Certbot https not working for example.com, only for www.example.com

[UPDATE] - I have posted this on the wrong site, so I will copy-paste this topic into the Unix/Linux community. So please delete this topic!

I have installed an SSL certificate on my webserver and enabled redirection of all HTTP requests to HTTPS. So far this works when I try to open www.example.com but not with example.com. Just for the record, I have replaced my domain.com with example.com. I have checked my access_log and error.log, and neither of them shows any new entries when I try to open example.com in a browser.

curl https://example.com

curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

When I execute the same curl command with www.example.com I got to my website. I am using

-bash-4.2$ hostname
example
-bash-4.2$ hostname -f
example.com

My hostname in /etc/sysconfig/network is example. I am also using vhost file:

cat /etc/httpd/sites-available/example.conf
<VirtualHost *:80>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/html
    ErrorLog /var/www/html/error.log
    CustomLog /var/www/html/requests.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =www.example.com [OR]
    RewriteCond %{SERVER_NAME} =example.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

and in httpd.conf I have set it to load configuration files from /etc/httpd/sites-available/*.conf

The other problem is that when I try to install cPanel it gives me the following error:

2017-03-15 14:10:39  501 ( INFO): Validating that the system hostname ('example') is a FQDN...
2017-03-15 14:10:39  507 (ERROR):
2017-03-15 14:10:39  508 (ERROR): ********************* ERROR *********************
2017-03-15 14:10:39  509 (ERROR):
2017-03-15 14:10:39  510 (ERROR): Your hostname (example) is invalid, and must be
2017-03-15 14:10:39  511 (ERROR): set to a fully qualified domain name before installing cPanel.
2017-03-15 14:10:39  512 (ERROR):
2017-03-15 14:10:39  513 (ERROR): A fully qualified domain name must contain two dots, and consists of two parts: the hostname and the domain name.
2017-03-15 14:10:39  514 (ERROR): You can update your hostname by running `hostname your-hostname.example.com`, then re-running the installer.
2017-03-15 14:10:39  516 (ERROR): ********************* ERROR *********************
2017-03-15 14:10:39  517 (FATAL): Exiting...
Removing /root/installer.lock.

And this is my SSL VHOST file which was automatically generated by Let's Encrypt:

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    DocumentRoot /var/www/html
    ErrorLog /var/www/html/error.log
    CustomLog /var/www/html/requests.log combined
    RewriteEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
</IfModule>

A bit more debugging information:

curl -l example.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://example.com/">here</a>.</p>
</body></html>

curl https://example.com
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

curl -l www.example.com
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="https://www.example.com/">here</a>.</p>
</body></html>

And when I run curl -l https://www.example.com my website is loading, which means that it is passing the SSL certificate check and the problem is only with the example.com certificate. So I guess my VHOST files are completely messed up. I tried to reinstall them but I think it didn't work.


Solution 1:

After deep investigation, it appeared that the problem was that requests to example.com were using the default SSL certificate defined in /etc/httpd/conf.d/ssl.conf, so I commented out the three lines containing the key, the certificate itself and the chain file, and added the paths to the Let's Encrypt certificates:

SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem

Then I reloaded the httpd service and checked the status using:

https://www.ssllabs.com/ssltest/analyze.html?d=example.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.example.com

You can also check your SSL certificates using:

openssl rsa -in privateKey.key -check
openssl x509 -in certificate.crt -text -noout

And you can check your SSL certificates using:

openssl s_client -connect www.example.com:443
openssl s_client -connect example.com:443

So when I compared both certificates, I saw that example.com was using the localhost.crt certificate. I then issued a find command to find where this certificate was configured and found that it was configured only in the ssl.conf file, so this is how I fixed the problem.
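
The search this answer describes (finding which configuration file hands out localhost.crt) can be done per virtual host instead of with a plain find. The script below is an added example, not part of the original post: the function names, the temporary directory and both sample config files are constructed for illustration, and the /etc/pki/tls/certs/ path for localhost.crt is an assumed distribution default.

```shell
#!/bin/sh
# Added example: both config files below are constructed samples, not the poster's files.

# Print "file<TAB>vhost address<TAB>names<TAB>certificate" for every <VirtualHost> block.
list_vhost_certs() {
    awk '
        function emit() {
            printf "%s\t%s\t%s\t%s\n", FILENAME, addr, (names == "" ? "-" : names), (cert == "" ? "-" : cert)
        }
        /^[ \t]*#/ { next }                      # ignore commented-out directives
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim so split() yields clean fields
            n = split(line, f, /[ \t]+/)
            key = tolower(f[1])                  # Apache directive names are case-insensitive
        }
        key == "<virtualhost"   { invh = 1; addr = f[2]; sub(/>$/, "", addr); names = ""; cert = ""; next }
        key == "</virtualhost>" { if (invh) emit(); invh = 0; next }
        invh && (key == "servername" || key == "serveralias") {
            for (i = 2; i <= n; i++) names = names (names == "" ? "" : ",") f[i]
        }
        invh && key == "sslcertificatefile" { cert = f[2] }
    ' "$@"
}

# Print only the vhosts whose certificate file name equals $1 (for example localhost.crt).
vhosts_using_cert() {
    want=$1; shift
    list_vhost_certs "$@" | awk -F '\t' -v want="$want" '{ n = split($4, p, "/"); if (p[n] == want) print }'
}

# Constructed sample input: a default SSL vhost next to a certbot-style vhost.
demo_dir=$(mktemp -d)
cat > "$demo_dir/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
EOF
cat > "$demo_dir/example-le-ssl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName www.example.com
    ServerAlias example.com
    #SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
</VirtualHost>
EOF

vhosts_using_cert localhost.crt "$demo_dir"/*.conf
```

On a live server, point the functions at /etc/httpd/conf.d/*.conf and the vhost directory; `httpd -S` then shows which of the listed vhosts Apache treats as the default for each address and port.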