Update wildcard certificate to include base domain

Definitely NOT a problem being caused by LE.

Which scripts are you referring to?

Again, I don’t have any details.
I can only assume you run something that creates the file.

The bad cert was for Nov 15, 2017 - Nov 15, 2018 (self-signed)
LE doesn’t do 1 year certs - never has.

That is very strange, this server is only 3 months old and we had only installed LE as an SSL?
This has me puzzled?

There is more than that - somewhere the file is being copied from point A to point B.
Most likely the copy command is appending rather than just copying.
Or including an extra file that wasn't intended to be included.

Is there a way I can trace, or is it possible/best to remove and start again?
Happy to clean the slate if it resolves the issue.
We need this model to work in production and would not want to have these issues on prod if it can be avoided.

This issue is not a consequence of using certbot.
You should look for the file with the contents of the first cert you sent.

If you can’t find a file with such content, you should review all the configuration on the system, including any files in the sites-enabled or conf-enabled folders.
And also review any systems that may be inline ahead of yours… like a load-balancer, etc. Anything that could be able to manipulate inbound HTTPS traffic; ensure it is not part of the problem.
A simple test you could do locally would be from the same box:
openssl s_client -connect localhost:443 -servername yourdomain.com.au -showcerts

Thanks for all your help.
Will be a bit blind with the search for errors. Be able to trace/search for some of your suggestions.

Ran this command and got an output, though not sure if there are errors or not?

openssl s_client -connect localhost:443 -servername example.com.au -showcerts

The output should show the certs being served - in order.
Compare them to the ones you posted earlier.

Also:

And yet the version of Apache (2.4.6) is almost 5 years old...
I think your new server came from an old (or re-used) image.

Thanks for highlighting. Time for an upgrade and a revisit to the image this was sourced from.

I’m getting the impression you are not a Linux guy.
Or maybe just not really into IT.

The problem isn’t that difficult.
The solution - the solutions are many.
If there is nothing to lose, you could just scrap the whole thing and start over.
If you can, I’d use Ubuntu’s latest LTS version, with nginx and certbot-auto; but that’s just me and I know nothing about your systems, nor your business, nor their requirements.
Whatever you choose, good luck.

Am in IT,
Not an expert,
Always ask questions
Always learning
Thanks for all your assistance. Much appreciated.

This is set up this way as our production is running this version, and we are setting up a test server to test upgrading to current versions to identify issues during the upgrade.

Am glad to hear that.
Here is a little something you could “learn” today:
(a simple way to search through your system for a file that contains a specific string)
cd /
grep -r "MIID/jCCAuagAwIBAgICfAAwDQYJKoZIhvcNA" /etc

The string is from your first cert.
It might take a while as it would be looking through all the files on the disk(s).
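The two checks suggested in this thread (dump the chain the server actually serves with `openssl s_client -showcerts`, then grep the filesystem for the cert that should not be there) fit naturally into one script. The following is an added example, not code from the thread or from certbot; it assumes `openssl` is in PATH, certbot's standard `/etc/letsencrypt/live/<domain>/fullchain.pem` layout, and a web server answering on `localhost:443`. It splits a served chain into individual certificates, prints each one's fingerprint, subject, issuer and validity in served order, reports any served certificate that is not in certbot's `fullchain.pem`, and searches `/etc` for files containing each stray certificate's first base64 line, which is the same trick as the `grep -r` above.

```shell
#!/bin/sh
# Added example (not the thread's own code). Assumptions: openssl in PATH, certbot's
# standard /etc/letsencrypt/live/<domain>/fullchain.pem layout, server on localhost:443.

# Split a PEM stream (stdin) into $1/cert.N.pem, one file per certificate.
# Prints the number of certificates found.
split_pem_chain() {
    awk -v dir="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert." n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    '
}

# SHA-256 fingerprint of the certificate in PEM file $1: lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Index, fingerprint, subject, issuer and validity of every cert in PEM file $1, in
# served order. A self-signed entry whose subject is the machine's hostname is the
# "third cert" symptom described in the thread.
summarize_chain() {
    tmp=$(mktemp -d) || return 1
    count=$(split_pem_chain "$tmp" < "$1")
    i=1
    while [ "$i" -le "$count" ]; do
        f=$tmp/cert.$i.pem
        printf '#%s sha256=%s\n' "$i" "$(cert_fingerprint "$f")"
        openssl x509 -in "$f" -noout -subject -issuer -dates | sed 's/^/    /'
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

# Chain actually served for SNI name $1 by $2 (host:port), as PEM on stdout.
# stderr is discarded on purpose: only the certificate blocks are wanted here.
fetch_served_chain() {
    openssl s_client -connect "$2" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# Print fingerprints of certs in served chain $1 that are absent from expected chain $2,
# copying each stray cert to $3/stray.N.pem. Returns 0 (prints nothing) when every served
# certificate is one certbot issued.
unexpected_certs() {
    s=$(mktemp -d) && e=$(mktemp -d) || return 1
    ns=$(split_pem_chain "$s" < "$1")
    ne=$(split_pem_chain "$e" < "$2")
    known=" "; j=1
    while [ "$j" -le "$ne" ]; do
        known="$known$(cert_fingerprint "$e/cert.$j.pem") "
        j=$((j + 1))
    done
    rc=0; i=1
    while [ "$i" -le "$ns" ]; do
        fp=$(cert_fingerprint "$s/cert.$i.pem")
        case $known in
            *" $fp "*) ;;
            *) printf '%s\n' "$fp"; cp "$s/cert.$i.pem" "$3/stray.$i.pem"; rc=1 ;;
        esac
        i=$((i + 1))
    done
    rm -rf "$s" "$e"
    return $rc
}

# Files under $2 (default /etc) that contain the certificate in PEM file $1.
# Same idea as the grep in the thread: key on the cert's first base64 line.
find_cert_files() {
    line=$(sed -n '2p' "$1")
    grep -rlF -- "$line" "${2:-/etc}" 2>/dev/null
}

main() {
    domain=${1:?usage: $0 domain [host:port]}
    target=${2:-localhost:443}
    live=/etc/letsencrypt/live/$domain/fullchain.pem
    work=$(mktemp -d) || exit 1
    fetch_served_chain "$domain" "$target" > "$work/served.pem"
    echo "== chain served by $target for $domain =="
    summarize_chain "$work/served.pem"
    echo "== served certs missing from $live =="
    if unexpected_certs "$work/served.pem" "$live" "$work"; then
        echo "(none)"
    else
        for f in "$work"/stray.*.pem; do
            echo "-- $f may have come from:"; find_cert_files "$f" /etc
        done
    fi
    rm -rf "$work"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

Run it as `sh check_chain.sh example.com.au` on the server itself. Comparing fingerprints rather than eyeballing PEM text is deliberate: two certificates for the same name from different issuers look alike in a terminal, and the fingerprint settles immediately whether a served block is certbot's or something else on the box.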

Well now that makes sense.

Hmm, I wonder: is it possible that you’ve configured the fullchain.pem as SSLCertificateChainFile instead of SSLCertificateFile, and that the SSLCertificateFile directive is pointing at the self-signed cert?

Thanks for the suggestion, but that was not the issue. Have checked the LE install/configuration symlinks, and all appear correct from my understanding.

It led me to think about other possible issues, and I have found what the problem was, as discovered in this thread.

"/etc/httpd/conf.d/ssl.conf contained a default Virtual Host for 443 connections, within which it used a localhost certificate."
This was issuing the server local cert as the "Third cert".

Once I had removed/commented this default virtual server, it allowed LE to correctly issue for base domain and subdomain.

As a recap, there were two answers to my request.

Our configuration is a newly installed CentOS 7 using Apache 2.4.6.
Old Apache and other versions required setting up a copy of a production server to allow for testing the upgrade.

The answer is always obvious once you know....It's the journey getting there that makes it enjoyable.
Thanks once again to everyone's suggestions and input.
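The root cause above, a default `_default_:443` vhost in `/etc/httpd/conf.d/ssl.conf` still serving the distribution's self-signed localhost certificate alongside the Let's Encrypt vhost, is easy to recognise in configuration once you know to look. The following is an added example, not the poster's actual configuration or anything generated by certbot; the file name `example-le-ssl.conf`, the host name `example.com.au` and the exact directives are assumptions, while the `localhost.crt`/`localhost.key` paths are the CentOS 7 stock ones. It shows the problematic shape beside the corrected one, and also carries the Apache-version caveat that matters on 2.4.6: only Apache 2.4.8 and later accept intermediates inside `SSLCertificateFile`, so an older server needs `cert.pem` plus `SSLCertificateChainFile chain.pem` rather than `fullchain.pem`.

```apache
# ---- BEFORE: two vhosts compete for port 443 ----

# /etc/httpd/conf.d/ssl.conf (stock CentOS 7 shape, trimmed)
Listen 443 https
<VirtualHost _default_:443>
    # No ServerName, so this catch-all answers HTTPS requests no other vhost claims,
    # and the self-signed localhost certificate it carries ends up in what clients see.
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>

# /etc/httpd/conf.d/example-le-ssl.conf (assumed file name)
<VirtualHost *:443>
    ServerName example.com.au
    ServerAlias www.example.com.au
    SSLEngine on
    # Wrong directive for the chain: fullchain.pem belongs in SSLCertificateFile
    # (2.4.8+) or must be split into cert.pem + chain.pem (older Apache such as 2.4.6).
    SSLCertificateChainFile /etc/letsencrypt/live/example.com.au/fullchain.pem
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com.au/privkey.pem
</VirtualHost>

# ---- AFTER: one vhost per name, default vhost disabled, chain placed correctly ----

# /etc/httpd/conf.d/ssl.conf: keep the Listen and module settings, drop the vhost
Listen 443 https
# <VirtualHost _default_:443> ... </VirtualHost> removed; nothing else should listen on 443
# with the localhost certificate once the real vhosts are in place.

# /etc/httpd/conf.d/example-le-ssl.conf (assumed file name), Apache 2.4.6 form
<VirtualHost *:443>
    ServerName example.com.au
    ServerAlias www.example.com.au
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/example.com.au/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/example.com.au/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.com.au/chain.pem
</VirtualHost>

# On Apache 2.4.8 or newer the last three lines collapse to:
#   SSLCertificateFile    /etc/letsencrypt/live/example.com.au/fullchain.pem
#   SSLCertificateKeyFile /etc/letsencrypt/live/example.com.au/privkey.pem
```

Before reloading, `httpd -t` checks the syntax and `httpd -S` prints every vhost bound to each port together with the file and line that defines it; if `*:443` still lists a vhost from `ssl.conf`, the default one has not actually gone away. Since certbot renews into the same `live/` paths, a vhost written this way keeps working across renewals without further edits.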

You haven’t waited long enough.

The way I do this is to use dig against all NS DNS records, as you have no way of knowing which will answer… so…

If you have NS records of ns1 + ns2 + ns3…

dig +short _acme-challenge.example.com.au txt @ns1
dig +short _acme-challenge.example.com.au txt @ns2
dig +short _acme-challenge.example.com.au txt @ns3

Then only proceed after both TXT records show up per all NS IPs.

You must wait till both TXT records show up on all NS records correctly, before proceeding.
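The advice above, query every authoritative nameserver directly and continue only when all of them return both TXT values, can be automated. The following is an added example and not David's script or anything from certbot; it assumes `dig` is installed and that the zone publishes its authoritative servers as NS records. `check_all_ns` reports, per nameserver, which expected values are still missing (exact-line matching, so a stale value from an earlier attempt cannot stand in for the new one), and `wait_for_txt` polls until every server agrees or a timeout expires. The base domain and the wildcard each need their own TXT value at `_acme-challenge.<domain>`, which is why it takes a list of expected values rather than one.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes dig is installed and that the zone's
# authoritative servers are published as NS records.

# TXT values served by authoritative server $2 for name $1, one per line, quotes stripped.
query_txt() {
    dig +short "$1" TXT "@$2" | tr -d '"'
}

# Authoritative nameservers of zone $1, one per line, trailing dot removed.
zone_ns() {
    dig +short "$1" NS | sed 's/\.$//'
}

# check_all_ns NAME "NS1 NS2 ..." "VALUE1 VALUE2 ..."
# Returns 0 only when every expected value is present on every nameserver.
# Prints one "missing on <ns>: <value>" line per gap.
check_all_ns() {
    name=$1; servers=$2; expected=$3
    rc=0
    for ns in $servers; do
        have=$(query_txt "$name" "$ns")
        for want in $expected; do
            # Exact line match: a leftover value from a previous attempt must not
            # satisfy the check for the new token.
            if ! printf '%s\n' "$have" | grep -qxF -- "$want"; then
                echo "missing on $ns: $want"
                rc=1
            fi
        done
    done
    return $rc
}

# wait_for_txt NAME ZONE TIMEOUT_SECONDS VALUE...
# Polls all NS of ZONE every 15 s until every VALUE is visible on each, or TIMEOUT passes.
wait_for_txt() {
    name=$1; zone=$2; timeout=$3; shift 3
    expected=$*
    servers=$(zone_ns "$zone")
    [ -n "$servers" ] || { echo "no NS records found for $zone" >&2; return 2; }
    waited=0
    until check_all_ns "$name" "$servers" "$expected"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "gave up after ${timeout}s" >&2
            return 1
        fi
        sleep 15; waited=$((waited + 15))
    done
    echo "all TXT values present on every NS; safe to continue the challenge"
}

if [ $# -gt 0 ]; then
    # e.g. sh wait_txt.sh _acme-challenge.example.com.au example.com.au 600 TOKEN1 TOKEN2
    wait_for_txt "$@"
fi
```

Querying each NS by name with `@ns` bypasses any caching resolver, so a "present" answer here means the authoritative server really has the record; that is the property the ACME validation server depends on, and it is why checking through your normal resolver is not enough.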

Hi David,

Thanks for your thoughts. Have found various means to test for the files. Once I have actioned that test, I then proceed with the rest of the process, and it has been working fine.

Peter
