Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
It produced this output: completed successfully. I had a lot of trouble with unable to find .80 vhost.
My web server is (include version): apache 2.4.62
The operating system my web server runs on is (include version): Fedora Linux 40
My hosting provider, if applicable, is: self hosted
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.11.0
After I was able to solve the vhost problem I restarted apache. After many restarts of apache I found through top that multiple instances of apache were running. I killed all of them using the kill -9 command. Checked /etc/httpd/conf/httpd.conf and /etc/httpd/conf/httpd-le-ssl.conf. Both seem ok. I started apache using sudo httpd -f /etc/httpd/conf/httpd.conf to ensure it was using the correct config file. When I check the certificate in the browser it shows an issue date of 2021 and an expiration date of 2027. This is a certificate I generated back in 2021 to play with. At that time I was hosting my site on Arvixe. I have since retired and just wanted to put up a page to let folks know that I retired. I can't find out how to determine which certificate is being loaded. If I can determine the exact name of the loaded certificate I can disable it.
First, your domain replies to HTTP requests (port 80) but not to HTTPS (port 443) requests from the public internet. So, while it may work from your local network it isn't working at all for requests from the public internet. See for example this test tool: https://decoder.link/sslchecker/prestoncomputerservice.com/443
As for Apache, let's check its config by showing us this output:
sudo httpd -t -D DUMP_VHOSTS
(I think httpd is the right one for Fedora but might be apachectl or apache2ctl)
Some good news is that I see you got several certs from Let's Encrypt in recent days. You should stop making new cert requests though or just use the LE staging system. You are close to getting rate limited on the production system.
Let's sort out your Apache config problem. We can use one of the certs you already got.
VirtualHost configuration:
*:443 is a NameVirtualHost
default server 192.168.105.60 (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost 192.168.105.60 (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost www.prestoncomputerservice.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias prestoncomputerservice.com
*:80 is a NameVirtualHost
default server prestoncomputerservice.com (/etc/httpd/conf/httpd.conf:360)
port 80 namevhost prestoncomputerservice.com (/etc/httpd/conf/httpd.conf:360)
alias www.prestoncomputerservice.com
port 80 namevhost prestoncomputerservice.com (/etc/httpd/conf/httpd-le-ssl.conf:15)
alias www.prestoncomputerservice.com
Can you show the contents of this file? It will show us the cert you have defined but also will help fix the problem with a duplicate domain:port problem for port 80. You'll notice you have the same domains listed twice for port 80 which won't produce the right results.
/etc/httpd/conf/httpd-le-ssl.conf
Also, show the VirtualHost in /etc/httpd/conf/httpd.conf that starts at line # 360
Show that whole file if you must but just need the VirtualHost itself. Need to see that to know how to move forward regarding the duplicate name problem.
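An added example, not part of the original posts: a Python check that reads `httpd -t -D DUMP_VHOSTS` output and reports every hostname claimed by more than one VirtualHost on the same listener, which is the duplicate described above. The sample is the listing from this thread with constructed indentation, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the DUMP_VHOSTS listing from this thread, re-indented.
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server 192.168.105.60 (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost 192.168.105.60 (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.prestoncomputerservice.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 alias prestoncomputerservice.com
*:80                   is a NameVirtualHost
         default server prestoncomputerservice.com (/etc/httpd/conf/httpd.conf:360)
         port 80 namevhost prestoncomputerservice.com (/etc/httpd/conf/httpd.conf:360)
                 alias www.prestoncomputerservice.com
         port 80 namevhost prestoncomputerservice.com (/etc/httpd/conf/httpd-le-ssl.conf:15)
                 alias www.prestoncomputerservice.com
"""

LISTEN = re.compile(r"^(\S+)\s+is a NameVirtualHost")
VHOST = re.compile(r"^\s*port \d+ namevhost (\S+) \((.+:\d+)\)\s*$")
ALIAS = re.compile(r"^\s*alias (\S+)\s*$")


def find_duplicate_names(dump):
    """Return {(listener, hostname): [file:line, ...]} for names claimed more than once."""
    claims = defaultdict(list)
    listener = where = None  # current "addr:port" block and current vhost location
    for line in dump.splitlines():
        if m := LISTEN.match(line):
            listener, where = m.group(1), None
        elif m := VHOST.match(line):
            where = m.group(2)
            claims[(listener, m.group(1).lower())].append(where)
        elif (m := ALIAS.match(line)) and where:
            # An alias belongs to the namevhost line printed just before it.
            claims[(listener, m.group(1).lower())].append(where)
    return {key: locs for key, locs in claims.items() if len(locs) > 1}


if __name__ == "__main__":
    for (listener, name), locs in sorted(find_duplicate_names(SAMPLE).items()):
        print(f"{listener}: {name} is defined in {', '.join(locs)}")
```

On a live server the same function can be fed the real output, for example by piping `sudo httpd -t -D DUMP_VHOSTS` into a script that passes `sys.stdin.read()` to it.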
And, in this same httpd-le-ssl.conf file the port 443 VirtualHost should have the SSLEngine on line un-commented. I'm not sure why this even works right with that disabled. The rest of this VHost looks okay. This one specifically:
<VirtualHost *:443>
ServerName www.prestoncomputerservice.com
#SSLEngine on
Fixed the httpd.conf file and restarted. Still two problems.
1st is it is still loading the wrong certificate file as far as I can tell. When looking at the certificate in chrome, the start date is Oct 12 2021 and expiration date of Apr 24 2027. I checked the www.prestoncomputerservice.com/fullchain.pem certificate using openssl in the path specified and it shows:
Validity
Not Before: Aug 26 07:00:52 2024 GMT
Not After : Nov 24 07:00:51 2024 GMT
2nd is the page it brings up is a 501 page stating there is a potential DNS rebind attack.
How do you recommend finding the certificate it is currently using? And how do I make it use the fullchain.pem certificate?
The system has been rebooted in addition to multiple web server restarts.
Your server is using the correct cert when viewed from the public internet. Use either the SSL Checker site I linked earlier or SSL Labs to check. You should check each of your domain names (the apex name and the www subdomain). I did and they were both correct. See example: SSL Server Test: prestoncomputerservice.com (Powered by Qualys SSL Labs)
Have you restarted Chrome? Because sometimes browsers cache old certs.
The DNS Rebind and the 501 http error are not related to your certs. Maybe some other volunteer will offer help with those but I don't have enough time for now. I would just check how you manage the IP when using your local network ('hosts' file?) and make sure it is correct and that you don't use any IP addresses in any HTTP(s):// links on your web pages.
Your public DNS looks fine so those are likely related to your local network config or your web app.
Great! Thank you for the help. I think I should be good from here. It probably is a cache issue. As long as it is working from the public end I am less concerned by local issues and will figure the local issues.
Those tools only check if the correct cert is used. There may be other issues with your app (like faulty href links and such).
You could try using a mobile phone with wifi disabled so you use your carrier's public network. It's always a good idea to have a way to test the full app from outside your network.
Thanks, I will do that as soon as I get a more appropriate page setup and make sure I have enabled proper security on the server. Until then I’m going to turn off the port forwarding. Thank you for your help.
Working this problem still. When I run apachectl configtest or httpd -t I get the following:
Syntax error on line 10 of /etc/httpd/conf/httpd-le-ssl.conf:
SSLCertificaatefile: file '/etc/letsencrypt/live/www.prestoncomputerservice.com/fullchain.pem' does not exist or is empty
I checked the file and found it was a link to etc/letsencrypt/archive/www.prestoncomputerservice.com/fullchain.pem
This file exists and is 2.9k and does contain a certificate.
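An added example, not part of the original post: a Python helper that follows a certificate symlink hop by hop and says whether the final target is missing, empty, unreadable or a PEM certificate, the conditions behind the "does not exist or is empty" message. The tree it builds is constructed, `example.test` is a placeholder name, and the function names are hypothetical.

```python
import os
import tempfile


def trace_cert_link(path, max_hops=8):
    """Follow a symlink chain hop by hop and return (hops, verdict)."""
    hops = [path]
    while os.path.islink(path):
        if len(hops) > max_hops:
            return hops, "too many links"
        target = os.readlink(path)
        # A relative target resolves against the link's own directory,
        # not against the current working directory.
        path = os.path.normpath(os.path.join(os.path.dirname(path), target))
        hops.append(path)
    if not os.path.exists(path):
        return hops, "missing"
    try:
        with open(path, "rb") as fh:
            data = fh.read()
    except PermissionError:
        return hops, "unreadable"
    if not data:
        return hops, "empty"
    return hops, ("ok" if b"-----BEGIN CERTIFICATE-----" in data else "not PEM")


def demo():
    """Build a constructed live/archive tree; trace one good and one broken link."""
    root = tempfile.mkdtemp()
    name = "example.test"  # placeholder, not a real lineage
    archive = os.path.join(root, "etc/letsencrypt/archive", name)
    live = os.path.join(root, "etc/letsencrypt/live", name)
    os.makedirs(archive)
    os.makedirs(live)
    with open(os.path.join(archive, "fullchain1.pem"), "w") as fh:
        fh.write("-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n")
    good = os.path.join(live, "fullchain.pem")
    os.symlink(f"../../archive/{name}/fullchain1.pem", good)
    bad = os.path.join(live, "broken.pem")
    # Target written without a leading slash: it resolves under live/<name>/.
    os.symlink(f"etc/letsencrypt/archive/{name}/fullchain1.pem", bad)
    return trace_cert_link(good), trace_cert_link(bad)


if __name__ == "__main__":
    for hops, verdict in demo():
        print(" -> ".join(hops), "=>", verdict)
```

Run `trace_cert_link` against the path named in the error message as the same user that starts httpd, so the verdict reflects what the server can actually read.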