The new SSL certificate is not working

Keywords: OpenEdX - Google Cloud Platform - Technical issue - Secure Connections (SSL/HTTPS)

bnsupport ID: 25b872c5-0614-a85d-ea30-6e3f42af1b24

bndiagnostic output:

? Apache: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/

bndiagnostic failure reason: The tool did not find the SSL certificate related issue.

Description:
Hi,
I followed the link below to install the SSL certificate and secure the web application: https://youtu.be/pV7_mXOJiKU?list=PLGgVZHi3XQNm-dQwUU0K83kMKIdCILGy7

But it's still not secure. So when I checked the ‘error_log’ file in the path ‘/opt/bitnami/apache2/logs’, I found the following:

[Tue Aug 03 11:57:17.076650 2021] [mpm_prefork:notice] [pid 3059] AH00169: caught SIGTERM, shutting down

[ N 2021-08-03 11:57:17.1182 3074/T9 age/Cor/CoreMain.cpp:671 ]: Signal received. Gracefully shutting down… (send signal 2 more time(s) to force shutdown)
[ N 2021-08-03 11:57:17.1183 3074/T1 age/Cor/CoreMain.cpp:1246 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected…
[ N 2021-08-03 11:57:17.1184 3074/Ta Ser/Server.h:902 ]: [ServerThr.2] Freed 0 spare client objects
[ N 2021-08-03 11:57:17.1184 3074/Ta Ser/Server.h:558 ]: [ServerThr.2] Shutdown finished
[ N 2021-08-03 11:57:17.1186 3074/T9 Ser/Server.h:902 ]: [ServerThr.1] Freed 0 spare client objects
[ N 2021-08-03 11:57:17.1186 3074/T9 Ser/Server.h:558 ]: [ServerThr.1] Shutdown finished
[ N 2021-08-03 11:57:17.1186 3074/Td Ser/Server.h:902 ]: [ApiServer] Freed 0 spare client objects
[ N 2021-08-03 11:57:17.1186 3074/Td Ser/Server.h:558 ]: [ApiServer] Shutdown finished
[ E 2021-08-03 11:57:17.3588 3074/T1 age/Cor/TelemetryCollector.h:455 ]: Error contacting anonymous telemetry server: error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
[ N 2021-08-03 11:57:17.3901 3074/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
[Tue Aug 03 11:57:22.986231 2021] [ssl:warn] [pid 4183] AH01909: 35.200.200.118:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 03 11:57:22.986783 2021] [ssl:warn] [pid 4183] AH01909: example.com:443:0 server certificate does NOT include an ID which matches the server name
[ N 2021-08-03 11:57:23.0130 4185/T1 age/Wat/WatchdogMain.cpp:1373 ]: Starting Passenger watchdog…
[ N 2021-08-03 11:57:23.0342 4188/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core…
[ N 2021-08-03 11:57:23.0344 4188/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
[ N 2021-08-03 11:57:23.0432 4188/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 4188

[ N 2021-08-03 11:57:23.0584 4188/T9 age/Cor/CoreMain.cpp:671 ]: Signal received. Gracefully shutting down… (send signal 2 more time(s) to force shutdown)
[ N 2021-08-03 11:57:23.0585 4188/T1 age/Cor/CoreMain.cpp:1246 ]: Received command to shutdown gracefully. Waiting until all clients have disconnected…
[ N 2021-08-03 11:57:23.0585 4188/Ta Ser/Server.h:902 ]: [ServerThr.2] Freed 0 spare client objects
[ N 2021-08-03 11:57:23.0585 4188/Ta Ser/Server.h:558 ]: [ServerThr.2] Shutdown finished
[ N 2021-08-03 11:57:23.0586 4188/T9 Ser/Server.h:902 ]: [ServerThr.1] Freed 0 spare client objects
[ N 2021-08-03 11:57:23.0586 4188/T9 Ser/Server.h:558 ]: [ServerThr.1] Shutdown finished
[ N 2021-08-03 11:57:23.0588 4188/Tc Ser/Server.h:902 ]: [ApiServer] Freed 0 spare client objects
[ N 2021-08-03 11:57:23.0588 4188/Tc Ser/Server.h:558 ]: [ApiServer] Shutdown finished
[Tue Aug 03 11:57:23.101240 2021] [ssl:warn] [pid 4208] AH01909: 35.200.200.118:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 03 11:57:23.102124 2021] [ssl:warn] [pid 4208] AH01909: example.com:443:0 server certificate does NOT include an ID which matches the server name
[ N 2021-08-03 11:57:23.1371 4220/T1 age/Wat/WatchdogMain.cpp:1373 ]: Starting Passenger watchdog…
[ N 2021-08-03 11:57:23.1576 4223/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core…
[ N 2021-08-03 11:57:23.1577 4223/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
[ N 2021-08-03 11:57:23.1656 4223/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 4223
[Tue Aug 03 11:57:23.242061 2021] [mpm_prefork:notice] [pid 4208] AH00163: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.20 mod_wsgi/4.6.7 Python/3.8 Phusion_Passenger/6.0.5 configured – resuming normal operations
[Tue Aug 03 11:57:23.242143 2021] [core:notice] [pid 4208] AH00094: Command line: ‘/opt/bitnami/apache2/bin/httpd.bin -f /opt/bitnami/apache2/conf/httpd.conf -D DISABLE_BANNER’
[ E 2021-08-03 11:57:23.2863 4188/T1 age/Cor/TelemetryCollector.h:455 ]: Error contacting anonymous telemetry server: error setting certificate verify locations: CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none
[ N 2021-08-03 11:57:23.3176 4188/T1 age/Cor/CoreMain.cpp:1325 ]: Passenger core shutdown finished
[ E 2021-08-03 11:57:25.3710 4223/T5 age/Cor/SecurityUpdateChecker.h:507 ]: Security update check failed: Problem with the SSL CA cert (path? access rights?) while connecting to https://securitycheck.phusionpassenger.com/v1/check.json ; this might happen if the nss backend is installed for libcurl instead of GnuTLS or OpenSSL. If the problem persists, you can also try upgrading or reinstalling Phusion Passenger (next check in 24 hours)

Hi @alpesh,

Instead of the video, could you run the bncert tool? It automates the creation and the configuration of the SSL certificate:

https://docs.bitnami.com/aws/how-to/understand-bncert/

Regards,
Michiel

Hi @michiel,
Thank you for replying.

I have already followed the video and Approach B of the documentation below: https://docs.bitnami.com/general/apps/edx/administration/enable-https-ssl-apache/

So will it be fine, or will it conflict, if I run the bncert tool?

Thank you so much in advance,
Alpesh

FYI, I have bought the SSL certificate from GoDaddy and am trying to install it for edx-LMS.
Also, I already bought the domain name from GoDaddy and configured it with a Google VM instance.

Hi @alpesh,

If you have an existing certificate you can follow the steps in this guide:

https://docs.bitnami.com/general/infrastructure/lamp/administration/enable-https-ssl-apache/

Can you check if it works for you?

Regards,
Michiel

Hi @michiel,
Thank you for the reply.
As I mentioned above, yes, I have already followed the steps from the guide below (Approach B): https://docs.bitnami.com/general/infrastructure/lamp/administration/enable-https-ssl-apache/

But it did not work for me, and when I restart the Apache server it throws:

[Tue Aug 03 11:57:23.101240 2021] [ssl:warn] [pid 4208] AH01909: 35.200.200.118:443:0 server certificate does NOT include an ID which matches the server name
[Tue Aug 03 11:57:23.102124 2021] [ssl:warn] [pid 4208] AH01909: example.com:443:0 server certificate does NOT include an ID which matches the server name
[ N 2021-08-03 11:57:23.1371 4220/T1 age/Wat/WatchdogMain.cpp:1373 ]: Starting Passenger watchdog…
[ N 2021-08-03 11:57:23.1576 4223/T1 age/Cor/CoreMain.cpp:1340 ]: Starting Passenger core…
[ N 2021-08-03 11:57:23.1577 4223/T1 age/Cor/CoreMain.cpp:256 ]: Passenger core running in multi-application mode.
[ N 2021-08-03 11:57:23.1656 4223/T1 age/Cor/CoreMain.cpp:1015 ]: Passenger core online, PID 4223
[Tue Aug 03 11:57:23.242061 2021] [mpm_prefork:notice] [pid 4208] AH00163: Apache/2.4.48 (Unix) OpenSSL/1.1.1k PHP/7.4.20 mod_wsgi/4.6.7 Python/3.8 Phusion_Passenger/6.0.5 configured – resuming normal operations

Now should I run the bncert tool?

Thank you
Alpesh

Hi @alpesh,

Did you rename your GoDaddy certificate and key to server.crt and server.key? It seems to still be using a self-signed certificate.

 curl -LI https://DOMAIN
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

Regards,
Michiel

Hi @michiel

Yes, I have already renamed both the certificate and the key to server.crt and server.key and restarted the Apache server. Also, there was a ‘gd_bundle-g2-g1.crt’ file from GoDaddy, which I have already renamed to server-ca.crt.

Hi @alpesh,

Can you check the certificate and key using the procedure described in this guide?

https://docs.bitnami.com/google/apps/wordpress/administration/check-ssl-certificate/

Regards,

Michiel

Hello
I have resolved the issue. Root cause:

httpd-vhost has a different path for the certificate instead of the conf directory of the Apache server, as mentioned in

https://docs.bitnami.com/general/infrastructure/lamp/administration/enable-https-ssl-apache/.

Yes @michiel, I have already tested and the checksum is identical. The root cause was with the path in the http-Vhost config file, as I have elaborated in the above paragraph.

Thank you so much @michiel for your co-operation.
Regards
Alpesh
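
The root cause reported in this thread (a vhost file referencing a different certificate path than the one the new files were copied to) can be checked directly by listing the paths Apache's configuration actually names. The script below is an added example, not part of the original thread or Bitnami's tooling; the function names, file names and `/constructed/...` paths are assumptions made for the sample.

```shell
#!/bin/sh
# Added example: list the certificate/key paths each Apache config file
# references and flag those that are not the files you installed.

# Print "conf_file<TAB>line<TAB>directive<TAB>path" for every SSL certificate
# directive. Commented-out lines are skipped; directive names are matched
# case-insensitively (as Apache does); surrounding quotes are stripped.
ssl_directives() {
  awk '
    /^[ \t]*#/ { next }
    tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
      path = $2
      gsub(/^"|"$/, "", path)
      printf "%s\t%d\t%s\t%s\n", FILENAME, FNR, $1, path
    }' "$@"
}

# usage: mismatched EXPECTED_CRT EXPECTED_KEY conf_file...
# Prints only the directives whose path differs from the file you installed.
mismatched() {
  want_crt=$1; want_key=$2; shift 2
  ssl_directives "$@" | awk -F'\t' -v crt="$want_crt" -v key="$want_key" '
    tolower($3) == "sslcertificatefile"    && $4 != crt { print }
    tolower($3) == "sslcertificatekeyfile" && $4 != key { print }'
}

# Constructed sample configuration (not the poster's real files).
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/httpd.conf" <<'EOF'
Listen 443
# SSLCertificateFile "/constructed/old/server.crt"
EOF
cat > "$demo_dir/app-https-vhost.conf" <<'EOF'
<VirtualHost _default_:443>
  ServerName example.com
  SSLEngine on
  SSLCertificateFile "/constructed/other/certs/server.crt"
  SSLCertificateKeyFile "/constructed/other/certs/server.key"
</VirtualHost>
EOF

# The new certificate was copied to the conf directory, but the vhost loads
# files from elsewhere: both vhost directives are reported.
mismatched /constructed/apache2/conf/server.crt \
           /constructed/apache2/conf/server.key "$demo_dir"/*.conf
```

A matching certificate/key checksum, as in this thread, only shows that the two files belong together; it says nothing about whether the vhost loads them, which is what this check covers.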
