Expired Let's Encrypt certificate for hostname

Discussion in 'Installation/Configuration' started by lonerunner, Dec 1, 2021.

  1. lonerunner

    lonerunner Member

    I still have trouble showing cert expired, it wouldn't be annoying but it ask me every time if I'm sure i want to accept it in Thunderbird.
    After these steps do I need to do something else to renew the certs?
    I don't know if it's ok or not to post all details so I blurred some parts of the screenshot.

    Annotation 2021-12-01 013111.png
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sounds like a client side issue, not server. Try searching for Thunderbird specific methods, it seems like Mozilla had is own certificate store, Thunderbird very well may as well.
     
  3. lonerunner

    lonerunner Member

    Looking further more I am not sure that everything is correct on the server side. The server ns is ns3.domain.tld and ns4.domain.tld and for some reason it seems that ns3.domain.tld have self signed certificate which is incorrect
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Does that server have two hostnames and you want both included in the certificate?
    In what way is it incorrect?
     
  5. lonerunner

    lonerunner Member

    Yes the server have two hostnames and i want them both to be included in certificate and working properly (so when i want to connect via ftp i can use either of hostnames, or when i access /webmail or ispconfig, and so on...

    The certificate on ns3 is invalid, it's self signed and it says that the certificate issuer is ns1.domain.tld, something seems to be wrong there.

    The server hostnames are ns3.domain.tld and ns4.domain.tld ns1 and ns2 don't exist.
    When I open one of these:
    domain.tld, domain.tld/webmail, domain.tld/phpmyadmin, ns4.domain.tld, ns4.domain.tld/webmail, ns4.domain.tld/phpmyadmin everything works fine, certificate is valid.
    However when I open these:
    ns3.domain.tld, ns3.domain.tld/webmail, ns3.domain.tld/phpmyadmin certificate is not valid and it opens apache default page. Annotation 2021-12-05 022628.png Annotation 2021-12-05 022542.png Annotation 2021-12-05 022409.png
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What shows
    Code:
    hostname
    hostname -f
    Are all of ns3.domain.tld, ns4.domain.tld and domain.tld pointing in name service to the same IP?
    Perhaps create website ns3.domain.tld and LE certificate for that? This may prevent using ns3 with /webmail and /phpmyadmin.
     
  7. lonerunner

    lonerunner Member

    ns3 and ns4 have different IP addresses
    Both
    Code:
    hostname
    hostname -f
    return ns3.domain.tld

    /etc/hosts have both ns3.domain.tld and ns4.domain.tld with their IP's included
    /etc/hostname have ns3.domain.tld but shouldn't that one have just ns3 text in there without domain.tld ?
    Under ispconfig interface i added both ns3 and ns4 as subdomains to the domain.tld there's even one alias domain added there and it's working fine.
    I checked the /.acme.sh/domain.tld/domain.tld.conf file and they are all there
    Code:
    Le_Domain='domain.tld'
    Le_Alt='www.domain.tld,ns3.domain.tld,ns4.domain.tld,domain.rs'
    
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    So your host is multi homed host and has two IP-addresses?
     
  9. lonerunner

    lonerunner Member

    Yes
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I'm out of ideas. I assume your setup should work.
    Have you examined acme.sh log to see what certificate with which domains it renews?
    Have you examined the certificates, is your host using one certificate for ns3 and another for ns4?
     
  11. lonerunner

    lonerunner Member

    The certificate is one for all of the following: domain.tld, www.domain.tld, ns3.domain.tld, ns4.domain.tld, aliasdomain.tld
    acme.sh logs show everything fine and certificate renews.
    It looks like the host could be using 2 different certificates for ns3 and ns4.

    Looking further i have found there is .conf file under "/etc/apache2/sites-available/default-ssl.conf" which is in use, and there is specific line pointing to self signed certificate

    Code:
            #   Enable/Disable SSL for this virtual host.
            SSLEngine on
    
            #   A self-signed (snakeoil) certificate can be created by installing
            #   the ssl-cert package. See
            #   /usr/share/doc/apache2/README.Debian.gz for more info.
            #   If both key and certificate are stored in the same file, only the
            #   SSLCertificateFile directive is needed.
            SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    So by changing the SSLCertificateFile line to point to different pem file

    Code:
    SSLCertificateFile    /usr/local/ispconfig/interface/ssl/ispserver.pem
    
    This seems to make the certificate valid, the ispserver.pem file is generated from /.acme.sh/domain.tld/fullchain.cer and /.acme.sh/domain.tld/domain.tld.key files

    However this looks like a complete mess and one more thing is confusing.
    While services like ns3.domain.tld/webmail ns3.domain.tld/phpmyadmin or ispconfig interface works and certificate is now valid under ns3.domain.tld.
    When I browse ns3.domain.tld it shows default apache page but when I open ns4.domain.tld it loads the domain.tld website. And i still have the error invalid root certificate with filezilla, thunderbird, atom.io ...
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It sounds like you don't have any sites with the name/alias of ns3; 'apachectl -S' could confirm that.
     
  13. lonerunner

    lonerunner Member

    The content of apachectl -S

    Code:
    [email protected] ~ # apachectl -S
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
    VirtualHost configuration:
    *:8080                 ns3.domain.tld (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
    *:80                   is a NameVirtualHost
             default server ns3.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost ns3.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost domain.tld (/etc/apache2/sites-enabled/100-domain.tld.vhost:7)
                     alias www.domain.tld
                     alias ns3.domain.tld
                     alias ns4.domain.tld
                     alias aliasdomain.tld
    *:443                  is a NameVirtualHost
             default server ns3.domain.tld (/etc/apache2/sites-enabled/1.conf:2)
             port 443 namevhost ns3.domain.tld (/etc/apache2/sites-enabled/1.conf:2)
             port 443 namevhost domain.tld (/etc/apache2/sites-enabled/100-domain.tld.vhost:132)
                     alias www.domain.tld
                     alias ns3.domain.tld
                     alias ns4.domain.tld
                     alias aliasdomain.tld
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/var/log/apache2/error.log"
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex ssl-cache: using_defaults
    Mutex default: dir="/var/run/apache2/" mechanism=default
    Mutex fcgid-pipe: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex fcgid-proctbl: using_defaults
    PidFile: "/var/run/apache2/apache2.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    Define: MODPERL2
    Define: ENABLE_USR_LIB_CGI_BIN
    1.conf is symlink to before mentioned /sites-available/default-ssl.conf

    I guess i could just symlink /etc/ssl/certs/ssl-cert-snakeoil.pem to valid one that is ispconfig using /usr/local/ispconfig/interface/ssl/ispserver.pem and this could solve the invalid cert ?
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You have two sites with the name "ns3.domain.tld", and the certificate you see presented is from the first, while what you want is that of the second. I'm a little surprised that's not an error that would prevent apache from starting.
     

Share This Page