Website showing as insecure by Chrome, Firefox


#21

Not www.* but www.outrightsoftware.com.
As long as there is no other VirtualHost which occupies that name, yes :slight_smile:

As a general rule of thumb: all names which the certificate is valid for should be listed as ServerAlias, one of them as ServerName.


#22

Thanks for taking out time to reply.

It's still working on with www. Please advise.

<VirtualHost *:443>
DocumentRoot /opt/bitnami/apps/wordpress/htdocs
ServerName outrightsoftware.com
ServerAlias wwww.outrightsoftware.com
SSLEngine on
SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/fullchain.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/private.pem

Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"

<FilesMatch "\.(cgi|shtml|phtml|php)$">
SSLOptions +StdEnvVars
</FilesMatch>

BrowserMatch "MSIE [2-6]" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>


#23

Try commenting out ServerAlias and restarting / reloading Apache


#24

I am trying to fix www issue by adding ServerAlias, will that solve the purpose if I remove that?


#25

So you want your site to only respond on https://outrightsoftware.com/ and not https://www.outrightsoftware.com/ ??

Then take out ServerAlias in the Port 443 config and do a redirect on the port 80 for both to redirect to https://outrightsoftware.com/

<VirtualHost *:80>
ServerName outrightsoftware.com
ServerAlias www.outrightsoftware.com
Redirect permanent / https://outrightsoftware.com/
</VirtualHost>

You can also redirect the SSL www site to the non www by adding another vhost configuration

<IfModule mod_ssl.c>
<VirtualHost *:443>
ServerName www.outrightsoftware.com
SSLEngine on
SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/fullchain.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/private.pem
Include "/opt/bitnami/apps/wordpress/conf/httpd-app.conf"
Redirect permanent / https://outrightsoftware.com/
</VirtualHost>
</IfModule>

#26

Great, the last section with SSL redirect worked. Thanks a ton for your time and support.


#27

Excellent and no problem at all, through our combined efforts @bytecamp glad you are up and running now :+1:


#28

You still offer the wrong certificate when retrieving https://www.outrightsoftware.com/


#29

Expanding ssl certs to domain with www will help you in this situation.
certbot --expand -d outrightsoftware.com -d www.outrightsoftware.com


#30

The certificate is already valid for both domain names. The OP just hasn’t configured Apache to offer it on www.outrightsoftware.com, too.


#31

This cannot work as there are no SSL* statements.


#32

LOL … you got me … my brain is really not with it at the moment … (updated it)


#33

I tried by adding ServerAlias, is there any other method?


#34

That was right, but you put a typo in the name:

ServerAlias wwww.outrightsoftware.com
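
Added example, not part of the original thread: a small Python check for the rule of thumb from post #21, comparing the names a certificate covers with the ServerName/ServerAlias entries of the VirtualHosts that serve it. The sample config and the `CERT_NAMES` list are constructed from the names in this thread, and the function names are hypothetical; wildcard aliases and Include files are not handled.

```python
import re

# Constructed sample mirroring the vhost posted in the thread (typo included).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName outrightsoftware.com
    ServerAlias wwww.outrightsoftware.com
    SSLEngine on
    SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/fullchain.pem
</VirtualHost>
"""
# Names the certificate covers, per the thread (assumed to be its full SAN list).
CERT_NAMES = ["outrightsoftware.com", "www.outrightsoftware.com"]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def host_only(arg):
    """Reduce a ServerName argument such as https://host:443 to the bare host."""
    return re.sub(r"^[a-z]+://", "", arg.lower()).split(":")[0].rstrip(".")

def vhosts(conf):
    """Yield (address, names, cert_file) for every VirtualHost block."""
    for addr, body in VHOST_RE.findall(conf):
        names, cert = set(), None
        for line in body.splitlines():
            parts = line.split("#", 1)[0].split()   # drop comments, tokenize
            if not parts:
                continue
            key, args = parts[0].lower(), parts[1:]
            if key in ("servername", "serveralias"):
                names.update(host_only(a) for a in args)
            elif key == "sslcertificatefile" and args:
                cert = args[0].strip('"')
        yield addr.strip(), names, cert

def audit(conf, cert_file_suffix, cert_names):
    """Compare cert names with the names of the vhosts that serve that cert."""
    served = set()
    for _addr, names, cert in vhosts(conf):
        if cert and cert.endswith(cert_file_suffix):
            served |= names
    wanted = {n.lower() for n in cert_names}
    return {"not_served": sorted(wanted - served),    # cert name no vhost answers for
            "not_in_cert": sorted(served - wanted)}   # vhost name the cert lacks

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "outrightsoftware.com/fullchain.pem", CERT_NAMES))
```

On a live system the name list can be read from the certificate itself, for example with `openssl x509 -in fullchain.pem -noout -ext subjectAltName` (OpenSSL 1.1.1 or later).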


#35

Ooops, great, this works. Thanks a ton. Is there any way to remove the 2nd certificate, as SSLLabs is showing the 2nd certificate as bad?


#36

Have a look into your configuration. There must be another VirtualHost which references this certificate. I would recommend deleting the whole VirtualHost which uses it - just to clean up your configuration.

Try to find with grep:

$ grep -r SSLCertificateFile /etc/apache2


#37

Great, Thanks a ton for the support. I found that in one of the bitnami files. Really helpful.


#38

BTW. I had the same problem.

  • on Ubuntu 17.10 with the default apache2 config where all I added was a ServerName directive
  • certbot found the domain and created a new SSL apache config
  • Chrome didn’t trust that site because it couldn’t validate the owner.

The fix was to change SSLCertificateFile from fullcert.pem to cert.pem and add an SSLCertificateChainFile with chain.pem.

My question is why didn’t certbot do the right thing by default?

version 0.19.0

