SSL on subdomain hosted on another server


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: provedor.online (hosting on another server)

I ran this command: certbot-auto --apache -d www.lionstelecom.provedor.online -d lionstelecom.provedor.online

It produced this output: Command Ok. Result on page: NET::ERR_CERT_AUTHORITY_INVALID

My web server is (include version):
Apache/2.4.10

The operating system my web server runs on is (include version):
Debian 3.16.56-1+deb8u1

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ISPConfig

I need to configure the subdomain mentioned above to work with SSL. I ran several tests and it always displays a certificate error when accessing the subdomain page.

Anyone who can point the way, even just roughly, would be a great help; from there I will search and try to do it myself. Thanks.

*It is not a duplicate because the posts with similar titles did not have the same problem that I have; only the goal was the same.


#2

Please share your /var/log/letsencrypt/letsencrypt.log file. It will tell us if certbot had any trouble configuring Apache for you and if so, why.


#3

Hello @guttemberg

There are two correct certificates (created today) (four entries: two precertificates, two leaf certificates).

https://crt.sh/?q=lionstelecom.provedor.online

This

https://crt.sh/?id=519772641

has two correct names:

X509v3 Subject Alternative Name:
DNS:lionstelecom.provedor.online
DNS:www.lionstelecom.provedor.online

So it looks like a local problem to install this certificate.


#4

Hi,

It seems that you either need to install the certificate from the web manager panel or find the vHost the manager created and install it.

(P.S. you might need to install the certificate from the panel, since the certificate you have now is provided by the panel)

Thank you


#5

2018-06-12 06:00:24,089:DEBUG:certbot.main:Root logging level set at 20
2018-06-12 06:00:24,091:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-12 06:00:24,092:DEBUG:certbot.main:certbot version: 0.10.2
2018-06-12 06:00:24,092:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2018-06-12 06:00:24,093:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2018-06-12 06:00:24,097:WARNING:certbot.storage:Attempting to parse the version 0.25.0 renewal configuration file found at /etc/letsencrypt/renewal/www.master.provedor.online.conf with version 0.10.2 of Certbot. This might not work.
2018-06-12 06:00:24,111:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-06-12 06:00:24,123:DEBUG:parsedatetime:CRE_UNITS matched
2018-06-12 06:00:24,124:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-06-12 06:00:24,125:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-06-12 06:00:24,125:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-06-12 06:00:24,125:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=6, tm_mday=12, tm_hour=6, tm_min=0, tm_sec=24, tm_wday=1, tm_yday=163, tm_isdst=0))
2018-06-12 06:00:24,125:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-06-12 06:00:24,125:DEBUG:parsedatetime:units days --> realunit days
2018-06-12 06:00:24,126:DEBUG:parsedatetime:return
2018-06-12 06:00:24,126:INFO:certbot.renewal:Cert not yet due for renewal
2018-06-12 06:00:24,132:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-06-12 06:00:24,132:DEBUG:parsedatetime:CRE_UNITS matched
2018-06-12 06:00:24,132:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-06-12 06:00:24,132:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-06-12 06:00:24,133:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-06-12 06:00:24,133:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=6, tm_mday=12, tm_hour=6, tm_min=0, tm_sec=24, tm_wday=1, tm_yday=163, tm_isdst=0))
2018-06-12 06:00:24,133:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-06-12 06:00:24,133:DEBUG:parsedatetime:units days --> realunit days
2018-06-12 06:00:24,133:DEBUG:parsedatetime:return
2018-06-12 06:00:24,134:INFO:certbot.renewal:Cert not yet due for renewal
2018-06-12 06:00:24,135:WARNING:certbot.storage:Attempting to parse the version 0.25.0 renewal configuration file found at /etc/letsencrypt/renewal/www.lionstelecom.provedor.online.conf with version 0.10.2 of Certbot. This might not work.
2018-06-12 06:00:24,139:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-06-12 06:00:24,140:DEBUG:parsedatetime:CRE_UNITS matched
2018-06-12 06:00:24,140:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-06-12 06:00:24,140:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-06-12 06:00:24,140:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-06-12 06:00:24,140:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=6, tm_mday=12, tm_hour=6, tm_min=0, tm_sec=24, tm_wday=1, tm_yday=163, tm_isdst=0))
2018-06-12 06:00:24,140:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-06-12 06:00:24,140:DEBUG:parsedatetime:units days --> realunit days
2018-06-12 06:00:24,141:DEBUG:parsedatetime:return
2018-06-12 06:00:24,141:INFO:certbot.renewal:Cert not yet due for renewal
2018-06-12 06:00:24,142:WARNING:certbot.storage:Attempting to parse the version 0.25.0 renewal configuration file found at /etc/letsencrypt/renewal/g7internet.provedor.online-0001.conf with version 0.10.2 of Certbot. This might not work.
2018-06-12 06:00:24,146:DEBUG:parsedatetime:parse (top of loop): [30 days][]
2018-06-12 06:00:24,147:DEBUG:parsedatetime:CRE_UNITS matched
2018-06-12 06:00:24,147:DEBUG:parsedatetime:parse (bottom) [][30 days][][]
2018-06-12 06:00:24,147:DEBUG:parsedatetime:weekday False, dateStd False, dateStr False, time False, timeStr False, meridian False
2018-06-12 06:00:24,147:DEBUG:parsedatetime:dayStr False, modifier False, modifier2 False, units True, qunits False
2018-06-12 06:00:24,147:DEBUG:parsedatetime:_evalString(30 days, time.struct_time(tm_year=2018, tm_mon=6, tm_mday=12, tm_hour=6, tm_min=0, tm_sec=24, tm_wday=1, tm_yday=163, tm_isdst=0))
2018-06-12 06:00:24,147:DEBUG:parsedatetime:_buildTime: [30 ][][days]
2018-06-12 06:00:24,148:DEBUG:parsedatetime:units days --> realunit days
2018-06-12 06:00:24,148:DEBUG:parsedatetime:return
2018-06-12 06:00:24,148:INFO:certbot.renewal:Cert not yet due for renewal
2018-06-12 06:00:24,148:DEBUG:certbot.renewal:no renewal failures

@JuergenAuer, it seems like a local problem, but what would it be?

@stevenzhu, I will do this

When I click on the error warning in the certificate that chrome displays, I see this message: “This root certificate of the certification authority is not trusted because it is not in the trusted root certificate authorities repository.”

Thanks.


#7

Your log confirms this. “Cert not yet due for renewal”: the Let's Encrypt certificate is active and new.

But it isn’t installed.

You have a self-signed-certificate installed:

lionstelecom.provedor.online uses an invalid security certificate. The certificate is not trusted because it is self-signed. Error code: SEC_ERROR_UNKNOWN_ISSUER

Found at https://lionstelecom.provedor.online/

You must remove your self-signed certificate and add the Let's Encrypt certificate.
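One way to find the vhost that still serves the panel's self-signed certificate instead of the one certbot obtained (added example, not code from the thread or from certbot/ISPConfig; the vhost file below is a constructed sample, and the non-Let's Encrypt certificate path in it is a placeholder):

```python
import re

# Constructed sample of an Apache vhost file: the panel-managed vhost still
# points at its own certificate, while certbot's certificate sits unused under
# /etc/letsencrypt/live/. The first certificate path is a placeholder.
SAMPLE_VHOST_CONF = """
<VirtualHost *:443>
    ServerName lionstelecom.provedor.online
    ServerAlias www.lionstelecom.provedor.online
    SSLEngine on
    SSLCertificateFile /PLACEHOLDER/panel/ssl/lionstelecom.provedor.online.crt
    SSLCertificateKeyFile /PLACEHOLDER/panel/ssl/lionstelecom.provedor.online.key
</VirtualHost>
<VirtualHost *:443>
    ServerName www.master.provedor.online
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.master.provedor.online/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.master.provedor.online/privkey.pem
</VirtualHost>
"""

LE_LIVE_DIR = "/etc/letsencrypt/live/"
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)


def audit_vhosts(conf_text):
    """Return one dict per TLS vhost: its ServerName, the certificate file it
    serves, and whether that file is certbot's live certificate."""
    findings = []
    for body in VHOST_RE.findall(conf_text):
        directives = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                directives[parts[0].lower()] = parts[1].strip()
        if directives.get("sslengine", "").lower() != "on":
            continue  # plain-HTTP vhost, nothing to install there
        cert = directives.get("sslcertificatefile")
        findings.append({
            "server_name": directives.get("servername"),
            "cert_file": cert,
            "uses_letsencrypt": bool(cert) and cert.startswith(LE_LIVE_DIR),
        })
    return findings


if __name__ == "__main__":
    for f in audit_vhosts(SAMPLE_VHOST_CONF):
        status = "OK" if f["uses_letsencrypt"] else "NOT the Let's Encrypt cert"
        print(f"{f['server_name']}: {f['cert_file']} -> {status}")
```

Run it over the real file(s) under /etc/apache2/sites-enabled/ to see which vhost needs its SSLCertificateFile and SSLCertificateKeyFile pointed at the live/ directory.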


#8

Unfortunately certbot ran to check for renewals since you issued the certificate, so this isn’t the log we were looking for.

Please check the .1, .2 files in /var/log/letsencrypt for a date/time matching when you tried to issue the certificate and share that file. The correct file should list --apache and/or your domain name on the DEBUG:certbot.main:Arguments line near the top.


#9

Hello. Since I was having a lot of problems, I migrated to another server. I do not know if I should open a new topic, so I’ll continue to answer the one I opened earlier.

Following the instructions of this link https://certbot.eff.org/lets-encrypt/debianstretch-apache, I executed the command

certbot --authenticator webroot --installer apache --test

And I had the following error:

root@master:~# certbot --authenticator webroot --installer apache --test
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): admin.provedor.online
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for admin.provedor.online
Input the webroot for admin.provedor.online: (Enter 'c' to cancel): /var/www/html/admin
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. admin.provedor.online (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://admin.provedor.online/.well-known/acme-challenge/du6kvml6bOmyvinwr_motuKqSY8-PdFcpR6uEjat1B0: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: admin.provedor.online
   Type:   unauthorized
   Detail: Invalid response from
   http://admin.provedor.online/.well-known/acme-challenge/du6kvml6bOmyvinwr_motuKqSY8-PdFcpR6uEjat1B0:
   "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
   <html><head>
   <title>404 Not Found</title>
   </head><body>
   <h1>Not Found</h1>
   <p"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

The letsencrypt log is this:

letsencrypt.txt (19.0 KB)

My web server is (include version):
Apache/2.4.25 (Debian)

The operating system my web server runs on is (include version):
Debian 9.4

My hosting provider, if applicable, is: nothing

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#10

Hi @guttemberg,

Could you create a file /var/www/html/admin/test.txt and see if you can see it at http://admin.provedor.online/test.txt? If so, could you create a file /var/www/html/admin/.well-known/acme-challenge/test2.txt and see if you can see it at http://admin.provedor.online/.well-known/acme-challenge/test2.txt?

While you’re doing this, could you please check your IPv6 configuration and your AAAA record? You’re advertising an IPv6 address fe80::4875:7dff:fe61:bc14 which is a link-local (LAN) IPv6 address rather than a public address, and should not be advertised to the public in DNS because it’s not reachable over the Internet. However, this is probably not directly related to the problem that you’re experiencing.


#11

@schoen,

I created the test.txt file in /var/www/html/admin/ and could not access it through the browser. When creating another file in /var/www/html/ I was able to access it through the URL http://admin.provedor.online/test.txt

The .well-known folder was automatically created within /var/www/html/admin/, but the acme-challenge/ folder was not created inside it.

I removed the IPv6 address from the DNS zone; now we have to wait for the changes to propagate.


#12

In that case, you should probably specify /var/www/html instead of /var/www/html/admin as the webroot directory.
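The 404 in #9 follows from the webroot/DocumentRoot mismatch that #10 to #12 uncover: certbot writes the token under the webroot you give it, but Apache serves files relative to the vhost's DocumentRoot. This added example (not code from the thread or from certbot) predicts the URL at which the token would actually be served; it assumes the DocumentRoot is /var/www/html, as the test.txt result in #11 indicates, and uses a placeholder token.

```python
from posixpath import normpath, relpath

ACME_DIR = ".well-known/acme-challenge"


def predict_challenge_url(domain, document_root, webroot, token):
    """Work out where certbot's webroot plugin will write the http-01 token
    and under which URL Apache would actually serve that file, given the
    DocumentRoot of the vhost answering for `domain`."""
    document_root = normpath(document_root)
    webroot = normpath(webroot)
    file_path = f"{webroot}/{ACME_DIR}/{token}"
    rel = relpath(file_path, document_root)
    if rel.startswith(".."):
        served_url = None  # file lies outside DocumentRoot: never reachable
    else:
        served_url = f"http://{domain}/{rel}"
    expected_url = f"http://{domain}/{ACME_DIR}/{token}"
    return {
        "file_path": file_path,
        "served_url": served_url,
        "expected_url": expected_url,  # the URL the CA fetches
        "will_validate": served_url == expected_url,
    }


if __name__ == "__main__":
    token = "EXAMPLE_TOKEN"  # placeholder for the token the CA chooses
    # Constructed comparison: the webroot from #9 versus the one advised in #12.
    for webroot in ("/var/www/html/admin", "/var/www/html"):
        r = predict_challenge_url("admin.provedor.online", "/var/www/html", webroot, token)
        print(f"webroot {webroot}: token written to {r['file_path']}")
        print(f"  served at   {r['served_url']}")
        print(f"  CA fetches  {r['expected_url']} -> {'OK' if r['will_validate'] else '404'}")
```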