0
votes

I am trying to install a Let's Encrypt SSL certificate on my (WAMP) Apache server, running on a Windows Server 2012 x64 machine.

These are the exact steps I did:

Step 1.
openssl genrsa -out privatekeyfilename.key 2048
openssl req -new -key privatekeyfilename.key -sha256 -config myconf.cnf -out csrfilename.csr

Step 2. generated letsencrypt certificates on https://www.sslforfree.com/ with csrfilename.csr

Step 3: Renamed privatekeyfilename.key > my-domain.key and placed in: C:\wamp\bin\apache\apache2.4.9\conf\certificate\
Letsencrypt Certificate placed in same folder and named: my-domain.crt
Letsencrypt CA Bundle placed in same folder and named: my-domain.ca-bundle

Step 4: Adjusted the httpd-ssl configurations:
C:\wamp\bin\apache\apache2.4.9\conf\extra\httpd-ssl.conf, C:\wamp\bin\apache\apache2.4.9\conf\original\extra\httpd-ssl.conf

Added these lines to the configs and commented out the old ones:

SSLCertificateFile c:/wamp/bin/apache/apache2.4.9/conf/certificate/my-domain.crt
SSLCertificateKeyFile c:/wamp/bin/apache/apache2.4.9/conf/certificate/my-domain.key
SSLCertificateChainFile c:/wamp/bin/apache/apache2.4.9/conf/certificate/my-domain.ca-bundle

(myconf.cnf)

[req]
distinguished_name = req_distinguished_name
# For "openssl req -new" (CSR generation) the extension section must be named
# by req_extensions; x509_extensions is only read together with "-x509"
# (self-signed output), so with it the CSR would carry no SAN at all.
req_extensions = v3_req
prompt = no
[req_distinguished_name]
C = NL
ST = Noord-holland
L = Amsterdam
O = JDJ
OU = IT
CN = *.my-domain.com
[v3_req]
# RSA server key: keyEncipherment, not keyAgreement (keyAgreement is for DH/ECDH keys)
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = my-domain.com
DNS.2 = *.my-domain.com

I expected the SSL certificate to be working, but it is giving errors:
https://i.imgur.com/syuuVoy.png
https://i.imgur.com/2jA2aTB.png
Does anyone have any idea what is going wrong? Thank you.

Edit: Since Apache 2.4.8, SSLCertificateChainFile is obsolete.
I added the content of my-domain.ca-bundle to my-domain.crt and commented out the SSLCertificateChainFile in the conf files. Still the same error.

Also ssl_error.log is showing:

[Fri Aug 16 11:21:06.642778 2019] [ssl:warn] [pid 5256:tid 364] AH01909: my-domain.com:443:0 server certificate does NOT include an ID which matches the server name    
[Fri Aug 16 11:21:06.814657 2019] [ssl:warn] [pid 5256:tid 364] AH01909: my-domain.com:443:0 server certificate does NOT include an ID which matches the server name
In short: SSLCertificateChainFile gets ignored, which likely also shows up as a problem if you look into your log files. - Steffen Ullrich
@SteffenUllrich I don't think that is the problem. ssl_error.log: [ssl:warn] [pid 3312:tid 464] AH01909: my-domain:443:0 server certificate does NOT include an ID which matches the server name - Jeroen
@SteffenUllrich And the obsoleted SSLCertificateChainFile does not help. Added the bundle file below in the jay-dz.crt file, but it did not change anything. - Jeroen
OK, it is not a duplicate. But the certificate one gets when accessing the server is a self-signed certificate issued for SRV01. My guess is that you have such a certificate configured somewhere in the parts of the config you did not show and that this takes preference (or maybe the part you show does not get included at all). This also explains the warning in error.log. - Steffen Ullrich
@SteffenUllrich Thanks for the answer. Here is my full httpd-ssl.conf file: pastebin.com/raw/yT5nd9eP, it's the only place I defined the SSLCertificateFile. And there are no other certificates in the installation folder. - Jeroen

1 Answer

0
votes

Had another program running on 443. This caused the error. Removed that from the router settings and the SSL worked.
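The following PowerShell script is an added example, not part of the question or the answer above. It ties the three symptoms in this thread together in one check: what process actually owns port 443, what the certificate file on disk says (subject, thumbprint, SAN, and whether the SAN covers the name Apache would log AH01909 about), and what certificate is really presented on the wire. The hostname, port and certificate path are assumptions taken from the question; adjust them to your own setup. Run it in an elevated PowerShell on the server (Get-NetTCPConnection needs Windows Server 2012 / PowerShell 3 or later). Because the answer traces the problem to a router port forward, run step 3 from a machine outside the NAT as well, since a connection from the LAN may not take the same path.

```powershell
# Added diagnostic script (not from the original post). Assumed values below are
# taken from the question; change them to match your server.
$HostName = 'my-domain.com'
$Port     = 443
$CertFile = 'C:\wamp\bin\apache\apache2.4.9\conf\certificate\my-domain.crt'

# Name check in the RFC 6125 style: exact match, or a wildcard matching exactly one label.
function Test-SanMatch([string]$Name, [string[]]$DnsNames) {
    foreach ($d in $DnsNames) {
        if ($d -ieq $Name) { return $true }
        if ($d.StartsWith('*.') -and
            $Name.EndsWith($d.Substring(1), [System.StringComparison]::OrdinalIgnoreCase) -and
            $Name.Split('.').Count -eq $d.Split('.').Count) { return $true }
    }
    return $false
}

# 1. Who is listening on the port? Only Apache's httpd.exe should appear here.
Write-Host "== Listeners on port $Port =="
Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ LocalAddress = $_.LocalAddress; PID = $_.OwningProcess; Process = $proc.ProcessName }
    } | Format-Table -AutoSize

# 2. What does the certificate file on disk contain? With the CA bundle appended to the
#    .crt (as in the question's edit) X509Certificate2 loads the first certificate, the leaf.
$disk   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertFile)
$sanExt = $disk.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$dnsNames = @()
if ($sanExt) {
    # Windows formats the extension as "DNS Name=a, DNS Name=b"; keep only the DNS entries.
    $dnsNames = $sanExt.Format($false) -split ',\s*' |
        Where-Object { $_ -match '^DNS Name=' } | ForEach-Object { $_ -replace '^DNS Name=', '' }
}
Write-Host "== On disk: $CertFile =="
Write-Host "Subject    : $($disk.Subject)"
Write-Host "Thumbprint : $($disk.Thumbprint)"
Write-Host "SAN DNS    : $($dnsNames -join ', ')"
if (-not (Test-SanMatch $HostName $dnsNames)) {
    Write-Host "WARNING: $HostName is not covered by the SAN; Apache logs AH01909 for such a file."
}

# 3. What does the server actually present on the wire? The callback accepts any
#    certificate because we only want to inspect it, not trust it.
$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($HostName)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
Write-Host "== Served on ${HostName}:$Port =="
Write-Host "Subject    : $($served.Subject)"
Write-Host "Thumbprint : $($served.Thumbprint)"

if ($served.Thumbprint -ne $disk.Thumbprint) {
    Write-Host "MISMATCH: port $Port is not serving $CertFile. Check the listener list above"
    Write-Host "          (another program, a router port forward, or another VirtualHost wins)."
} else {
    Write-Host "OK: the certificate on port $Port is the one in $CertFile."
}
```

A thumbprint mismatch between step 2 and step 3 is the decisive signal: Apache's configuration is then irrelevant, because whatever answers on 443 is not reading that file at all, which is exactly the situation the answer describes (a self-signed SRV01 certificate from another program reached through the router).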