SSL Certificate is not trusted (certbot/Centos)

Help
#1

My domain is: blocks.telos.kitchen

I ran this command: Checking SSL certificate via online checkers, or just hitting "https://blocks.telos.kitchen"

It produced this output: “The certificate is no signed by a trusted authority”

My web server is (include version): Apache latest

The operating system my web server runs on is (include version): Centos 7

My hosting provider, if applicable, is: Dedicated server

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.35.1

I am also using Virtual Hosts like this:

<VirtualHost *:443>
    ServerName blocks.telos.kitchen
    ServerAlias blocks.telos.kitchen
    DocumentRoot /var/www/blocks.telos.kitchen/html
    SSLEngine on
    ErrorLog /var/www/blocks.telos.kitchen/log/error.log
    CustomLog /var/www/blocks.telos.kitchen/log/requests.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/blocks.telos.kitchen/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blocks.telos.kitchen/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/blocks.telos.kitchen/chain.pem
</VirtualHost>
</IfModule>```

I followed this instructions. I also tried haproxy, but then reversed that because it didn't help. I'd like to add it once SSL is working.

https://serversforhackers.com/c/letsencrypt-with-haproxy

Thank you!!
M
#2

Hi @gravitt8460

checking your domain you have created two certificates ( https://check-your-website.server-daten.de/?q=blocks.telos.kitchen#ct-logs ):

Issuer not before not after Domain names LE-Duplicate next LE
Let's Encrypt Authority X3 2019-08-05 2019-11-03 blocks.telos.kitchen - 1 entries duplicate nr. 2
Let's Encrypt Authority X3 2019-08-03 2019-11-01 blocks.telos.kitchen - 1 entries duplicate nr. 1

So that part has worked.

You don't use one of these, instead, there is a self signed certificate:

E=root@blocks.telos.kitchen, CN=blocks.telos.kitchen, 
OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, 
S=SomeState, C=--
	03.08.2019
	02.08.2020
expires in 363 days

Looks like the default vHost is used.

Your server block is wrong.

ServerAlias with the same name as ServerName is duplicated. Looks like that vHost isn't used.

  • Remove the ServerAlias - row, restart your Apache
  • recheck your domain

If that doesn't help: What says

apachectl -S

or (CentOS)

httpd -S
2 Likes
#3

Thank you for the instruction. I removed ServerAlias since it was a duplicate of ServerName, then I restarted apache. I checked the results again and they were the same (still untrusted).

I ran a grep to make sure I removed all duplicates:

image
image.png1028×323 223 KB

I also ran httpd -S and I got the following results:

-bash-4.2$ httpd -S
VirtualHost configuration:
*:80                   blocks.telos.kitchen (/etc/httpd/sites-enabled/blocks.telos.kitchen.conf:1)
*:443                  is a NameVirtualHost
         default server blocks.telos.kitchen (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost blocks.telos.kitchen (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost blocks.telos.kitchen (/etc/httpd/sites-available/blocks.telos.kitchen-le-ssl.conf:2)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48 not_used
Group: name="apache" id=48 not_used

Finally, this server will primarily be an API server and I hope to put haproxy on to manage traffic. Will that make a difference or is the first step to get the cert working through apache?

Here is the haproxy.cfg file that I think I will need to use (although haproxy is not running currently).

frontend
    bind *:80

    # This is our new config that listens on port 443 for SSL connections
    bind *:443 ssl crt /etc/ssl/blocks.telos.kitchen/blocks.telos.kitchen.pem

    # Test URI to see if its a letsencrypt request
    acl letsencrypt-acl path_beg /.well-known/acme-challenge/
    use_backend letsencrypt-backend if letsencrypt-acl

    default_backend backend-web

# LE Backend
backend letsencrypt-backend
    server letsencrypt 127.0.0.1:7777

# Normal (default) Backend
# for web servers
backend backend-web
    server self 127.0.0.1:u6e80

thank you!
Max

#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.