like you’ve got another VirtualHost for the same domain name in /etc/httpd/conf.d/ssl.conf that seems to be taking precedence over the one in /etc/httpd/sites-available/starprison.net-le-ssl.conf. You can either remove it, or modify it to match the SSL configuration options from the correct one.
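The diagnosis above (a second VirtualHost for the same ServerName on port 443 winning over the certbot-written one) can be automated by reading `apachectl -S` output. The script below is an added example, not code from the thread or from certbot; the sample output it parses is constructed to mirror the layout `apachectl -S` prints, and its file paths and line numbers are illustrative. It groups every `namevhost` (and `alias`) entry by port and name and reports names declared more than once, since Apache serves the first matching VirtualHost in configuration order and silently ignores the later one together with its certificate.

```python
"""Flag duplicate (shadowed) Apache name-based VirtualHosts in `apachectl -S` output.

Added example, not part of the original thread. Apache picks the first
VirtualHost whose ServerName/ServerAlias matches the requested host on a
given port, so a later definition (e.g. the one certbot wrote with the
Let's Encrypt certificate) is never used.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on `apachectl -S` layout; paths and line
# numbers are illustrative, not taken from the thread's logs.
SAMPLE_APACHECTL_S = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server starprison.net (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost starprison.net (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost starprison.net (/etc/httpd/sites-available/starprison.net-le-ssl.conf:2)
                 alias www.starprison.net
*:80                   is a NameVirtualHost
         default server starprison.net (/etc/httpd/sites-available/starprison.net.conf:1)
         port 80 namevhost starprison.net (/etc/httpd/sites-available/starprison.net.conf:1)
ServerRoot: "/etc/httpd"
"""

# One line per VirtualHost:  "port 443 namevhost example.org (/path/file.conf:12)"
VHOST_RE = re.compile(
    r"^\s*port (?P<port>\d+) namevhost (?P<name>\S+) \((?P<file>[^:]+):(?P<line>\d+)\)"
)
# ServerAlias entries are printed indented beneath their VirtualHost.
ALIAS_RE = re.compile(r"^\s*alias (?P<name>\S+)\s*$")


def parse_vhosts(text):
    """Return [(port, name, file, line), ...] in configuration order.

    Aliases inherit the port/file/line of the namevhost line above them.
    """
    entries = []
    current = None  # (port, file, line) of the most recent namevhost line
    for raw in text.splitlines():
        m = VHOST_RE.match(raw)
        if m:
            current = (int(m["port"]), m["file"], int(m["line"]))
            entries.append((current[0], m["name"], current[1], current[2]))
            continue
        m = ALIAS_RE.match(raw)
        if m and current is not None:
            entries.append((current[0], m["name"], current[1], current[2]))
    return entries


def find_shadowed(entries):
    """Map (port, name) -> ["file:line", ...] for names defined more than once.

    The first element of each list is the definition Apache will actually use.
    """
    by_key = OrderedDict()
    for port, name, path, line in entries:
        # ServerName matching is case-insensitive, so normalise the key.
        by_key.setdefault((port, name.lower()), []).append(f"{path}:{line}")
    return {key: defs for key, defs in by_key.items() if len(defs) > 1}


def report(text):
    """Human-readable findings, one line per shadowed (port, name) pair."""
    findings = []
    for (port, name), defs in find_shadowed(parse_vhosts(text)).items():
        findings.append(
            f"{name}:{port} is defined {len(defs)} times; Apache will use {defs[0]} "
            f"and ignore {', '.join(defs[1:])}"
        )
    return findings


if __name__ == "__main__":
    # Pipe real output in with: apachectl -S 2>&1 | python3 this_script.py
    import sys
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_APACHECTL_S
    for line in report(source) or ["no shadowed VirtualHosts found"]:
        print(line)
```

Run against the sample it prints a single finding pointing at ssl.conf as the winner and the -le-ssl.conf file as the ignored definition, which is exactly the situation resolved in this thread. The same check is worth running after any certbot `--apache` install on a distribution that ships a default `ssl.conf` VirtualHost.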


#11

Thank you! I ended up commenting out the default SSL VHost file, reloaded Apache and everything is working properly!

