The certificate is only valid for sys.mysite.org


#1

Tried this 2 times, with the same problem.

./certbot-auto --apache -d mysite.com -d www.mysite.com

Result:

Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/mysite.com/fullchain.pem.
Your cert will expire on 2016-08-30....

But when accessed from any browser, mysite.com:

mysite.com uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
The certificate is only valid for sys.mysite.org
Error code: SEC_ERROR_UNKNOWN_ISSUER

sys.mysite.org is the server host name and does not appear anywhere in Apache config files.
Just one virtual host file is at /etc/httpd/conf.d/mysite_com.conf

Apache 2.2
Centos 6.8


#2

Maybe restart Apache?


#3

Already did an Apache restart and even a server reboot, just in case. Why on earth would it create certificates for the server name when I specifically passed in -d mysite.com -d www.mysite.com? Makes no sense to me.


#4

It’s unlikely that this certificate is from Let’s Encrypt. You would not get “SEC_ERROR_UNKNOWN_ISSUER” for a certificate signed by Let’s Encrypt. My best guess is that your apache was already configured with a self-signed certificate prior to this, and something’s causing apache to pick this certificate rather than the new certificate.

Try grep -r "SSLCertificateFile" /etc/httpd if you don’t see anything obvious. If you need help amending the configuration, we’ll need your apache configuration files.


#5

Found this in ssl.conf after running that command:

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Could this be in conflict?


#6

Yep, ssl.conf is probably where the self-signed certificate is set. You’ll want to remove the relevant SSL directives in there (basically anything that matches SSL[...]File). Feel free to post the file if you need assistance.
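
An added example, not part of the original posts: a shell sketch of the check suggested above, listing every active SSL[...]File directive under an Apache config tree and flagging those that point outside the Let's Encrypt live directory. The function names, the sample config contents and the localhost.crt / server-chain.crt paths are constructed for illustration; /etc/letsencrypt/live/ is assumed from the certbot output in the first post.

```bash
# Added example: audit SSL*File directives in an Apache config tree.
# Assumption: certbot's default live directory, as shown in the certbot output.
LE_LIVE_DIR="/etc/letsencrypt/live/"

# scan_ssl_file_directives CONF_DIR
# One tab-separated line per active directive: STATUS, file:line, directive, path.
# STATUS is "ok" when the path is under LE_LIVE_DIR, otherwise "CONFLICT".
scan_ssl_file_directives() {
    find "$1" -type f -name '*.conf' -exec awk -v le="$LE_LIVE_DIR" '
        /^[ \t]*#/ { next }                       # ignore commented-out lines
        tolower($1) ~ /^ssl[a-z]*file$/ {         # directive names are case-insensitive
            path = $2
            gsub(/^"|"$/, "", path)               # drop optional surrounding quotes
            status = (index(path, le) == 1) ? "ok" : "CONFLICT"
            printf "%s\t%s:%d\t%s\t%s\n", status, FILENAME, FNR, $1, path
        }' {} +
}

# count_status CONF_DIR STATUS -> number of directives with that status
count_status() {
    scan_ssl_file_directives "$1" | awk -F'\t' -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# make_sample_tree -> prints the path of a constructed config tree (sample data)
make_sample_tree() {
    local d; d=$(mktemp -d) || return 1
    mkdir -p "$d/conf.d"
    cat > "$d/conf.d/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
</VirtualHost>
EOF
    cat > "$d/conf.d/mysite_com.conf" <<'EOF'
<VirtualHost *:443>
  SSLCertificateFile /etc/letsencrypt/live/mysite.com/cert.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/mysite.com/privkey.pem
  SSLCertificateChainFile /etc/letsencrypt/live/mysite.com/chain.pem
</VirtualHost>
EOF
    echo "$d"
}

tree=$(make_sample_tree)
scan_ssl_file_directives "$tree"   # on a real host: scan_ssl_file_directives /etc/httpd
rm -rf "$tree"
```

Any CONFLICT line in a virtual host that answers on port 443 is a candidate for the self-signed certificate the browser is seeing.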


#7

Great - this will give something to investigate further. Much appreciation for your help.

