Two Questions: (a) Renewal (b) Invalid Intermediate

Domain: ukdirectsale.co.uk

Okay, so after a few hits and misses I finally got everything working okay, after installing certbot, but still have a couple of questions.

a) So, I believe I can just let cron take care of doing certbot auto-renewals for the domain in question, and did the dry-run test successfully. I just want to be certain that I don't manually need to add anything to my crontab, given:

$ systemctl list-timers
NEXT                         LEFT          LAST                         PASSED       UNIT                         ACTIVATES
Thu 2020-10-01 10:33:00 EDT  58min left    Wed 2020-09-30 14:10:00 EDT  19h ago      snap.certbot.renew.timer     snap.certbot.renew.
Thu 2020-10-01 15:06:44 EDT  5h 32min left Wed 2020-09-30 15:06:44 EDT  18h ago      systemd-tmpfiles-clean.timer systemd-tmpfiles-cl
Fri 2020-10-02 00:00:00 EDT  14h left      Thu 2020-10-01 00:00:01 EDT  9h ago       unbound-anchor.timer         unbound-anchor.serv

(i.e. the top line with the snap.certbot.renew.timer should take care of everything, right?)

b) I get the browser padlock on all pages of the domain (except maybe a couple with mixed content I haven't yet got to fixing), and https://www.whynopadlock.com/ passes everything okay, but with one exception, which is:

Invalid Intermediate
You have an invalid or missing intermediate (bundle) certificate. This may not break your padlock on all browsers, but will on others. Please contact your SSL Vendor for assistance with this error.

Is this something that somebody can point me in the right direction with please? Thank you!

1 Like
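As an added illustration (not part of the original post), here is how I would answer question (a) on the box itself rather than by eyeballing the listing: pull the certbot timer out of `systemctl list-timers`, confirm it is active, look at what it runs, and do the dry run. The parsing assumes the unit name contains both "certbot" and "renew", which is true of the snap.certbot.renew.timer shown above; the sample listing is the one from the question, trimmed to the columns the check needs.

```shell
#!/bin/sh
# Added example, not from the thread. Finds a certbot renewal timer in
# `systemctl list-timers` output and shows the live follow-up checks.
# Assumption: the timer's unit name contains "certbot" and "renew"
# (true for snap.certbot.renew.timer).

# Print the UNIT field (the one ending in .timer) of every listing line that
# mentions certbot and renew. Reads `systemctl list-timers` output on stdin.
certbot_renew_timers() {
    awk 'NR > 1 && /certbot/ && /renew/ {
             for (i = 1; i <= NF; i++) if ($i ~ /\.timer$/) print $i
         }'
}

# Return 0 if at least one certbot renewal timer is listed on stdin, else 1.
renewal_is_scheduled() {
    [ -n "$(certbot_renew_timers)" ]
}

# Constructed sample: the listing from the question, trimmed to NEXT..UNIT.
SAMPLE_TIMERS='NEXT                         LEFT          LAST                         PASSED       UNIT
Thu 2020-10-01 10:33:00 EDT  58min left    Wed 2020-09-30 14:10:00 EDT  19h ago      snap.certbot.renew.timer
Thu 2020-10-01 15:06:44 EDT  5h 32min left Wed 2020-09-30 15:06:44 EDT  18h ago      systemd-tmpfiles-clean.timer
Fri 2020-10-02 00:00:00 EDT  14h left      Thu 2020-10-01 00:00:01 EDT  9h ago       unbound-anchor.timer'

# Timer name(s) found in the constructed sample.
scheduled_from_sample() {
    printf '%s\n' "$SAMPLE_TIMERS" | certbot_renew_timers
}

# Live checks, only meaningful on the server itself (not run automatically):
# the timer must exist AND be active, its service must run `certbot renew`,
# and the dry run must succeed with the same config the timer will use.
live_renewal_check() {
    unit=$(systemctl list-timers --all | certbot_renew_timers | head -n 1)
    [ -n "$unit" ] || { echo "no certbot renewal timer found"; return 1; }
    systemctl is-active "$unit"   # expect: active
    systemctl cat "$unit"         # schedule, and the service unit it activates
    certbot renew --dry-run       # exercises renewal without issuing anything
}

echo "renewal timer in sample listing: $(scheduled_from_sample)"
```

If `certbot_renew_timers` prints nothing on the live listing, no unit is going to renew for you and a cron entry (or enabling the timer) is needed; if it prints a unit, nothing needs adding to crontab.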

Looks alright.

Well, your webserver isn't sending the intermediate certificate at all. Unfortunately, as you haven't followed the original questionnaire which should have been presented to every user opening a new thread in the Help section, we have no way to know how you've installed the certificate so we can't guide you with details.

1 Like

Installation as per previous question:

1 Like

Could you give me the short summary instead of letting me dig through thousands of posts to figure out how you might have installed the certificate?

1 Like

Well, as noted in the other question, installed certbot on CentOS 7, Apache 2.x server, and manually added the SSL code blocks for the vhosts.

1 Like

In that case you probably didn't add the intermediate certificate.

Unfortunately, you're only giving the major version of your Apache. The way Apache wants the intermediate certificate configured depends on the minor and patch version too. Before 2.4.8 it used a separate directive while from 2.4.8 and onwards you could put the whole chain in the standard directive. For more information see mod_ssl - Apache HTTP Server Version 2.4

2 Likes
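To make the version point above concrete, here is an added example (mine, not from the thread, certbot or Apache) that picks the mod_ssl directives for a given Apache version, checks that the PEM file you point Apache at actually holds more than the leaf, and counts what a live server sends. It assumes certbot's standard layout under /etc/letsencrypt/live/<domain>/ (cert.pem = leaf, chain.pem = intermediate, fullchain.pem = leaf plus intermediate); the sample PEM files are constructed dummies, not real certificates.

```shell
#!/bin/sh
# Added example, not from the thread or from certbot/Apache.
# Assumes certbot's layout: /etc/letsencrypt/live/<domain>/{cert,chain,fullchain,privkey}.pem

# Return 0 when Apache version $1 is 2.4.8 or newer (SSLCertificateFile may
# carry the whole chain); return 1 for older releases, which need the
# separate SSLCertificateChainFile directive for the intermediate.
apache_accepts_fullchain() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 4 ] && return 0
    [ "$minor" -lt 4 ] && return 1
    [ "$patch" -ge 8 ]
}

# Emit the vhost SSL directives appropriate for Apache version $1, domain $2.
ssl_directives_for() {
    live="/etc/letsencrypt/live/$2"
    if apache_accepts_fullchain "$1"; then
        printf 'SSLCertificateFile %s/fullchain.pem\n' "$live"
        printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$live"
    else
        printf 'SSLCertificateFile %s/cert.pem\n' "$live"
        printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$live"
        printf 'SSLCertificateChainFile %s/chain.pem\n' "$live"
    fi
}

# Count certificates in a PEM file: 1 means leaf only, 2+ means the
# intermediate is present alongside it.
count_pem_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Live check (not run here): how many certificates the server really sends.
# Some browsers fetch or cache a missing intermediate on their own, which is
# why the padlock can show while a checker still reports the chain as missing.
served_chain_length() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed sample files (dummy markers, not real certificates).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' \
    > "$sample_dir/cert.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' \
    '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----' \
    > "$sample_dir/fullchain.pem"

echo "Directives for the Apache 2.4.6 server in this thread:"
ssl_directives_for 2.4.6 ukdirectsale.co.uk
echo "cert.pem holds $(count_pem_certs "$sample_dir/cert.pem") certificate(s)," \
     "fullchain.pem holds $(count_pem_certs "$sample_dir/fullchain.pem")"
```

On 2.4.6 the telling symptom is an SSLCertificateFile pointing at cert.pem with no SSLCertificateChainFile line at all; after editing the vhost, `served_chain_length yourdomain` should report 2 (or more) rather than 1.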

Apache version is Apache 2.4.6

1 Like

For more information see https://httpd.apache.org/docs/current/mod/mod_ssl.html

1 Like

I'm sure that page would be helpful if I knew what I was looking for.

1 Like

"Intermediate" is probably a good keyword to search for.

1 Like

Thanks for nothing. I'll try and get some help elsewhere.

1 Like

Ah, I guess you want a simple cut and clear answer so you won't learn anything? I'm sorry if I refuse to give you a fish so you'd eat for one day. I'm trying to teach you how to fish, so you'll eat for the rest of your life.

I'm terribly sorry you don't see it that way.

Also, before I posted I obviously checked whether "intermediate" is indeed a good keyword, which it is...

Furthermore, some light reading for the upcoming weekend: https://en.wikipedia.org/wiki/Autodidacticism

1 Like

That's typically what a help forum is for -- to help people. You're not helping anyone, you're just being jerkish. Knowing the solution saves a ton of time for me to be more productive helping other people, and I'd immediately know the solution for next time.

1 Like

Help can have many different forms. I choose to guide people, not just give answers.

That's your opinion. I've given you hints and tips where you can find the actual answer yourself.

That's also your opinion, which is allowed of course.

You realise that the solution is just, like, 5 minutes away, right? Even less, probably. Click on the link, press "Ctrl-F", type in the keyword I actually provided against my better judgement, press "Search" or "Next", read and judge the section the keyword is present in et voilà, you've found the solution. Or press "Next" again to go to the next section, where you'll judge that section.

For this very specific issue, yes. But for a new issue, you might open a new thread on a Community such as this. If you learn to figure out an issue and the solution to that issue yourself, you might be able to find the solution for the next problem yourself instead of relying on other people. I would advise you to try and be more self-sufficient. I don't mean this jerkishly, but expecting other people to do all the work for you comes across a little lazy. That's one of the reasons I guide instead of just answer. Almost everyone on this Community is a volunteer. We do this by choice. And personally, I detest lazy people expecting answers. On the other hand, if someone is willing to learn, guiding them to an answer is rather rewarding.

1 Like

What will we do when all the people that actually know how die off?

2 Likes

Not everyone who rides a train wants (or needs) to be a train driver.

2 Likes

Not everyone who rides the train steps out of the passenger cabin and into the engine room.
In all fairness, you did cross that line and are no longer "just a passenger" [your clients/users still are].

2 Likes

Hmm, well, I'll decline to debate the relative merits of trains, passengers and engine rooms and the various responsibilities, etc, but if I absolutely know the answer to something, and someone wants to know it, then I simply provide it; I really don't mind if they don't want to learn to fish. Horses for courses; your approach is not one that I'd endorse in this particular situation, but whatever help I get I appreciate, especially as I know it's offered freely.

Still, if you'd like to be even more helpful, maybe you can answer a related question:

Is there anything special I'd need to do in order to get certbot to properly issue certs for a bunch of domains which share the same IP address?

Reason I ask is that when I tried to get a cert done for any single domain of the bunch (i.e. sudo /var/lib/snapd/snap/bin/certbot certonly --apache), it seems to be successful, and provides the cert files, etc, but then the domain fails to work with https (although other sites on the same machine, using the same Apache server, with a GoDaddy-issued cert do work), and whynopadlock.com says (even though it says a cert is current) that "Your SSL certificate appears to be self signed" and "Your SSL certificate does not match your domain name!".

Any helpful hints? Thx!

3 Likes

I can certainly understand the efficiency concerns between researching solutions versus asking questions. It vastly depends upon the circumstances of both sides of the asker-askee equation. Let's please keep it civil though, people.

https://community.letsencrypt.org/guidelines

2 Likes

Now, in regards to your questions...

Nope. Just avoid the rate limits.

You can create a maximum of 10 Accounts per IP Address per 3 hours. You can create a maximum of 500 Accounts per IP Range within an IPv6 /48 per 3 hours. Hitting either account rate limit is very rare, and we recommend that large integrators prefer a design using one account for many customers. Exceeding these limits is reported with the error message too many registrations for this IP or too many registrations for this IP range.

certbot performs two functions: acquisition and installation.

Acquiring a certificate is comparatively easy.

If you're seeing a warning about self-signed certificates, it means that your acquired certificates aren't installed (in memory). Try restarting your webserver.

1 Like