Someone please help me! my site not secure anymore

chit164 · June 22, 2023, 1:32pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: nblp.moph.go.th

I ran this command:certbot --apache

It produced this output:
Which names would you like to activate HTTPS for?

1: nblp.moph.go.th

Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Renewing an existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.

1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.

Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Created redirect file: le-redirect-nblp.moph.go.th.conf
Rollback checkpoint is empty (no changes made?)

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://nblp.moph.go.th

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=nblp.moph.go.th

IMPORTANT NOTES:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nblp.moph.go.th-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nblp.moph.go.th-0002/privkey.pem
Your cert will expire on 2023-09-20. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew all of
your certificates, run "certbot renew"
If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

root@nblp:/etc/apache2/sites-available# cd /etc/letsencrypt/live/

My web server is (include version):apache // ubuntu20.04

The operating system my web server runs on is (include version): ubuntu20.04

My hosting provider, if applicable, is: my own.

I can login to a root shell on my machine (yes or no, or I don't know): yes.

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):0.40

MikeMcQ · June 22, 2023, 1:59pm

Welcome to the community @chit164

I see your domain is using an expired cert and not the current one. Something is wrong with your Apache config.

Can you show results of these two commands.

certbot certificates

apache2ctl -t -D DUMP_VHOSTS

chit164 · June 22, 2023, 2:37pm

root@nblp:/etc/letsencrypt/live/nblp.moph.go.th-0002# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/nblp.moph.go.th-0001.conf produced an unexpected error: expected /etc/letsencrypt/live/nblp.moph.go.th-0001/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/nblp.moph.go.th.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.

Found the following certs:
Certificate Name: nblp.moph.go.th-0002
Domains: nblp.moph.go.th
Expiry Date: 2023-09-20 12:18:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/nblp.moph.go.th-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nblp.moph.go.th-0002/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/nblp.moph.go.th-0001.conf
/etc/letsencrypt/renewal/nblp.moph.go.th.conf

root@nblp:/etc/letsencrypt/live/nblp.moph.go.th-0002#

root@nblp:/etc/letsencrypt/live/nblp.moph.go.th-0002# apache2ctl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 nblp.moph.go.th (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
root@nblp:/etc/letsencrypt/live/nblp.moph.go.th-0002#

MikeMcQ · June 22, 2023, 2:41pm

Would you show the contents of this file? Please put 3 backticks before and after to retain all the settings like

```
contents of conf file
```

chit164 · June 22, 2023, 3:04pm

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        #ServerName www.example.com

        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
RewriteEngine on
RewriteCond %{SERVER_NAME} =nblp.moph.go.th
RewriteRule ^ http://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

ServerName nblp.moph.go.th
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/nblp.moph.go.th-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/nblp.moph.go.th-0002/privkey.pem
</VirtualHost>
</IfModule>

MikeMcQ · June 22, 2023, 3:15pm

First, this should not be there. You are redirecting HTTPS requests back to the insecure HTTP

I also wonder why the DUMP_VHOSTS did not show any VHost for port 80. Yet, HTTP requests work.

You should remove the redirect from the HTTPS VHost and restart your server. There are still several problems to resolve but do this should get a working HTTPS at least.

rg305 · June 22, 2023, 3:22pm

That needs to be corrected.

chit164 · June 22, 2023, 3:31pm

how can I point to the new one --> nblp.moph.go.th-0002 certificate. It only read for an old dir 001
pls. suggest me.
can I change the path to 002 directly. And Happy birthday of your day too rg305.

MikeMcQ · June 22, 2023, 3:38pm

Your Apache VHost already is pointing to the -0002 folder. See your earlier post.

The problem with the -0001 is a problem affecting cert renewals, not HTTPS for your domain right now.

chit164 · June 22, 2023, 3:46pm

So Delete 001 everythings will be back to OK?

rg305 · June 22, 2023, 4:01pm

If/when you want to delete anything, use certbot [don't do it yourself]:
certbot delete --cert-name nblp.moph.go.th-0001

Be sure that nothing is using the cert you want to delete.

chit164 · June 22, 2023, 4:29pm

It comes from my lack of Knowledge my faults. I've to call it a day so tired of exhausted. Thanks a lot, guys. See You then.

system · July 22, 2023, 4:30pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.