Website not secure

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com

I ran this command: salt name state.apply letsencrypt

It produced this output: output is success, but with the SSL certificate I get "connection not secure"

My web server is (include version):

The operating system my web server runs on is (include version): Debian 4.

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0


2 Likes

okay sorry.
https://noorirubbers.in

What's going on exactly? Because there's something terribly wrong..

Please see the certificates issued for your domain here: crt.sh | noorirubbers.in

You're currently using the certificate with "crt.sh ID" 6241662845, which is from February. Since then, 23 (!!!) certificates (if I counted correctly) have been issued! Sometimes multiple on the same day, sometimes just a single one, sometimes a few days without issuance in between (probably due to rate limits...).

What are you doing?

2 Likes

Yeah, some time back I had some issue, then I had tried manually multiple times. After that we didn't get the "not secure" issue.
Now I tried automatically by applying the state file; I get all OK, but still my connection is not secure.
I am using Apache.

What software is that exactly?

2 Likes

The configuration management tool SaltStack.

I can't find anything using state.apply letsencrypt on the official Saltstack documentation. However, I did find some (forks of) a github project GitHub - TimMurphy123/formula-letsencrypt: Saltstack Formula for managing letsencrypt certificates with certbot which doesn't seem to be maintained any longer.

How did you install that state.apply letsencrypt thingy? Did it come with Saltstack? Did you have to do something manually for it to work?

There is however an official (I think?) ACME module and ACME "state" (whatever a state may be):

https://docs.saltproject.io/en/latest/ref/modules/all/salt.modules.acme.html

https://docs.saltproject.io/en/latest/ref/states/all/salt.states.acme.html

Maybe it's a good idea to use that module?

Please use the staging environment for testing/experimenting.

2 Likes

We are using the letsencrypt formula, and salt minionname state.apply letsencrypt.

What's the contents of the pillar file you're using for the letsencrypt formula?

2 Likes

    letsencrypt:
      client:
        source:
          engine: pkg
      config:
        email: onlineaccounts@amepos.in
        authenticator: apache
        # webroot-path: /var/www/html
      use_package: true
      pkgs:
        - python3-certbot-apache
      domainsets:
        noorirubbers.in:
          - noorirubbers.in
      post_renew:
        cmds:
          - systemctl reload apache

Ok, so the reload command is present, good.

Could you share the Apache configuration file for noorirubbers.in? The one with SSLCertificateFile in it.

2 Likes
<VirtualHost *:80>
    ServerName noorirubbers.in
    ServerAlias www.noorirubbers.in
    ServerAdmin onlineaccounts@amepos.in

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.noorirubbers.in [OR]
    RewriteCond %{SERVER_NAME} =noorirubbers.in
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#################################################################

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName noorirubbers.in
        ServerAlias www.noorirubbers.in
        ServerAdmin onlineaccounts@amepos.in
        DocumentRoot /var/www/html/noorirubbers.in

        php_flag display_startup_errors off
        php_flag display_errors off
        php_flag log_errors on
        php_value error_log "/var/www/html/noorirubbers.in/php_errors.log"	

        <Directory /var/www/html/noorirubbers.in>
            Options -Indexes +FollowSymLinks
            AllowOverride All
            DirectoryIndex index.php index.html
        </Directory>

        <Directory /var/www/html/noorirubbers.in/development>
            Options -Indexes +FollowSymLinks
            AllowOverride All
            DirectoryIndex index.php index.html

            php_flag display_startup_errors on
            php_flag display_errors on
            php_flag html_errors on
            php_flag log_errors on
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/noorirubbers.in-error.log
        CustomLog ${APACHE_LOG_DIR}/noorirubbers.in-access.log combined

        RewriteEngine on

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/noorirubbers.in/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/noorirubbers.in/privkey.pem

    </VirtualHost>
</IfModule>

Could you show the output of the command:

openssl x509 -noout -text </etc/letsencrypt/live/noorirubbers.in/fullchain.pem

Note that fullchain.pem is publicly available, so no privacy issues there. (privkey.pem on the other hand should always be kept private!)

2 Likes

/etc/letsencrypt/live/noorirubbers.in# ls -al
total 28
drwxr-xr-x 2 root root 4096 Feb 25 09:40 .
drwx------ 23 root root 4096 Feb 25 09:37 ..
lrwxrwxrwx 1 root root 44 Feb 25 09:28 cert.pem -> ../../archive/noorirubbers.in-0008/cert1.pem
lrwxrwxrwx 1 root root 45 Feb 25 09:28 chain.pem -> ../../archive/noorirubbers.in-0008/chain1.pem
lrwxrwxrwx 1 root root 49 Feb 25 09:28 fullchain.pem -> ../../archive/noorirubbers.in-0008/fullchain1.pem
-rw------- 1 root root 7300 Feb 25 09:32 fullchain-privkey1.pem
-rw------- 1 root root 7304 Feb 25 09:40 fullchain-privkey.pem
lrwxrwxrwx 1 root root 47 Feb 25 09:28 privkey.pem -> ../../archive/noorirubbers.in-0008/privkey1.pem
-rw-r--r-- 1 root root 692 Feb 25 09:28 README

/etc/letsencrypt/live/noorirubbers.in-0009# ls -al
total 12
drwxr-xr-x 2 root root 4096 Apr 26 14:07 .
drwx------ 23 root root 4096 Feb 25 09:37 ..
lrwxrwxrwx 1 root root 44 Apr 26 14:07 cert.pem -> ../../archive/noorirubbers.in-0009/cert2.pem
lrwxrwxrwx 1 root root 45 Apr 26 14:07 chain.pem -> ../../archive/noorirubbers.in-0009/chain2.pem
lrwxrwxrwx 1 root root 49 Apr 26 14:07 fullchain.pem -> ../../archive/noorirubbers.in-0009/fullchain2.pem
lrwxrwxrwx 1 root root 47 Apr 26 14:07 privkey.pem -> ../../archive/noorirubbers.in-0009/privkey2.pem
-rw-r--r-- 1 root root 692 Feb 25 09:35 README

Actually, in /etc/letsencrypt/live I have noorirubbers.in and noorirubbers.in-0009,
not understanding which one it will take.

openssl x509 -noout -text </etc/letsencrypt/live/noorirubbers.in/fullchain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:80:db:d6:95:8b:c6:0c:79:a1:80:98:22:31:11:36:7e:4d
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Feb 25 08:28:01 2022 GMT
            Not After : May 26 08:28:00 2022 GMT
        Subject: CN = noorirubbers.in
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:bf:b5:dc:db:5a:41:30:72:50:ed:09:11:9f:e4:
                    d7:97:51:50:01:7f:67:00:59:af:ae:b8:24:74:60:
                    5d:fd:11:5c:6b:8c:8c:97:21:72:c3:c4:77:0e:55:
                    e0:1e:df:38:38:cc:67:25:c9:ee:dc:36:ea:41:2d:
                    01:c7:09:b0:94:65:21:ea:30:12:23:78:32:9c:1b:
                    a5:9b:0a:bf:5a:43:37:52:7a:69:99:eb:95:b5:21:
                    50:d9:77:c3:00:77:c6:c0:cb:1b:9c:6c:24:94:0a:
                    84:8a:a8:df:fc:e1:23:dc:20:58:9a:f5:ff:9d:f6:
                    11:4e:fe:33:e9:89:76:72:2d:94:ca:5a:d3:b9:11:
                    e6:07:eb:01:35:be:fd:31:ef:56:2d:d9:0d:bd:ce:
                    5a:f1:5f:be:d0:08:ae:19:97:04:24:69:8d:93:1c:
                    22:cf:b6:bc:b7:c9:1d:d8:cf:68:9c:95:e3:87:75:
                    2b:2d:9f:42:7c:75:9b:7b:35:2e:0e:0e:dc:1f:5d:
                    82:6b:a4:69:d0:b4:66:73:01:3b:15:d0:5a:c5:b2:
                    c2:f8:c5:98:7b:2a:dc:cb:dd:31:95:db:42:e3:f3:
                    d0:53:3e:e8:37:56:c1:14:a8:54:8e:fd:60:31:b7:
                    a5:89:fc:ee:38:6b:4f:9d:2f:da:d9:ae:53:a5:92:
                    78:99
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                EF:AA:4B:32:A2:BD:D8:1E:AD:D9:53:D7:DB:D6:74:2F:AF:2B:0D:56
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6

        Authority Information Access: 
            OCSP - URI:http://r3.o.lencr.org
            CA Issuers - URI:http://r3.i.lencr.org/

        X509v3 Subject Alternative Name: 
            DNS:noorirubbers.in
        X509v3 Certificate Policies: 
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org

        CT Precertificate SCTs: 
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 41:C8:CA:B1:DF:22:46:4A:10:C6:A1:3A:09:42:87:5E:
                            4E:31:8B:1B:03:EB:EB:4B:C7:68:F0:90:62:96:06:F6
                Timestamp : Feb 25 09:28:01.720 2022 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:46:02:21:00:8B:A0:DE:FD:45:BA:2B:F2:98:DA:B5:
                            BE:E1:E0:39:21:80:F9:E6:3F:65:0B:54:50:C4:DF:6E:
                            38:25:D2:13:2C:02:21:00:9E:00:63:53:74:EA:1B:11:
                            9B:88:1F:03:FA:B3:04:08:7C:B8:14:2C:89:02:C8:60:
                            16:F3:F2:D5:D4:9A:48:9B
            Signed Certificate Timestamp:
                Version   : v1 (0x0)
                Log ID    : 29:79:BE:F0:9E:39:39:21:F0:56:73:9F:63:A5:77:E5:
                            BE:57:7D:9C:60:0A:F8:F9:4D:5D:26:5C:25:5D:C7:84
                Timestamp : Feb 25 09:28:01.688 2022 GMT
                Extensions: none
                Signature : ecdsa-with-SHA256
                            30:45:02:21:00:8C:52:9D:BD:49:D9:9F:0B:12:D5:BE:
                            94:D6:2A:0C:BD:81:3E:87:9B:72:BE:FC:7A:A3:FA:24:
                            DB:41:B5:76:0D:02:20:19:B7:9D:03:32:92:0D:D2:DD:
                            71:AE:17:1A:B2:91:22:65:BD:BC:04:20:B3:C9:FF:F8:
                            DE:EA:B0:5E:61:6B:7B
    Signature Algorithm: sha256WithRSAEncryption
     9d:22:be:ed:cd:5a:e3:ef:a7:ae:db:94:59:a2:8a:13:57:24:
     2c:0f:6a:f6:29:5f:03:4f:24:a1:a8:c3:1b:34:4a:8a:74:89:
     fc:03:98:2b:8f:f6:f7:8c:35:86:32:33:41:b7:92:9a:b4:93:
     7b:2f:7e:68:b2:9f:50:a9:52:40:9e:d0:c6:9f:23:65:53:5d:
     51:b0:df:2a:b2:ac:21:0a:ea:02:c3:a7:02:f5:7f:6e:4e:64:
     9b:60:1e:a7:c9:a3:b4:d9:c5:f9:07:9b:77:81:a4:56:0d:27:
     3a:16:ff:bf:fc:5c:f4:d6:7f:e4:53:a2:c1:eb:0d:e1:85:e6:
     a9:f3:af:7d:ff:1c:6d:ab:fa:ab:e3:06:c1:4b:18:dc:99:5d:
     e4:10:2a:d5:52:06:10:17:1f:b1:fb:dc:a2:a2:8f:1c:f2:f3:
     ff:c0:e5:52:e8:f9:2c:c7:f4:df:0f:4f:dd:38:47:89:9e:6d:
     93:ec:6b:f0:e5:d5:56:de:7d:f9:a9:f8:ee:6a:f6:d8:e9:81:
     31:aa:5a:96:a1:b0:d7:74:59:0c:3b:c8:54:73:6f:37:df:83:
     92:a7:81:97:e8:6d:84:b4:fa:32:3c:a4:7a:af:2c:39:5a:b3:
     fe:e1:fe:f8:20:f6:b6:8a:69:ed:49:8e:24:d1:60:f8:1c:72:
     f9:17:88:d4

What shows?:
certbot certificates

2 Likes

This is BAD. The symbolic links in /live/ should ALWAYS point to the corresponding (i.e. identical in name) directory in /archive/. Here, we see /live/noorirubbers.in/ being mixed with /archive/noorirubbers.in-0008. This is NOT something Certbot would do.

Did you or maybe a colleague modify anything manually in /etc/letsencrypt/live/ and/or /etc/letsencrypt/archive/? I can't imagine Saltsomething would have done this. And Certbot certainly didn't either.

So that's the old certificate. You might want to check other directories (e.g. /etc/letsencrypt/live/noorirubbers.in-0009/) for the up-to-date one.

2 Likes

What do I have to do now?
Which certificate can I delete?

You need to find out which certificate available in /etc/letsencrypt/ is not expired.

2 Likes
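The two checks the replies above ask for (that every live/<name>/ symlink resolves into archive/<name>/ of the same lineage, and which certificate on disk is still valid) can be automated. The script below is an added example written for this thread; it is not code from the original posts, from Certbot or from the SaltStack formula. It assumes the standard Certbot layout with relative symlink targets of the form ../../archive/<name>/<file><N>.pem, and the demo tree it builds (good.example, bad.example) is constructed placeholder data, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original thread or from Certbot: audit a Certbot
# config directory such as /etc/letsencrypt.
#   check_lineage CONFDIR NAME  - exit 0 if live/NAME is consistent, 1 otherwise
#   check_all CONFDIR           - run check_lineage over every live/ directory
#   show_expiry CONFDIR         - print subject and expiry per lineage (needs openssl)
# A mismatch like live/noorirubbers.in -> archive/noorirubbers.in-0008 is the
# hand-edited layout seen in the thread and is reported as an error.

check_lineage() {
    confdir=$1
    name=$2
    status=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        link="$confdir/live/$name/$f"
        if [ ! -L "$link" ]; then
            echo "$name/$f: missing or not a symlink (Certbot always uses symlinks here)"
            status=1
            continue
        fi
        target=$(readlink "$link")
        # Certbot writes relative targets: ../../archive/<name>/<file><N>.pem
        archive_name=$(printf '%s\n' "$target" | sed -n 's#^\.\./\.\./archive/\([^/]*\)/.*$#\1#p')
        if [ "$archive_name" != "$name" ]; then
            echo "$name/$f -> $target: archive lineage '$archive_name' does not match live name '$name'"
            status=1
        elif [ ! -e "$link" ]; then
            echo "$name/$f -> $target: dangling symlink"
            status=1
        fi
    done
    return $status
}

check_all() {
    confdir=$1
    rc=0
    for d in "$confdir"/live/*/; do
        [ -d "$d" ] || continue
        check_lineage "$confdir" "$(basename "$d")" || rc=1
    done
    return $rc
}

show_expiry() {
    confdir=$1
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
    for d in "$confdir"/live/*/; do
        [ -d "$d" ] || continue
        printf '%s: ' "$(basename "$d")"
        # cert.pem is the leaf; -enddate prints notAfter so expired lineages stand out
        openssl x509 -noout -subject -enddate -in "$d/cert.pem" | tr '\n' ' '
        echo
    done
}

# make_demo_tree ROOT: constructed layout with empty placeholder files (not real
# certificates): one correct lineage and one mixed-up lineage like the thread's.
make_demo_tree() {
    root=$1
    mkdir -p "$root/archive/good.example" "$root/live/good.example"
    mkdir -p "$root/archive/bad.example-0008" "$root/live/bad.example"
    for f in cert chain fullchain privkey; do
        : > "$root/archive/good.example/${f}1.pem"
        ln -s "../../archive/good.example/${f}1.pem" "$root/live/good.example/$f.pem"
        : > "$root/archive/bad.example-0008/${f}1.pem"
        ln -s "../../archive/bad.example-0008/${f}1.pem" "$root/live/bad.example/$f.pem"
    done
}

# Stand-alone demonstration on the constructed tree; on a real host run
# "check_all /etc/letsencrypt && show_expiry /etc/letsencrypt" as root instead.
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_demo_tree "$demo"
    check_all "$demo" && echo "all lineages consistent" || echo "inconsistent lineages found"
    rm -rf "$demo"
fi
```

On the host in the thread, check_all would flag every link in live/noorirubbers.in/ because they resolve into archive/noorirubbers.in-0008, while live/noorirubbers.in-0009/ would pass. Treat the script as a quick triage aid: certbot certificates remains the authoritative view of what Certbot itself believes each lineage is, and the output of the two should agree before you delete anything.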