SSL with Lemonstand store, showing old cloudflare ssl and now down


#1

My domain is: http://www.terracecafecups.com - The SSL certificate is incorrect and showing Cloudflare instead of the new certificate from Let’s Encrypt.

I ran this command: Here at the lemonstand docs and everything succeeded.

It produced this output:

Congratulations! Your certificate and chain have been saved at: 
/etc/letsencrypt/live/terracecafecups.com/fullchain.pem
Your key file has been saved at: 
/etc/letsencrypt/live/terracecafecups.com/privkey.pem
Your cert will expire on 2018-12-09. 
To obtain a new or tweaked version of this certificate in the future, simply run certbot again. 
To non-interactively renew *all* of your certificates, run "certbot renew"

- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): Not sure, Lemonstand’s.

The operating system my web server runs on is (include version): Not sure, Lemonstand’s.

My hosting provider, if applicable, is: Lemonstand.

I can login to a root shell on my machine (yes or no, or I don’t know): No.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Lemonstand backend.

Before doing any of the Let’s Encrypt steps in the Lemonstand docs, I created a CloudFlare account and hooked up the domain, but when I realized that was not going to work and that it was not the proper way to add SSL to a Lemonstand store I removed the domain settings from Cloudflare and deleted the domain from the Cloudflare account. I then changed back my name servers at GoDaddy and pointed my root to Lemonstand and my www. to @. The issue I am experiencing shows the old Cloudflare certificate and it is not secure according to my browser.


#2

What is your domain name? That’s really going to give us the most diagnostic info. Otherwise it’s just shots in the dark until something sticks.


#3

My mistake. The domain is: http://terracecafecups.com. Since I wrote the post it has gone down. I am wondering if the transition is now in the works? Like Lemonstand’s docs suggest, I ran an SSL checker at: https://www.sslshopper.com/ssl-checker.html and it still returns Cloudflare.


#4

No, I don’t believe that’s the case. Your server is showing a certificate from the Cloudflare Origin CA, which is used to encrypt data between your server and Cloudflare, but isn’t publicly trusted. It doesn’t appear down to me, just untrusted. When your domain is using Cloudflare, they have their own publicly trusted certificates in place, but you can’t get that on your server directly.

Are you sure that you actually updated lemonstand (I have no familiarity with this product) with your new certificate? I see you issued one, but did you go through the process to paste it into the control panel? Did it return a success message?


#6

Yes, I believe I followed the steps here correctly. I then copied the fullchain.pem for my Primary SSL Certificate and the privkey.pem for my Private Key and submitted the information. My Lemonstand account area now shows “configured” in my SSL area. But whether that was correct or not is still up in the air, this being my first time doing this with LemonStand. One thing that I thought was odd: the fullchain.pem had two BEGIN CERT and END CERT groups. Is that typical? Thank you for taking a look at this.


#7

Hi @samuelkobe

The fullchain.pem contains your certificate and the intermediate certificate.

Split the file, save the two parts with .crt as file extension. Then Windows shows the two certificates.

I don’t use LemonStand. But:

There are three certificates with terracecafecups.com as name, one is from 2018-09-10, today, the others from August and June.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:terracecafecups.com&lu=cert_search

And there

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:www.terracecafecups.com&lu=cert_search

are two certificates with www.terracecafecups.com from August / June.

Normally, you should have one certificate with two names. So use

certbot certonly --manual -d www.terracecafecups.com -d terracecafecups.com

to create this one certificate with two names.
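As an added illustration of the point above (example code, not from the thread, certbot or LemonStand): a small Python helper that splits a fullchain.pem into its leaf and intermediate blocks, in the order certbot writes them, and refuses anything that is not a CERTIFICATE block, so a privkey.pem pasted into the certificate field is caught before upload. The sample chain is constructed from minimal DER stubs, not real certificates.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def split_pem(text: str):
    """Return (label, base64 body) for every PEM block in `text`, checking that each
    body is valid base64 and decodes to something that starts with a DER SEQUENCE."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to DER")
        blocks.append((label, body))
    return blocks


def fullchain_parts(text: str):
    """certbot writes fullchain.pem as the leaf certificate followed by the
    intermediate(s). Return (leaf_pem, [intermediate_pem, ...]); anything other
    than CERTIFICATE blocks (for example a pasted privkey.pem) is rejected."""
    blocks = split_pem(text)
    if not blocks:
        raise ValueError("no PEM blocks found")
    bad = [label for label, _ in blocks if label != "CERTIFICATE"]
    if bad:
        raise ValueError("unexpected block(s) in chain: " + ", ".join(bad))
    pems = [f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
            for _, body in blocks]
    return pems[0], pems[1:]


def _stub_block(label: str, tag: int) -> str:
    # Constructed stand-in: a five-byte DER SEQUENCE, not a real certificate or key.
    body = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, tag])).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


SAMPLE_FULLCHAIN = _stub_block("CERTIFICATE", 1) + _stub_block("CERTIFICATE", 2)
SAMPLE_WITH_KEY = SAMPLE_FULLCHAIN + _stub_block("PRIVATE KEY", 3)

if __name__ == "__main__":
    leaf, intermediates = fullchain_parts(SAMPLE_FULLCHAIN)
    print("leaf:\n" + leaf)
    print(f"{len(intermediates)} intermediate certificate(s)")
```

Run it against the real file with `fullchain_parts(open("/etc/letsencrypt/live/<domain>/fullchain.pem").read())`; the first element is what goes into a "primary certificate" field, the rest into an "intermediate" field if the panel has one.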


#9

Wow, thank you so much for all the information. Lemonstand gives you the ability to put an intermediate certificate in as well. So I believe me pasting both into the primary is most likely causing some of my issues.

Is there a way to delete certificates? Because I don’t want the cloudflare one anymore. Because I created the cloudflare one today, and I thought I had created another with letsencrypt through the lemonstand instructions. Would it show two certificates from today’s date if I had?

Thanks.


#10

So I believe me pasting both into the primary is most likely causing some of my issues.

Maybe not though… because: https://docs.lemonstand.com/extend/lets-encrypt-ssl-installation states that I should be using the fullchain.pem as the Primary SSL Certificate. I’m definitely looking forward to talking to support tomorrow.


#11

You can delete a certificate - remove the files. But first create the new certificate and install it.

You can have a lot of active certificates. This isn’t a problem.

PS: You can edit your reply.


#13

I believe that Lemonstand might have some special cases because there are some steps, like step 2. here, that make me think I can’t add both:

certbot certonly --manual -d www.terracecafecups.com -d terracecafecups.com like this.

I am feeling a little out of sorts now, there are so many little steps to take and it being my first time I don’t know which I have done correctly or incorrectly. Not to mention I can’t even get to the backend of the site anymore because it shows “This site can’t be reached” now for me on my Mac. I’ll try again tomorrow.


#14

If you use certbot certonly, perhaps you can also use the dns-01 - validation.

So you don’t need to create and upload a file. Instead, you have to create two dns-entries.

_acme-challenge.terracecafecups.com
_acme-challenge.www.terracecafecups.com

or (if you have a domain menu, this context adds the domain):

_acme-challenge
_acme-challenge.www

Perhaps your dns-provider supports an api, certbot has a long list of supported dns-providers.

You can automate this part.


#15

My DNS provider is GoDaddy for this client. My only experience here is following the docs at Lemonstand. Why would they not include the naked URL + www if I needed to do this? I am not questioning your suggestions here. But the way you have to add site and page templates on their backend to then have certbot go and check for a file with the unique authorization code in it doesn’t seem to work if I need to create two separate ones.

I have DNS control. So I can add the dns-entries you are suggesting above. But I feel I am getting further away from THEIR solution, again that might just be my lack of knowledge/comfortability speaking.

I am going to try starting from the top and re-adding the fullchain.pem to their primary certificate location, and adding the privkey.pem to the private certificate location?

For more context, this is what the page looks like where I add this information:


#16

I would try two things: First, follow this guideline, create one certificate with one domain name terracecafecups.com - install it.

If this works, you can create a second certificate with two names (via dns-01 - validation).

It’s very unusual that your http://www.terracecafecups.com/ has a redirect to lemonstand.com.

download http://www.terracecafecups.com/ -h
Cache-Control: no-store, private, no-cache, must-revalidate,pre-check=0, post-check=0, max-age=0, max-stale = 0
Date: Mon, 10 Sep 2018 16:47:21 GMT
Server: Apache
Pragma: no-cache
Expires: Sat, 26 Jul 1997 05:00:00 GMT,0
Last-Modified: Mon, 10 Sep 2018 16:47:21 GMT
Location: https://lemonstand.com
Content-Length: 0
Content-Type: text/html; charset=utf-8
Set-Cookie: SERVERID=app1; path=/

Status: 302 Redirect

Your own www should redirect to your non-www. Then you need one certificate with two names.


#17

I think that one of the problems was that I took this domain from the Shopify account that was originally using the domain. I read somewhere that Shopify forces HSTS for 90 days even after moving it. Shopify gives you an SSL out of the box and I am guessing one of the August or June SSL certificates is from them.

Right now I have my www pointed to @ (I put in terracecafecups.com and it was added as @) and my non-www pointed to Lemonstand’s IP address that is provided in the custom domain setup. Is this not correct?

I believe this is correct:


#18

Your dns - settings are correct. Both domains (www + non-www) have 23.21.107.184 as ip. The redirect must be in the webserver / shopsystem. Perhaps because www is “not registered as shop”. But I don’t know how LemonStand handles that.


#19

I mean that is straight from their setup guide so I don’t know either.


#20

So there were a couple of reasons why I was having issues. I had followed their steps correctly but:

  1. I changed the name of the site from demo-site to Terrace Cafe Cups right before I started implementing the custom domain and SSL stuff. My test url was demo-site.lemondstand.com and I guess there were some internal issues with that url as it was reserved in some capacity.

  2. I added a secondary domain of demo-site.lemondstand.com and this may be why the redirect from www.terracecafecups.com was weirdly redirecting to lemonstand.com. Once I changed the secondary domain in the lemonstand settings to www.terracecafecups.com, and continued to use terracecafecups.com as the primary it stopped that odd redirect.

  3. I setup cloudflare earlier when trying to get SSL working and it slowed down the entire process.

  4. Testing was a huge bummer because my browser and machine kept giving me:
    This site can’t be reached terracecafecups.com’s server IP address could not be found. DNS_PROBE_FINISHED_NXDOMAIN.
    This paired with the fact that the domain was previously used at Shopify, where the domain is forced to use HSTS for 90 days even after the DNS records are changed just added more questions.

  5. And lastly, you have to do the setup Step 1. Part (b) for both the naked URL and the www. You can achieve this by adding both domains and separating them with a comma like so: example.com, www.example.com. After that you have to duplicate Step 2. for however many domains you are adding to the certificate.

Docs that I am referencing.

Basically, next time will be easy; with this new knowledge, following their guides from the start should get me up and running sooner.

Thank you to both of you who reached out and helped a total stranger ask the right questions to support.


#21

Yes, you could use dns-01 validation to get a certificate with two domain names. Then install this certificate (keeping the current one with one name as backup) and test if it works.

https://www.terracecafecups.com/ sends *.lemonstand.com, lemonstand.com as domain names, so the certificate is wrong.
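A way to reproduce that diagnosis from the command line, as an added example that is not part of the thread (standard-library Python only; the default hostnames are the ones discussed above): it fetches the certificate a server presents for a name and reports either an untrusted chain, as with the Cloudflare Origin CA certificate in #4, or a name mismatch, as with the *.lemonstand.com certificate in #21.

```python
import socket
import ssl


def san_matches(hostname: str, san: str) -> bool:
    """Match one dNSName from subjectAltName against a hostname. A wildcard is
    honoured only as the whole leftmost label: *.lemonstand.com covers
    shop.lemonstand.com but not lemonstand.com, a.b.lemonstand.com or
    www.terracecafecups.com."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat) or len(pat) < 2:
        return False
    if pat[0] == "*":
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def classify(hostname: str, dns_names) -> str:
    """Verdict for a certificate carrying `dns_names` when requested as `hostname`."""
    if any(san_matches(hostname, n) for n in dns_names):
        return "ok"
    return "name mismatch: certificate is for " + ", ".join(sorted(dns_names))


def served_dns_names(hostname: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI and return the DNS names in the presented certificate.
    Chain verification against the system trust store stays on, so a Cloudflare
    Origin CA certificate (not publicly trusted) raises SSLCertVerificationError."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want the names themselves, not the library's verdict
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def diagnose(hostname: str) -> str:
    try:
        names = served_dns_names(hostname)
    except ssl.SSLCertVerificationError as exc:
        return f"untrusted chain: {exc.verify_message}"
    return classify(hostname, names)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:] or ["terracecafecups.com", "www.terracecafecups.com"]:
        print(host, "->", diagnose(host))
```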


#22

thanks again :slight_smile: