Supposedly successfully installed but not serving HTTPS


#1

Please fill out the fields below so we can help you better.

My domain is: jamesaverywilhelm.com

I ran this command:

It produced this output:

My operating system is (include version): CentOS 6

My web server is (include version): Apache 2.4.18

My hosting provider, if applicable, is: Godaddy VPS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): cpanel/WHM

FYI, I’m a newbie when it comes to anything SSL related; please be gentle.

I successfully generated certificates, but Certbot couldn’t create a proper SSL VHost for some reason.

So I manually created the jamesaverywilhelm.com-le-ssl.conf file and ran certbot-auto install with this result:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying Certificate to VirtualHost
/etc/httpd/conf.d/jamesaverywilhelm.com-le-ssl.conf
Deploying Certificate to VirtualHost
/etc/httpd/conf.d/jamesaverywilhelm.com-le-ssl.conf
Redirecting vhost in /etc/httpd/conf.d/jamesaverywilhelm.com.conf
to ssl vhost in /etc/httpd/conf.d/jamesaverywilhelm.com-le-ssl.conf

It seems everything should be in working order, but I’m not getting redirected to https and when I try to serve my site with https, I get the following error:

Your connection is not private

Attackers might be trying to steal your information from www.jamesaverywilhelm.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID

It seems that the certificate that’s being served is the self-signed cert attached to my VPS. I have no idea what I’ve done wrong. Any help would be greatly appreciated.


#2

hi jaw-development

there are two challenges I think you need to solve

first of all you need to tell apache where to look for the certificates (this may or may not be already done)

mozilla has a sample config here: https://mozilla.github.io/server-side-tls/ssl-config-generator/

the second thing you need to do is run certbot and answer the challenge to get a letsencrypt certificate

you are currently using a self signed certificate

if you have done the two above restart apache and see if that solves the problem as sometimes apache doesn’t load the new certificate until it’s restarted.


#3

In my Debian install I have the following entries in my default-ssl.conf file:

SSLCertificateFile /etc/letsencrypt/live/penfold.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/penfold.fr/privkey.pem

Maybe check in there?

Also your screenshot says "Cannot find a cert or key directive in /files/etc/httpd/conf.d/jamesaverywilhelm.com-le-ssl.conf/IfModule/VirtualHost. VirtualHost was not modified."

I don’t know about httpd setup in CentOS but I’m guessing you need to add something similar to the above pointing to your certificate file and key file. And then restart Apache.


#4

Thanks for the speedy responses, @ahaw021 and @davep!

Unfortunately, I’ve already done what you both suggested. I ran Certbot and was issued certs. And here are the contents of my SSL VHost file with paths pointing to the certificate files:

    <VirtualHost *:443>
        ServerAdmin xxx@jamesaverywilhelm.com
        DocumentRoot /pathto/root/public_html
        ServerName jamesaverywilhelm.com
        ServerAlias www.jamesaverywilhelm.com
        ErrorLog /pathto/root/error.log
        CustomLog /pathto/root/requests.log
        SSLCertificateFile /etc/letsencrypt/live/jamesaverywilhelm.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/jamesaverywilhelm.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>

After creating that VHost config file, I reran certbot with the install subcommand, and got this message after:

I restarted Apache, but I’m still not redirecting to https and only serving the self-signed certificate from my VPS instead of the Let’s Encrypt certificate. I have no idea what to try next.


#5

I’d have a check of the default ssl.conf file - and see what cert etc that is serving.

If nothing there, can you do a recursive grep for SSLCertificateFile in your apache folder, and see what other configs it finds.

Also, looking at your file, you don’t have “SSLEngine on” included in it.
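The two checks suggested in this reply (grep the whole Apache tree for SSLCertificateFile, and look for a *:443 vhost that has no "SSLEngine on") can be scripted. The following is an added example, not code from this thread or from Certbot: it writes a few constructed config files into a temporary directory (placeholder domain example.invalid, placeholder paths) and runs both checks over them, so it runs offline. Point the two functions at /etc/httpd or /etc/apache2 instead to audit a real server.

```shell
#!/bin/sh
# Added example (not from this thread): audit an Apache config tree the way
# the replies above suggest doing by hand. list_cert_files prints every
# certificate Apache would load; audit_ssl_vhosts flags *:443 VirtualHost
# blocks that lack "SSLEngine on" or a certificate/key pair. The config
# files written by write_demo_configs are constructed for the demo; the
# domain and paths in them are placeholders, not the poster's real setup.

# list_cert_files DIR: path argument of every SSLCertificateFile under DIR
# (the "recursive grep" from the thread).
list_cert_files() {
    grep -rh '^[[:space:]]*SSLCertificateFile[[:space:]]' "$1" | awk '{ print $2 }'
}

# audit_ssl_vhosts DIR: one line per *:443 VirtualHost, "FILE:LINE STATUS",
# where STATUS is "ok" or a comma-separated list of what the block is missing.
audit_ssl_vhosts() {
    find "$1" -type f -name '*.conf' | sort | while read -r f; do
        awk -v file="$f" '
            /^[ \t]*<VirtualHost[^>]*:443>/ {
                inblock = 1; start = NR; engine = 0; cert = 0; key = 0; next
            }
            inblock && /^[ \t]*SSLEngine[ \t]+[Oo][Nn]/        { engine = 1 }
            inblock && /^[ \t]*SSLCertificateFile[ \t]/        { cert = 1 }
            inblock && /^[ \t]*SSLCertificateKeyFile[ \t]/     { key = 1 }
            inblock && /^[ \t]*<\/VirtualHost>/ {
                status = ""
                if (!engine)       status = status "missing-SSLEngine,"
                if (!cert || !key) status = status "missing-cert-or-key,"
                if (status == "")  status = "ok,"
                printf "%s:%d %s\n", file, start, substr(status, 1, length(status) - 1)
                inblock = 0
            }
        ' "$f"
    done
}

# write_demo_configs DIR: constructed sample configs shaped like the ones in
# this thread (hypothetical content, placeholder domain and paths).
write_demo_configs() {
    mkdir -p "$1/conf.d"
    # Like the hand-made vhost above: certificate paths but no "SSLEngine on".
    cat > "$1/conf.d/site-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName example.invalid
    SSLCertificateFile /etc/letsencrypt/live/example.invalid/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
</VirtualHost>
EOF
    # A distro-style ssl.conf still pointing at a self-signed pair: the kind of
    # leftover that explains a browser seeing the wrong certificate.
    cat > "$1/conf.d/ssl.conf" <<'EOF'
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
EOF
    # A complete vhost in the shape of the Debian default-ssl.conf example.
    cat > "$1/conf.d/default-ssl.conf" <<'EOF'
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
    ServerName www.example.invalid
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.invalid/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
</VirtualHost>
</IfModule>
EOF
}

# Stand-alone demo: build the tree in a temp dir, run both checks, clean up.
demo_dir=$(mktemp -d)
write_demo_configs "$demo_dir"
echo "Certificates referenced under $demo_dir:"
list_cert_files "$demo_dir"
echo "VirtualHost audit:"
audit_ssl_vhosts "$demo_dir"
rm -rf "$demo_dir"
```

On the demo tree the audit reports site-le-ssl.conf as missing-SSLEngine and the other two as ok, and the certificate list shows the self-signed localhost.crt sitting next to the Let's Encrypt chain, which is exactly the situation the reply above asks the poster to look for. Run it against the real config directory after `httpd -S`, since `httpd -S` tells you which files Apache actually reads and the audit tells you what is inside them.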


#6

Agreed. Here’s my default-ssl.conf file as an example:

<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/html
        ServerName www.penfold.fr
        ServerAlias penfold.fr
        SSLEngine on
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder on
        SSLCipherSuite "ECDHE-RSA-CHACHA20-POLY1305 \
            DHE-RSA-CHACHA20-POLY1305 \
            DHE-RSA-AES256-GCM-SHA384 \
            ECDHE-RSA-CHACHA20-POLY1305 \
            ECDHE-RSA-AES256-GCM-SHA384 \
            ECDHE-ECDSA-AES256-GCM-SHA384 \
            ECDHE-ECDSA-AES256-SHA384 \
            DHE-RSA-AES256-SHA256 \
            DHE-RSA-AES256-SHA"
        SSLCertificateFile /etc/letsencrypt/live/penfold.fr/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/penfold.fr/privkey.pem
        SSLOpenSSLConfCmd DHParameters /etc/letsencrypt/live/...
        # deprecated - SSLCertificateChainFile conf/chain.pem
        SSLStrictSNIVHostCheck On
        SSLCACertificateFile /etc/letsencrypt/live/penfold.fr/chain.pem
        SSLOpenSSLConfCmd ECDHParameters Automatic
        SSLOpenSSLConfCmd Curves secp384r1:secp521r1
        SSLOCSPEnable On
        SSLCompression off
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        Header always set Content-Security-Policy "default-src https: 'unsafe-inline' 'unsafe-eval'"
        Header always set X-Frame-Options "SAMEORIGIN"
        Header always set X-Xss-Protection "1; mode=block"
        Header always set X-Content-Type-Options "nosniff"
        SSLOptions +StdEnvVars
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined
        CustomLog ${APACHE_LOG_DIR}/ssl.log "%t %h %k %X %{SSL_PROTOCOL}e\
            %{SSL_CIPHER}e %{SSL_SESSION_ID}e %{SSL_SESSION_RESUMED}e"
    </VirtualHost>
</IfModule>

#7

And to redirect, I have the following in my 000-default.conf file

NameVirtualHost *:80

<VirtualHost _default_:80>
    ServerName penfold.fr
    ServerAlias www.penfold.fr

    Redirect permanent / https://penfold.fr

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    CustomLog ${APACHE_LOG_DIR}/other_vhosts_access.log vhost_combined

    RewriteEngine on
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

#8

And maybe check your apache2.conf has the first option below:

# Include the virtual host configurations:
IncludeOptional sites-enabled/*.conf

<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

SSLOpenSSLConfCmd DHParameters "/etc/letsencrypt/live/..."

#9

Take care with

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

If you don’t understand / want it. There are many people who suddenly realise they can’t reach subdomains which they haven’t got SSL certs for … because they didn’t think through the implications of that statement :wink:


#10

Thanks. I don’t actually have any and will no doubt forget your advice by the time I do though :stuck_out_tongue_winking_eye:


#11

:slight_smile: The advice was as much for others coming along, reading your post, and blindly adding it to their config :wink:


#12

Thanks for all the advice. I’m out of town for the rest of the week, but I’ll be sure to check back in next week once I’ve had some time to do some more troubleshooting.


#13

I’m still not getting anywhere with this. It seems like any edits I make in /etc/httpd/conf/httpd.conf don’t actually change anything. So I’m wondering if I mucked something up in the process. I’m pretty much at my wit’s end with this, so any other suggestions are very much appreciated.


#14

are you reloading (or restarting) apache after your changes? so that they are actually read and used?


#15

Yes, but after looking at the output of httpd -S it’s not looking like my vhosts are being updated.


#16

I just discovered that WHM/cpanel has a Let’s Encrypt plugin for their AutoSSL feature. Problem solved.

Thanks for all the advice, everyone!


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.