SSL not working properly

My domain is redirecting to Apache default page after I installed SSL certificate from LetsEncrypt. When I checked on sslshopper it shows the following error
" The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."

Details are here.

My domain is: hackingguru.codes

I ran this command: certbot --apache

It produced this output:

Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/hackingguru.codes/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/hackingguru.codes/privkey.pem

My web server is (include version): Apache/2.4.37 (centos)

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

Could you please paste the entire output of certbot?

It seems your server is sending a self signed certificate currently and not the Let's Encrypt certificate.

Also please paste the output of sudo apachectl -S

This is the complete output:
[root@hackingguru conf.d]# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): xyz@abc.com


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server. Do you agree?


(Y)es/(N)o: Y


Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.

Which names would you like to activate HTTPS for?


1: hackingguru.codes
2: www.hackingguru.codes


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Requesting a certificate for hackingguru.codes and www.hackingguru.codes
Performing the following challenges:
http-01 challenge for hackingguru.codes
http-01 challenge for www.hackingguru.codes
Waiting for verification...
Cleaning up challenges
Created an SSL vhost at /etc/httpd/sites-available/example.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/example.com-le-ssl.conf
Enabling site /etc/httpd/sites-available/example.com-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/sites-available/example.com-le-ssl.conf
Redirecting vhost in /etc/httpd/sites-enabled/example.com.conf to ssl vhost in /etc/httpd/sites-available/example.com-le-ssl.conf


Congratulations! You have successfully enabled https://hackingguru.codes and
https://www.hackingguru.codes


Subscribe to the EFF mailing list (email: xyz@abc.com).

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/hackingguru.codes/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/hackingguru.codes/privkey.pem
    Your certificate will expire on 2021-10-21. To obtain a new or
    tweaked version of this certificate in the future, simply run
    certbot again with the "certonly" option. To non-interactively
    renew all of your certificates, run "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

Please don't be confused by the example.com in this output, as I have a directory named example.com where my SSL certs are saved for the hackingguru.codes domain.

The output of sudo apachectl -S is empty.

It shows nothing.

I'm not entirely sure I understand this part. The example.coms in the output above are for the Apache virtualhost configuration files, not for directories? How do you mean "directories where your ssl certs are saved"? Because certbot saves the certs to /etc/letsencrypt/live/hackingguru.codes/?

That's weird... Maybe sudo httpd -S?

Sorry, I meant the one in /etc/httpd/sites-available/example.com-le-ssl.conf.
This example.com should not confuse you, as my Apache config file has this name and I did not bother to replace this "example.com" part with "hackingguru.codes", that's it.

Output for sudo httpd -S:

VirtualHost configuration:
*:80 www.hackingguru.codes (/etc/httpd/sites-enabled/example.com.conf:1)
*:443 is a NameVirtualHost
         default server hackingguru.codes (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost hackingguru.codes (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost www.hackingguru.codes (/etc/httpd/sites-enabled/example.com-le-ssl.conf:2)
                 alias hackingguru.codes
         port 443 namevhost www.hackingguru.codes (/etc/httpd/sites-available/example.com-le-ssl.conf:2)
                 alias hackingguru.codes
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Hmm, I think the difference between your HTTP configuration in example.com.conf, which only seems to contain the www subdomain but not the apex domain itself, and the HTTPS configuration in ssl.conf, which does not include the www subdomain but only the apex domain, confused certbot: it used the only HTTP virtualhost available, from example.com.conf, to generate an HTTPS template for both hostnames. But there already was an HTTPS virtualhost in ssl.conf for hackingguru.codes, which probably has the self-signed certificate configured.
You can see that https://www.hackingguru.codes/ has a working HTTPS certificate from Let's Encrypt, but the apex domain indeed does not.

A few things to optimize your configuration:

  • Also add the apex domain name (i.e., your domain without the www subdomain) as a ServerAlias directive in example.com.conf. You might need to modify the redirect directive in that configuration file to make the redirect work for both hostnames too;
  • Change the ServerName directive in ssl.conf to some kind of placeholder such as localhost or example.com so that it doesn't come into effect for requests for hackingguru.codes or www.hackingguru.codes.

After those changes your webserver should be good to go.

2 Likes
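The diagnosis above can be checked mechanically. The script below is an added example for this thread, not code from any of the posts: it parses the VirtualHost section of an httpd -S dump (the constructed sample reuses the hostnames and file paths quoted in the thread) and reports two things, hostnames declared on one port but not the other, and hostnames claimed by more than one vhost on the same port. The second case is the one that bites here: on a name-based port Apache answers with the first vhost in config order whose ServerName or ServerAlias matches, so the ssl.conf vhost (the default server, carrying the self-signed certificate) wins for the apex domain over the certbot-generated vhost that only lists it as an alias.

```python
"""Spot vhost/hostname mismatches in an `httpd -S` (apachectl -S) dump.

Added example for this thread, not code from the original posts.  It assumes the
dump format shown in the thread (Apache 2.4's vhost.c output).
"""
import re
from collections import defaultdict

# Constructed sample input: the VirtualHost section of the dump quoted in the
# thread (the real dump continues with ServerRoot, Mutex and PidFile lines).
SAMPLE_DUMP = """\
VirtualHost configuration:
*:80                   www.hackingguru.codes (/etc/httpd/sites-enabled/example.com.conf:1)
*:443                  is a NameVirtualHost
         default server hackingguru.codes (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost hackingguru.codes (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost www.hackingguru.codes (/etc/httpd/sites-enabled/example.com-le-ssl.conf:2)
                 alias hackingguru.codes
ServerRoot: "/etc/httpd"
"""

SINGLE_RE = re.compile(r"^\*:(\d+)\s+(\S+)\s+\((\S+)\)$")          # lone vhost on a port
NAMEVHOST_RE = re.compile(r"^port (\d+) namevhost (\S+)\s+\((\S+)\)$")
ALIAS_RE = re.compile(r"^(?:wild )?alias (\S+)$")                  # ServerAlias lines


def parse_vhost_dump(text):
    """Return {port: [vhost, ...]} in config order.

    Each vhost is {"names": [...], "source": "file:line", "catch_all": bool}.
    A port with a single vhost prints only that vhost's ServerName and routes
    every request on the port to it, so it is marked catch_all.  On a
    NameVirtualHost port Apache picks the FIRST vhost whose ServerName or
    ServerAlias matches the Host header, falling back to the first one listed
    (the "default server"), which is why list order is preserved here.
    """
    vhosts = defaultdict(list)
    last = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ServerRoot:"):
            break                                   # end of the VirtualHost section
        if m := SINGLE_RE.match(line):
            last = {"names": [m.group(2)], "source": m.group(3), "catch_all": True}
            vhosts[int(m.group(1))].append(last)
        elif m := NAMEVHOST_RE.match(line):
            last = {"names": [m.group(2)], "source": m.group(3), "catch_all": False}
            vhosts[int(m.group(1))].append(last)
        elif (m := ALIAS_RE.match(line)) and last is not None:
            last["names"].append(m.group(1))        # alias belongs to the vhost just listed
    return dict(vhosts)


def diagnose(vhosts, http_port=80, https_port=443):
    """Return human-readable findings; an empty list means no mismatch found."""
    findings = []
    declared = {p: {n for vh in vs for n in vh["names"]} for p, vs in vhosts.items()}
    http_names = declared.get(http_port, set())
    https_names = declared.get(https_port, set())

    def note(port):
        vs = vhosts.get(port, [])
        if len(vs) == 1 and vs[0]["catch_all"]:
            return f" (the lone :{port} vhost answers it only as catch-all)"
        return ""

    for name in sorted(https_names - http_names):
        findings.append(f"{name}: declared on :{https_port} but not on :{http_port}{note(http_port)}")
    for name in sorted(http_names - https_names):
        findings.append(f"{name}: declared on :{http_port} but not on :{https_port}{note(https_port)}")

    # A name claimed by several vhosts on one port is always answered by the
    # earliest one; every later claimant is shadowed.
    for port, vs in sorted(vhosts.items()):
        claims = defaultdict(list)
        for vh in vs:
            for name in vh["names"]:
                claims[name].append(vh["source"])
        for name, sources in sorted(claims.items()):
            if len(sources) > 1:
                findings.append(f"{name}: on :{port} answered by {sources[0]}, "
                                f"shadowing {', '.join(sources[1:])}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_vhost_dump(SAMPLE_DUMP)):
        print(finding)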

Why is the same file listed for /sites-enabled/ and /sites-available/?

Thanks

1 Like
