Change it to SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem and SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem.
So I have it like this now:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.nuriasol.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.nuriasol.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.nuriasol.net/chain.pem
Still I get the invalid certificate error:
"nuriasol.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is not valid for the name nuriasol.net. Error code: SEC_ERROR_UNKNOWN_ISSUER"
Something stupid I fail to see here?
Originally I followed these instructions:
Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org/
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:www.nuriasol.net
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.nuriasol.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.nuriasol.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.nuriasol.net/chain.pem
Probably one with <VirtualHost *:80> for the HTTP requests and the other <VirtualHost *:443> for the HTTPS site. That's normal and doesn't explain why your webserver isn't serving the correct certificate
I doubt that's useful. Somehow there's a certificate served for loft9004.dedicatedpanel.com.
One thing I saw in your configuration files is you're using only ServerAlias and not ServerName. This could be a problem for Apache: core - Apache HTTP Server Version 2.4
This is problematic if you're using both hostnames in a single <VirtualHost> section, because Apache will just serve one certificate for both hostnames. Options are:
Split both hostnames in two separate files both with their own <VirtualHost> section pointing to the correct certificate;
Get a third certificate but now for BOTH hostnames and use that new certificate in the current <VirtualHost> section.
If I try to ask for a certificate for both, it fails on a timeout now (certbot-auto --apache -d nuriasol.net -d www.nuriasol.net)
I can of course create separate vhost files, but they at the moment only contain the rewrite rule, i.e. they are not pointing to any certificate.
The certificates are mentioned in the nuriasol.net-le-ssl.conf file.
Maybe if I delete that, and put the corresponding
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/www.nuriasol.net/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.nuriasol.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/www.nuriasol.net/chain.pem
To each vhost file?
I think the problem originally occurred because I created the certificate separately for www.nuriasol.net and nuriasol.net, while they were having one vhost file only (with both configured as aliases: I fixed that).
Created a vhost file for www.nuriasol.net and for nuriasol.net separately, as there are two certificates because of my mistake…
Then deleted the nuriasol.net-le-ssl.conf file.
Then added the reference to the corresponding certificates on the end of the vhost configurations.
Re-enabled both vhosts and then reloaded apache.
That's because certbot has generated a specific configuration file for the HTTPS site: the nuriasol.net-le-ssl.conf file.
The original file nuriasol.net.conf should contain a <VirtualHost *:80> and the nuriasol.net-le-ssl.conf file contained a <VirtualHost *:443> section, respectively the virtualhost section for HTTP and HTTPS.
Euh, did you add the SSL directives to the <VirtualHost *:80> sections? Although I'm seeing your HTTPS site actually works, so I guess you added it to the correct virtualhost section
Unfortunately, your redirect isn't working now. If I go to http://www.nuriasol.net I'm seeing an Apache test page. Perhaps you've modified your <VirtualHost *:80> sections to <VirtualHost *:443> sections, and now your HTTP site isn't working any more?
And now you can enter your site(s) into https://whynopadlock.com because there are a lot of non-secure resources loaded on the page, which will remove the green padlock and turn it into a “non-secure” variant!
Also, be advised, this redirect variant will give you issues with the webroot authenticator! I don’t know if you’ve used that authenticator or the apache plugin, but when using webroot, Let’s Encrypt requests the token from the HTTP site in the directory /.well-known/acme-challenge/. With this redirect, the path (/.well-known/acme-challenge/tOkEn) is removed when redirecting!
So if your renewal won’t work because you’re using the webroot plugin and this redirect, you now know why
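The mismatch diagnosed earlier in this thread (a vhost answering for both hostnames without a ServerName, serving a certificate whose SAN lists only www.nuriasol.net) can be caught before reloading Apache. The following is an added example, not part of any post in the thread; the sample config and the SAN table are constructed, the function names are hypothetical, and wildcard SANs are not handled.

```python
import re

# Constructed sample modelled on the thread: one *:443 vhost lists both
# hostnames but points at a certificate issued for www.nuriasol.net only.
SAMPLE_CONF = """
<VirtualHost *:80>
    ServerAlias nuriasol.net www.nuriasol.net
    RewriteEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerAlias nuriasol.net www.nuriasol.net
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.nuriasol.net/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.nuriasol.net/privkey.pem
</VirtualHost>
"""

# Assumption: SAN names per certificate, as read from `openssl x509 -text`.
CERT_SANS = {
    "/etc/letsencrypt/live/www.nuriasol.net/fullchain.pem": {"www.nuriasol.net"},
}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name):
    """Return every argument given to a directive inside one vhost body."""
    args = []
    for line in body.splitlines():
        parts = line.split()
        if parts and parts[0].lower() == name.lower():
            args.extend(parts[1:])
    return args

def audit(conf, cert_sans):
    """Return (vhost address, finding) pairs for the problems seen in the thread."""
    findings = []
    for addr, body in VHOST_RE.findall(conf):
        names = directive(body, "ServerName") + directive(body, "ServerAlias")
        certs = directive(body, "SSLCertificateFile")
        if not directive(body, "ServerName"):
            findings.append((addr, "no ServerName"))
        if addr.endswith(":80") and certs:
            findings.append((addr, "SSL directives in HTTP vhost"))
        for cert in certs:
            for host in names:
                if host not in cert_sans.get(cert, set()):
                    findings.append((addr, f"{host} not in SAN of {cert}"))
    return findings

if __name__ == "__main__":
    for addr, msg in audit(SAMPLE_CONF, CERT_SANS):
        print(addr, "-", msg)
```
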