Website no longer secure, certificate created 5/3/2021, renewal due 8/1/2021

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: hprauto.com

I ran this command: www.hprauto.com

It produced this output: No longer secure site. Certificate in the key chain is valid. Renewal due Aug 1st.

My web server is (include version): Server 5.6.1

The operating system my web server runs on is (include version): Mac OS High Sierra 10.13.6

My hosting provider, if applicable, is: Network Solutions

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.33.0


hprauto.com redirects to www.hprauto.com, but your certificate only covers hprauto.com. You need to fix either your redirect or your certificate.


Thanks so much. Working now. I had looked at that but thought the certificate was for www.hprauto.com.


Welcome to the Let's Encrypt Community, Jeffrey :slightly_smiling_face:

Still not fixed...

https://certlogik.com/ssl-checker/

In addition to the current certificate not covering www.hprauto.com, no intermediate certificates are being served for either hprauto.com or www.hprauto.com.

https://whatsmychaincert.com/?hprauto.com

https://whatsmychaincert.com/?www.hprauto.com


Thank you very much. I redirect the other sites to hprauto.com for which the certificate has been authorized. Now it works.


I don't think you understand, my friend.

The certificate being served for www.hprauto.com does not include www.hprauto.com. When many people visit https://www.hprauto.com, they will be shown a warning about the website being insecure before being redirected. Depending upon your visitors' browsers, the lack of intermediate certificates being served by hprauto.com and www.hprauto.com can result in both addresses being considered insecure due to presenting incomplete certificate chains. Additionally, none of the cipher suites being used support forward secrecy.

https://www.ssllabs.com/ssltest/analyze.html?d=hprauto.com

https://www.ssllabs.com/ssltest/analyze.html?d=www.hprauto.com

I highly recommend using the Intermediate ciphers shown here:

https://ssl-config.mozilla.org/

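The two failures described in this thread (a leaf whose SAN list lacks www.hprauto.com, and a server that sends only cert.pem instead of fullchain.pem) can be reproduced offline. The following is an added example written for this page, not code from any post here or from Certbot: it builds a throwaway root / intermediate / leaf hierarchy in memory (all names and serials constructed) and then runs the same path-building and name check a browser performs, once with the intermediate withheld and once with a leaf that only names the apex.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a throwaway hierarchy built in memory so the checks run offline.
// Every name and serial is constructed for the example; nothing here touches
// the real hprauto.com certificate.
type PKI struct {
	Roots        *x509.CertPool    // what the browser trusts
	Intermediate *x509.Certificate // what fullchain.pem carries and cert.pem does not
	LeafApex     *x509.Certificate // SAN: hprauto.com only (the situation in the thread)
	LeafBoth     *x509.Certificate // SAN: hprauto.com and www.hprauto.com (the fix)
}

func newTemplate(cn string, serial int64, isCA bool, dns []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(90 * 24 * time.Hour),
		DNSNames:              dns, // browsers match the host against SANs, not the CN
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// sign issues tmpl under parent; with parent == nil it is self-signed (a root).
func sign(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildPKI creates root -> intermediate -> two leaves, the same shape Let's Encrypt issues.
func BuildPKI() *PKI {
	root, rootKey := sign(newTemplate("Example Root", 1, true, nil), nil, nil)
	inter, interKey := sign(newTemplate("Example Intermediate", 2, true, nil), root, rootKey)
	apex, _ := sign(newTemplate("hprauto.com", 3, false, []string{"hprauto.com"}), inter, interKey)
	both, _ := sign(newTemplate("hprauto.com", 4, false, []string{"hprauto.com", "www.hprauto.com"}), inter, interKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &PKI{Roots: roots, Intermediate: inter, LeafApex: apex, LeafBoth: both}
}

// Verify does what a browser does after the handshake: build a path from the leaf
// to a trusted root using only the intermediates the server actually sent, and
// check that the requested host is covered by the leaf's SAN list.
func Verify(host string, leaf *x509.Certificate, served []*x509.Certificate, roots *x509.CertPool) error {
	inter := x509.NewCertPool()
	for _, c := range served {
		inter.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       host,
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// IsNameError: the leaf does not cover the requested name (SAN mismatch).
func IsNameError(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// IsChainError: no path to a trusted root, which is what a missing intermediate looks like.
func IsChainError(err error) bool {
	var ue x509.UnknownAuthorityError
	return errors.As(err, &ue)
}

func main() {
	p := BuildPKI()
	full := []*x509.Certificate{p.Intermediate} // the extra certificate fullchain.pem adds
	fmt.Println("hprauto.com, cert.pem only (no intermediate):", Verify("hprauto.com", p.LeafApex, nil, p.Roots))
	fmt.Println("www.hprauto.com, fullchain but SAN lacks www: ", Verify("www.hprauto.com", p.LeafApex, full, p.Roots))
	fmt.Println("www.hprauto.com, both SANs and fullchain:     ", Verify("www.hprauto.com", p.LeafBoth, full, p.Roots))
}
```

The first two calls fail for different reasons, and that distinction matters when reading checker output: a hostname error means the certificate itself is wrong (re-issue with both names), while an unknown-authority error means the certificate may be fine but the server is not sending the intermediate (point Apache at fullchain.pem). Some browsers paper over the second case by fetching the intermediate via AIA or from a cache, which is why a site can look fine on one machine and broken on another.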

First of all, I really appreciate the time you are taking to help me out. This is my first foray into certificates. When I first initiated the request I listed hprauto.com and www.hprauto.com as domains. I see now that the certificate only applies to hprauto.com because that is the domain established with my internet provider. I see the cipher suite. Two questions. My webserver is Apache. I assume that the cipher suite needs to be placed into the httpd-vhosts.conf file, correct? The other question is that I have another domain listed at the same IP address. Will adding that cipher suite cause this other domain to be redirected to the secure site? I do not have a certificate for that site. Thank you in advance for your help.


You are quite welcome, my friend. :slightly_smiling_face:

Hopefully we haven't come across too demandingly. We want you to truly succeed in your certificate endeavors.


When you registered hprauto.com with your domain registrar (Network Solutions), all of its subdomains came included. You have A records in your DNS for both hprauto.com and www.hprauto.com that point to a live webserver, so you need a certificate to cover both names.

I see no such certificate ever issued:

https://crt.sh/?q=hprauto.com


Certbot should have set these for you in its own include file if you used the apache installer.

sudo certbot --cert-name hprauto.com --apache -d "hprauto.com,www.hprauto.com"


Not if the directives (from the aforementioned include) are inside the VirtualHost for hprauto.com.

What are the outputs of:

sudo certbot certificates
sudo ls -lRa /etc/letsencrypt
sudo apachectl -S
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled

Please put 3 backticks above and below each output, like this:

```
output
```


@tialaramex is too modest about the post below and actually outlines fixes that I should have.

Ah, @griffin beat me to it. No need to read this unless you want to as it mostly duplicates his advice.

Last first, let's talk about that Mozilla configuration recommendation:

The section about rewriting (all the lines that start with Rewrite, such as RewriteCond and RewriteRule, and their enclosing VirtualHost condition) is the part of Mozilla's recommendation that upgrades people to HTTPS. So you should not apply this for the site for which you don't have a certificate; if unsure, leave all those lines out altogether for now. The part nearer the bottom from the line starting SSLProtocol is the part that would improve the security of the site for visitors by using more modern ciphers, and so that's the change which is more important to integrate.

While you're in the Apache configuration (and before telling Apache to reload the configuration) look for SSLCertificateFile and see if it's currently set to a path ending in fullchain.pem; if it isn't, this may be why your site fails that "Chain" check somebody else mentioned. This may not have any apparent effect for you, but it can cause problems on some browsers, so better fix it if possible by using the fullchain.pem file.

You might look at whether you can just ask Certbot to expand your certificate to include the name www.hprauto.com as well. It sounds like these are essentially the same web site, on the same machine, in which case it could be as simple as:

certbot --expand -d hprauto.com -d www.hprauto.com

This tells Certbot that you'd like the existing certificate "expanded" by adding www.hprauto.com to it, and you can prove you control this name too.


Good recommendations, @tialaramex. :slightly_smiling_face:

I'd do this like so:

sudo certbot --cert-name hprauto.com --apache -d "hprauto.com,www.hprauto.com"

This ensures that it's the hprauto.com certificate that gets expanded.


I personally despise using rewrites when there's a much better way.

Avoid them:

A common use for RewriteRule is to redirect an entire class of URLs. For example, all URLs in the /one directory must be redirected to http://one.example.com/, or perhaps all http requests must be redirected to https.

These situations are better handled by the Redirect directive.

https://httpd.apache.org/docs/current/rewrite/avoid.html

How:

https://cwiki.apache.org/confluence/plugins/servlet/mobile?contentId=115522478#content/view/115522444
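Pulling the advice from the last few posts together (fullchain.pem in SSLCertificateFile, the Mozilla intermediate SSLProtocol/SSLCipherSuite block, Redirect instead of RewriteRule, and leaving the second certificate-less domain alone), the following is an added example of what the Apache vhost file could look like. It is not configuration from any post in this thread or from Certbot. The file path, DocumentRoot values and the name of the other domain (other.example) are assumptions; the /etc/letsencrypt/live/hprauto.com/ paths are Certbot's defaults on Linux and will differ on macOS. The cipher list is Mozilla's intermediate profile as it stood when this thread was written; regenerate it at https://ssl-config.mozilla.org/ rather than copying it. Putting the full chain in SSLCertificateFile needs Apache 2.4.8 or newer; older builds need SSLCertificateChainFile pointing at chain.pem.

```apache
# /etc/apache2/sites-available/hprauto.com.conf (path assumed)
#
# Both names come in on port 80 and are sent to the canonical HTTPS name with a
# plain Redirect. This is the "upgrade to HTTPS" part; only apply it to names
# that the certificate covers.
<VirtualHost *:80>
    ServerName hprauto.com
    ServerAlias www.hprauto.com
    Redirect permanent / https://hprauto.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName hprauto.com
    # ServerAlias only makes sense once the certificate's SAN list includes www.
    ServerAlias www.hprauto.com
    # DocumentRoot is assumed.
    DocumentRoot /var/www/hprauto.com

    SSLEngine on
    # fullchain.pem = leaf + intermediate. Pointing this at cert.pem is what makes
    # the chain checkers linked above report a missing intermediate.
    SSLCertificateFile    /etc/letsencrypt/live/hprauto.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hprauto.com/privkey.pem

    # Mozilla "intermediate" profile (2021 version; regenerate before use).
    # TLS 1.2+ only and ECDHE/DHE suites only, so every suite offers forward
    # secrecy. These directives are scoped to this VirtualHost and do not affect
    # the plain-HTTP vhost for the other domain below.
    SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
    SSLCipherSuite      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    SSLHonorCipherOrder off
    SSLSessionTickets   off
</VirtualHost>

# The other domain on the same IP keeps its own vhost with no Redirect and no
# SSLEngine, so nothing above touches it. Name and DocumentRoot are assumed.
<VirtualHost *:80>
    ServerName other.example
    DocumentRoot /var/www/other.example
</VirtualHost>
```

After editing, run `sudo apachectl configtest` (or `apachectl -t`) before reloading; `sudo apachectl -S` then shows which VirtualHost each name and port resolves to, which is the quickest way to confirm that other.example did not pick up the redirect or the TLS settings.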

That is the command that I used to create the certificate but I only received it for hprauto.com. I assume in retrospect that I did not get a certificate for www.hprauto.com because it was listed as a domain. I had set the path to where the fullchain.pem file was but got an error saying it was missing or empty. You are correct, the only reason I have www.hprauto.com as a site is to redirect users to hprauto.com. Thanks for responding.


I'll give that a try. I originally used the command recommended by tialaramex and it gave me an option to expand but then I got an error stating that the http-01 challenge for www.hprauto.com could not be found.


That looks like a very simple solution. I will try that. Thanks again.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.