Website says not a trusted site

My domain is: www.newkiddintown.com and newkiddintown.com

I ran the commands listed in Certbot - Debian buster Apache

It produced this output: saying it was successful.

My web server is (include version): a Raspberry Pi with Buster using Apache webservices

My hosting provider, if applicable, is: Apache

I can log in to a root shell on my machine (yes)

ISSUE:

I recently moved houses and the website got pretty messed up. I have resolved all other issues except one. There is a certificate issue I am unable to fix. It shows that my site is not a trusted site and that I have a certificate name mismatch ("domain names listed in it do not match the domain name you requested us to inspect" - ssllabs.com).

I have renewed the cert using Certbot, and I have completely redone the cert, which shows it was done successfully, but the site still says it's untrusted.

The public IP for the site is
47.184.10.80
Which is reachable without issue. But when attempting to connect to either
www.newkiddintown.com
or
newkiddintown.com

I receive the above errors.

Could someone please point me in the right direction as to where my cert is misconfigured?

Thank you.

1 Like

pi@raspberrypi:~ $ sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: newkiddintown.com
2: www.newkiddintown.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1,2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/www.newkiddintown.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for newkiddintown.com and www.newkiddintown.com
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf
Enhancement redirect was already set.
Enhancement redirect was already set.


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://newkiddintown.com and
https://www.newkiddintown.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
1 Like

Nevermind, the post I just missed tells me enough.

Please note that choosing "2" at the option provided does NOT help at all: you got a perfectly fine certificate previously. Getting new ones doesn't help if the installation part (option 1) doesn't work properly.

It's kinda weird it's not working, I have a feeling the issue lies with your Apache configuration. Please show the output of:

apachectl -S

1 Like

Here is the reply from Certbot Certificates:
Found the following certs:
Certificate Name: www.newkiddintown.com
Serial Number: 4100f4f9c65ffbbc72fbaf1ac2fd1a3e25a
Key Type: RSA
Domains: newkiddintown.com www.newkiddintown.com
Expiry Date: 2021-08-20 17:50:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.newkiddintown.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.newkiddintown.com/privkey.pem

Please see my reply to the main post to see what commands I entered for Certbot.

1 Like

Yeah, sorry, our posts must have crossed, I didn't see your second post. Please see my edited post above. The output of certbot certificates looks fine, you've got a perfectly good certificate there :slight_smile: Now only Apache needs to use it.

1 Like

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 www.newkiddintown.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 127.0.1.1 (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

Hm, this is weird. There's only a single hostname configured (www.newkiddintown.com), but for some reason the certbot apache plugin actually managed to retrieve www.newkiddintown.com and newkiddintown.com from your Apache configuration? Not sure where it got that from.

Anyway, you should fix your Apache configuration. The <VirtualHost> sections in both 000-default.conf and 000-default-le-ssl.conf should have a ServerName newkiddintown.com and ServerAlias www.newkiddintown.com directive. After you've fixed that, please show the output of apachectl -S again.

Also, please show the contents of both those files, just to be sure.

1 Like

Here is 000-default.conf
sudo cat 000-default.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

RewriteEngine on
RewriteCond %{SERVER_NAME} =newkiddintown.com [OR]
RewriteCond %{SERVER_NAME} =www.newkiddintown.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Here is 000-default-le-ssl.conf

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

ServerName www.newkiddintown.com
Include /etc/letsencrypt/options-ssl-apache.conf
ServerAlias newkiddintown.com
SSLCertificateFile /etc/letsencrypt/live/www.newkiddintown.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.newkiddintown.com/privkey.pem

Could you please tell me where I need to fix these files, and how to do so?

Have any updates? @Osiris

Anyone? Let me know if there’s different opinions also.

Where it says:

It should say:

ServerName newkiddintown.com
ServerAlias www.newkiddintown.com

And:

Where it says:

You should change it into:

ServerName newkiddintown.com
ServerAlias www.newkiddintown.com

Strictly speaking you could also use the www as ServerName and the "bare" domain as alias, but I like to keep things the same among configuration files :slight_smile:

That said, the configuration files you've presented do not refer to any self-signed certificate! So that's very weird. Could you, after you've made the above changes, paste the output of:

grep -Ri sslcertificatefile /etc/apache2/

1 Like

I have applied the changes.

Here is the response from grep -Ri sslcertificatefile /etc/apache2/

sudo grep -Ri sslcertificatefile /etc/apache2/

/etc/apache2/sites-available/default-ssl.conf: # SSLCertificateFile directive is needed.
/etc/apache2/sites-available/default-ssl.conf: SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
/etc/apache2/sites-available/default-ssl.conf: # the referenced file can be the same as SSLCertificateFile
/etc/apache2/sites-available/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/www.newkiddintown.com/fullchain.pem
/etc/apache2/sites-enabled/000-default-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/www.newkiddintown.com/fullchain.pem

sudo apachectl -S

AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
*:443 www.newkiddintown.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 newkiddintown.com (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

I don't understand what's going wrong. Your grep command doesn't show any active references to a self-signed certificate (the snakeoil.pem is only in sites-available and not in sites-enabled). And I would have thought the ServerAlias directives would also show in the apachectl -S command, but they don't?

I've run out of ideas, maybe someone else can pitch in?

2 Likes

000-default.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
ServerName newkiddintown.com
ServerAlias www.newkiddintown.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

000-default-le-ssl.conf

# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
    ServerName newkiddintown.com
    ServerAlias www.newkiddintown.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.newkiddintown.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.newkiddintown.com/privkey.pem

Anyone able to pitch in here?

What does the command openssl x509 -noout -text -in /etc/ssl/certs/ssl-cert-snakeoil.pem give?

2 Likes

openssl x509 -noout -text -in /etc/ssl/certs/ssl-cert-snakeoil.pem
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
39:bc:d0:18:f5:8c:58:a1:df:4b:8f:72:fd:eb:bd:17:46:a6:32:ca
Signature Algorithm: sha256WithRSAEncryption
Issuer: CN = arm-build.pitowers.org
Validity
Not Before: Dec 2 12:47:00 2020 GMT
Not After : Nov 30 12:47:00 2030 GMT
Subject: CN = arm-build.pitowers.org
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b2:b0:43:e4:a9:e4:f6:89:1d:e0:25:01:0a:b3:
fa:19:41:54:3b:bf:4c:d0:81:1c:b5:70:a7:ac:91:
2f:9a:3c:d3:0c:0b:29:9f:44:e9:7d:dd:41:13:f9:
2c:95:b9:5d:2e:65:5a:e6:99:57:e0:95:52:fe:bb:
70:14:e6:bf:6b:6b:67:13:34:7c:da:df:1c:50:3e:
51:99:00:aa:6a:0e:48:a5:5b:00:50:89:42:34:6a:
c7:9b:98:ba:92:11:81:8f:91:f9:89:68:ae:c0:52:
69:1c:ba:8a:08:6e:79:57:a0:cd:64:77:f2:37:46:
87:04:62:8b:9c:a3:5a:5a:6f:90:b0:f4:86:e5:2b:
14:43:bb:18:17:d6:d0:19:0e:8f:e5:91:4a:b3:27:
c1:aa:1f:c6:04:8d:16:e4:9a:b0:9b:d0:8e:0d:53:
7a:31:a7:d6:ea:23:f7:a8:db:e3:d1:af:49:bc:78:
ba:79:da:78:3b:80:c1:3c:db:c9:a7:30:b0:e4:16:
75:54:41:fb:90:56:3a:99:ec:6f:cf:12:79:fc:a7:
7a:e2:bf:84:4d:12:4b:3a:44:e4:f5:06:0f:d0:1e:
7e:ef:16:cf:75:bf:82:0d:4e:81:ba:70:60:28:b1:
df:f9:ee:81:ac:4e:ba:b4:8f:65:82:4c:6b:e2:70:
bd:4b
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
X509v3 Subject Alternative Name:
DNS:arm-build.pitowers.org
Signature Algorithm: sha256WithRSAEncryption
1f:e3:03:53:49:00:7f:b1:96:f2:d4:4f:e4:7b:29:5b:97:65:
63:40:5f:5d:01:e1:fc:08:7d:21:49:d6:89:1b:4a:ca:4e:ef:
c3:aa:f0:e3:10:ec:22:82:d2:a8:3c:45:7d:1e:2e:fa:61:52:
ed:57:f6:b3:1b:2c:84:fa:09:39:4f:b7:41:6f:2a:1a:08:46:
0b:ee:e5:18:63:c7:19:07:97:42:e3:a9:82:0a:78:d8:df:d8:
3e:bd:9a:1d:5b:d3:9b:e8:3f:d3:a7:ef:71:91:9f:39:87:ea:
2e:d0:d3:06:39:63:70:8b:62:53:fc:01:38:c2:db:c8:37:01:
44:4c:7d:2e:ba:e0:2c:1a:cb:e0:3c:6f:18:e1:4e:78:2e:51:
a6:6d:62:99:ab:1e:07:55:46:c6:dc:fa:96:de:13:8c:f8:45:
d5:2e:f5:57:40:29:b7:46:77:2e:f8:c9:b7:67:ee:7e:c9:7b:
44:19:43:c5:44:ba:be:25:26:67:e9:9f:18:d2:73:bb:c6:f4:
83:c4:f4:98:42:2f:9b:35:c3:3d:26:09:dd:8f:ff:19:f7:1f:
e7:18:1e:74:e5:d1:ca:8a:9b:df:ce:f6:48:9f:bb:ea:26:3a:
b5:0e:4d:2b:76:e3:b1:02:1d:5e:91:95:49:69:21:f7:67:a5:
3d:d9:86:7b

When I am connecting to https://www.newkiddintown.com/ I got the following self-signed certificate: subject: C=US; ST=MA; L=Lowell; O=Arris Group, Inc.; OU=Telco CPE; CN=dsldevice-168188803076192.domain_not_set.invalid.

Your DSL modem does not properly forward the HTTPS connection to your Raspberry Pi. Before dealing with the certificate issue, please check first the basic connectivity to your website.

2 Likes
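A way to automate the check described in the reply above (an added example, not code from this thread, from Certbot or from Apache): connect to the Pi itself and to the public address with the requested hostname as SNI, read the names on whatever certificate is actually presented, and classify the result. If the Pi serves a certificate covering the name but the public address does not, Apache is fine and something in front of it (here the modem) is answering port 443; if the Pi itself serves the wrong certificate, the vhost configuration is the problem. The name-matching and verdict functions run offline on constructed name lists modelled on the certificates quoted in the thread; the live check in `main` assumes the third-party `cryptography` package is installed for DER parsing, and its default hostname and public IP are the ones from the original post.

```python
import socket
import ssl

# Constructed name lists, modelled on the three certificates seen in this thread.
LETSENCRYPT_NAMES = ["newkiddintown.com", "www.newkiddintown.com"]
SNAKEOIL_NAMES = ["arm-build.pitowers.org"]
MODEM_NAMES = ["dsldevice-168188803076192.domain_not_set.invalid"]


def hostname_matches(hostname, pattern):
    """RFC 6125-style comparison: case-insensitive exact match, or a single
    leading wildcard label ('*.example.com' matches 'a.example.com' but not
    'example.com' or 'a.b.example.com')."""
    hostname = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return hostname == pattern
    host_labels = hostname.split(".")
    pat_labels = pattern.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def san_covers(hostname, names):
    """True if any certificate name (SAN DNS entry, or CN fallback) covers hostname."""
    return any(hostname_matches(hostname, n) for n in names)


def diagnose(requested_name, local_names, external_names):
    """Classify a name mismatch from the names on the certificate served by the
    host itself versus the one served via the public address."""
    local_ok = san_covers(requested_name, local_names)
    external_ok = san_covers(requested_name, external_names)
    if local_ok and external_ok:
        return "ok"
    if local_ok:
        return "port-forwarding"  # Apache serves the right cert; the NAT device does not
    return "apache-vhost"         # Apache itself picks a vhost whose cert lacks the name


def served_names(connect_host, server_name, port=443, timeout=5.0):
    """Connect to connect_host:port, send server_name as SNI, and return the DNS
    SANs (or the subject CN when there are none) of the certificate actually
    presented. Verification is deliberately off: the goal is to inspect a wrong
    certificate, not to reject it. Assumes the 'cryptography' package (not stdlib)."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((connect_host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
    cert = x509.load_der_x509_certificate(der)
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName)
        names = ext.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        names = []
    if not names:
        names = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    return names


def main(argv=None):
    import sys
    argv = sys.argv[1:] if argv is None else argv
    name = argv[0] if len(argv) > 0 else "www.newkiddintown.com"   # from the original post
    public_ip = argv[1] if len(argv) > 1 else "47.184.10.80"       # from the original post
    local = served_names("127.0.0.1", name)     # run this on the Pi itself
    external = served_names(public_ip, name)    # best run from outside the LAN
    print("served by the Pi      :", local)
    print("served via public IP  :", external)
    print("verdict               :", diagnose(name, local, external))


if __name__ == "__main__":
    main()
```

Run it on the Pi as `python3 check_cert.py www.newkiddintown.com 47.184.10.80`. The public-IP leg is most reliable from a connection outside the home network (a phone hotspot, for instance), because some routers do not loop a connection to their own WAN address back to the forwarded host, which would show a spurious "port-forwarding" verdict.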

I have the website port forwarded to the Raspberry Pi on port 80. I see there is a Frontier (my ISP) login after continuing past the "website cert not trusted" webpage. I figured that since the cert isn't correct, my ISP is blocking the site. Could this be a correct assumption?