SSL still shows expired

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
uceou.edu
I ran this command:
certbot certificates

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: uceou.edu-0001
Serial Number: 4dc13fdbc1e2daa46a0b4f8d05709deb5f6
Key Type: RSA
Domains: uceou.edu
Expiry Date: 2024-05-17 09:07:23+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/uceou.edu-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/uceou.edu-0001/privkey.pem
Certificate Name: uceou.edu
Serial Number: 3eea4749757c29461b89c5073118b3c0e68
Key Type: RSA
Domains: uceou.edu www.uceou.edu
Expiry Date: 2024-05-17 09:09:04+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/uceou.edu/fullchain.pem
Private Key Path: /etc/letsencrypt/live/uceou.edu/privkey.pem


My web server is (include version):
Apache 2
The operating system my web server runs on is (include version):
Centos 8 Stream
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.22.0

I still see my website SSL as expired: SSL Server Test: uceou.edu (Powered by Qualys SSL Labs) though I see that the certificate is valid till 17th May.

Hi @donisback, and welcome to the LE community forum.

That is usually an indication that something hasn't gone to plan.
Let's try to start unraveling this mystery with the output of:
sudo apachectl -t -D DUMP_VHOSTS


Please find below the output.

 sudo apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80                   uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:2)
*:443                  is a NameVirtualHost
         default server uceou.edu (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:18)
                 alias www.uceou.edu

That is a problem.
The same name ["uceou.edu"] appears in two vhosts.
The first file only has that one name.
The second file also includes the "www" - which makes me think that file is probably more correct.
I would recommend that you review both files and merge them into one.
If there is nothing you need from the first file, then just disable it and then delete it.


Once that part is done, then we can address the multiple certs issue.


How can I disable ssl.conf?

Added the line in httpd.conf and it worked:
Include conf.d/uceou.edu.conf
Thanks @rg305


sudo a2dissite ssl.conf

Please show the new output for:
sudo apachectl -t -D DUMP_VHOSTS

[root@uceou ~]# sudo a2dissite ssl.conf
sudo: a2dissite: command not found

I'm using Centos Stream 8. So, this command is not available.


sudo apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:2)
         port 80 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:2)
                 alias www.uceou.edu
         port 80 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:2)
                 alias www.uceou.edu
*:443                  is a NameVirtualHost
         default server uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:18)
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:18)
                 alias www.uceou.edu
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu.conf:18)
                 alias www.uceou.edu

This file is being loaded twice:

And there remains a name:port overlap with these two files:


Yes, you're right. But the SSL is now working fine. I have merged the files - ssl.conf and uceou.edu.conf
Removed the includes too in httpd.conf. Below is the output now:

[root@uceou conf]# sudo apachectl -t -D DUMP_VHOSTS
Passing arguments to httpd using apachectl is no longer supported.
You can only start/stop/restart httpd using this script.
If you want to pass extra arguments to httpd, edit the
/etc/sysconfig/httpd config file.
VirtualHost configuration:
*:443                  uceou.edu (/etc/httpd/conf.d/ssl.conf:40)

You lost the VirtualHost for port 80 (HTTP) though. You won't be able to redirect visitors from HTTP to HTTPS. More important, your cert renewal will probably fail now.

What does this do?

sudo certbot renew --dry-run

The --dry-run is a test and will not affect your existing production certs.


You're right, the certbot is failing.
Command output:

 httpd -D DUMP_VHOSTS  
VirtualHost configuration:
*:443                  uceou.edu (/etc/httpd/conf.d/ssl.conf:40)

However, the output of the below command shows port 80 is open:

sudo nmap -sT 202.63.117.90
Starting Nmap 7.70 ( https://nmap.org ) at 2024-02-18 21:07 IST
Nmap scan report for uceou.edu (202.63.117.90)
Host is up (0.00023s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE
80/tcp   open  http
111/tcp  open  rpcbind
443/tcp  open  https
3306/tcp open  mysql
7070/tcp open  realserver

Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds

Below is the output now:

httpd -D DUMP_VHOSTS  
VirtualHost configuration:
*:80                   uceou.edu (/etc/httpd/conf.d/uceou.edu:12)
*:443                  is a NameVirtualHost
         default server uceou.edu (/etc/httpd/conf.d/uceou.edu:1)
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu:1)
                 alias www.uceou.edu
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/ssl.conf:40)

Added the below command to httpd.conf and it worked. Tried certbot too and it's working fine now.
Include conf.d/uceou.edu

Thank you.

You still have this problem:

And this (minor) one:
[the HTTP vhost doesn't cover the "www" name]

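The checks applied by eye to the DUMP_VHOSTS output in this thread (a file loaded twice, a name:port overlap between two files, an HTTPS name with no port 80 vhost), as an added example that is not part of the original posts. The function names and finding labels are this example's own; the sample input is the last DUMP_VHOSTS output posted above.

```python
import re
from collections import defaultdict

# Sample input: the last DUMP_VHOSTS output posted in the thread.
SAMPLE = """\
VirtualHost configuration:
*:80                   uceou.edu (/etc/httpd/conf.d/uceou.edu:12)
*:443                  is a NameVirtualHost
         default server uceou.edu (/etc/httpd/conf.d/uceou.edu:1)
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/uceou.edu:1)
                 alias www.uceou.edu
         port 443 namevhost uceou.edu (/etc/httpd/conf.d/ssl.conf:40)
"""

NAMEVHOST = re.compile(r"^\s+port (\d+) namevhost (\S+) \((.+):(\d+)\)")
SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+) \((.+):(\d+)\)")  # sole vhost on an address
ALIAS = re.compile(r"^\s+alias (\S+)")

def parse_vhosts(text):
    """One dict per vhost entry: port, names (ServerName + aliases), source file:line."""
    vhosts = []
    for line in text.splitlines():
        m = NAMEVHOST.match(line) or SINGLE.match(line)
        if m:  # "default server" lines are skipped: they repeat the first namevhost
            vhosts.append({"port": int(m[1]), "names": [m[2]], "source": f"{m[3]}:{m[4]}"})
        elif (a := ALIAS.match(line)) and vhosts:
            vhosts[-1]["names"].append(a[1])
    return vhosts

def audit(text):
    """Hypothetical labels: loaded-twice, overlap, no-http-vhost."""
    seen = defaultdict(list)  # (port, name) -> sources that claim it
    for v in parse_vhosts(text):
        for name in v["names"]:
            seen[(v["port"], name)].append(v["source"])
    findings = []
    for (port, name), sources in sorted(seen.items()):
        for src in sorted(set(sources)):
            if sources.count(src) > 1:  # same file:line listed more than once
                findings.append(("loaded-twice", port, name, src))
        if len(set(sources)) > 1:  # same name:port defined in different places
            findings.append(("overlap", port, name, tuple(sorted(set(sources)))))
    http = {n for (p, n) in seen if p == 80}
    for name in sorted({n for (p, n) in seen if p == 443} - http):
        findings.append(("no-http-vhost", 80, name, ()))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

When two vhosts claim the same name and port, Apache serves requests for that name from whichever was loaded first, so a stale certificate referenced there is the one clients see.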
