[solved] Server's certificates are not trusted

Hello!

So I’ve spent about four or five hours looking through various forums attempting everything mentioned to get this fixed. In short I’m running openSUSE Leap 42.3 with Apache 2.4.23. I utilized the certbot tool to create the certificates for my domain, which seemingly went fine. However I can’t seem to get the actual certificates to become trusted. Below is my SSL virtual host config (the only vhost file I have). I’ve checked through other various config files for any possible overwrite I may have overlooked, but I can’t find anything.

<IfDefine SSL>
<IfDefine !NOSSL>

##
## SSL Virtual Host Context
##
Listen 443
<VirtualHost *:443>

        #  General setup for the virtual host
        DocumentRoot "/srv/www/htdocs"
        ServerName domain.com
        ServerAdmin email@email.com
        ErrorLog /var/log/apache2/error_log
        TransferLog /var/log/apache2/access_log

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   You can use per vhost certificates if SNI is supported.
        SSLCertificateFile /etc/certbot/live/domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/certbot/live/domain.com/privkey.pem
        #SSLCertificateChainFile /etc/certbot/live/domain.com/fullchain.pem

        #   Per-Server Logging:
        #   The home of a custom SSL log file. Use this when you want a
        #   compact non-error SSL logfile on a virtual host basis.
        CustomLog /var/log/apache2/ssl_request_log ssl_combined


        ServerAlias domain.com
</VirtualHost>

</IfDefine>
</IfDefine>

Thanks in advance for the help everyone! Also, I understand this isn’t exactly an uncommon post. I promise I searched through this specific forum and tried various posts in an attempt to fix the problem. Posting is always the last thing I do as I try and not bother busy devs/people when I can try and fix a problem myself. Anyways, let me know if you need any more information from me.

domain.com?
Really?

Try:
certbot certificates

Yes, I changed it and took out ‘personal’ information before posting. It’s a placeholder for my actual domain. Same with the email

we don’t need your email.
but without the actual domain name (which is public information in the issued cert), it is very difficult to assist.


Found the following certs:
  Certificate Name: domain.com
    Domains: domain.com
    Expiry Date: 2018-01-02 00:48:12+00:00 (INVALID: TEST_CERT)
    Certificate Path: /etc/certbot/live/domain.com/fullchain.pem
    Private Key Path: /etc/certbot/live/domain.com/privkey.pem
-------------------------------------------------------------------------------

that is the output of the command, unedited.

Please explain this statement more thoroughly.

Anytime I load the page it acts similar to when I had a self-issued certificate, for basic SSL. When checking information on the SSL Labs site, it points out that it’s simply not trusted. I read through the various options they listed and searched around to see what I could do about each one, but didn’t have much luck.

the cert in use is from the staging/test system
not from the production system

show the command you ran to get the cert

sudo certbot --apache -d domain.com

because it is…

I apologize for my ignorance. How should I go about removing what’s currently there and generating proper certificates then?

There is a file that saves the certbot parameters…
looking for that now.

did you happen to use the “--staging” flag at any point?

No I did not. I only executed the command I sent and the one you requested.

look in the
/etc/letsencrypt/renewal
folder for the cert name folder
show those contents (you can exclude the account #)

# renew_before_expiry = 30 days
version = 0.15.0
archive_dir = /etc/certbot/archive/domain.com
cert = /etc/certbot/live/domain.com/cert.pem
privkey = /etc/certbot/live/domain.com/privkey.pem
chain = /etc/certbot/live/domain.com/chain.pem
fullchain = /etc/certbot/live/domain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
rsa_key_size = 4096
account = --
server = https://acme-staging.api.letsencrypt.org/directory

I’ll remove it later, just in case someone else pops in. Didn’t think it was needed at first. I don’t mind having it up for a while.

change that to:
server = https://acme-v01.api.letsencrypt.org/directory
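The check the thread walks through by hand (open the renewal file, look at the `server =` line, swap the staging endpoint for the production one) can be scripted. The block below is an added example, not certbot's own code and not posted by anyone in the thread. It parses a copy of the renewal file shown above (constructed inline, account redacted), classifies the ACME directory URL, and rewrites it to the production endpoint recommended above. The staging and `acme-v01` URLs come from the thread; the `v02` pair is an assumption about later certbot versions and is not on this page.

```python
"""Detect a staging-issued certificate from its certbot renewal config.

Added example for this thread; not certbot's code and not the thread's.
It re-implements only enough of the renewal-file format to answer one
question: does this lineage point at the Let's Encrypt staging endpoint?
"""
from urllib.parse import urlsplit

STAGING_HOSTS = {
    "acme-staging.api.letsencrypt.org",      # seen in the thread
    "acme-staging-v02.api.letsencrypt.org",  # assumption: ACMEv2 staging
}
PRODUCTION_HOSTS = {
    "acme-v01.api.letsencrypt.org",          # seen in the thread
    "acme-v02.api.letsencrypt.org",          # assumption: ACMEv2 production
}
# The production endpoint the thread recommends switching to.
PRODUCTION_SERVER = "https://acme-v01.api.letsencrypt.org/directory"

# Constructed sample: the renewal file posted in the thread, account redacted.
SAMPLE_RENEWAL_CONF = """\
# renew_before_expiry = 30 days
version = 0.15.0
archive_dir = /etc/certbot/archive/domain.com
cert = /etc/certbot/live/domain.com/cert.pem
privkey = /etc/certbot/live/domain.com/privkey.pem
chain = /etc/certbot/live/domain.com/chain.pem
fullchain = /etc/certbot/live/domain.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = apache
installer = apache
rsa_key_size = 4096
account = --
server = https://acme-staging.api.letsencrypt.org/directory
"""


def parse_renewal_conf(text):
    """Parse the INI-like renewal file into {section: {key: value}}.

    Keys before the first [section] header (cert, privkey, ...) go under
    the empty section name "". configparser is not used because it rejects
    key/value lines that precede the first header.
    """
    sections = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        sections[current][key.strip()] = value.strip()
    return sections


def endpoint_kind(server_url):
    """Return 'staging', 'production' or 'unknown' for an ACME directory URL."""
    host = (urlsplit(server_url).hostname or "").lower()
    if host in STAGING_HOSTS:
        return "staging"
    if host in PRODUCTION_HOSTS:
        return "production"
    return "unknown"


def check_renewal_conf(text):
    """Summarise whether this lineage was issued by, and renews against, staging."""
    cfg = parse_renewal_conf(text)
    server = cfg.get("renewalparams", {}).get("server", "")
    kind = endpoint_kind(server)
    return {
        "server": server,
        "kind": kind,
        "staging": kind == "staging",
        # Browsers never trust the staging issuer, so a staging lineage is the
        # first thing to rule out when a certbot cert shows up as untrusted.
        "suggested_server": PRODUCTION_SERVER if kind == "staging" else server,
        "fullchain": cfg[""].get("fullchain"),
    }


def rewrite_server(text, new_server):
    """Return the config text with the [renewalparams] server line replaced."""
    out, in_params = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_params = line[1:-1].strip() == "renewalparams"
        elif in_params and line.partition("=")[0].strip() == "server":
            raw = "server = " + new_server
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    report = check_renewal_conf(SAMPLE_RENEWAL_CONF)
    print("server:", report["server"], "->", report["kind"])
    if report["staging"]:
        print("staging lineage; switch to", report["suggested_server"])
```

Editing the renewal file only changes which endpoint future renewals talk to; the certificate already on disk is still the staging one, which is why the thread goes on to rerun certbot and reinstall or replace the certificate afterwards.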

Alright I switched it over. And also the domain is still up in your picture :stuck_out_tongue:

rerun the
sudo certbot --apache -d domain.com

Should I renew & replace, or just reinstall existing certificates? I’m guessing the first option

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
You've asked to renew/replace a seemingly valid certificate with a test certificate (domains: domain.com). We will not do that unless you use the --break-my-certs flag!

Should I go ahead with that?

try 1 first
restart apache if needed