bitnami / vms

Bitnami VMs
https://bitnami.com

AWS LAMP BNCert fails with "curl failed to verify the legitimacy of the server" #1605

Closed tooliedotter closed 1 month ago

tooliedotter commented 3 months ago

bncert-202407290610.log

Platform

AWS

bndiagnostic ID

8b0fda1c-dc65-ae16-f483-ad2881313efc

bndiagnostic output

[Connectivity]

Server ports 22, 80 and/or 443 are not publicly accessible. Please check the following guide to open server ports for remote access:

https://docs.bitnami.com/general/faq/administration/use-firewall/

✓ Processes: No issues found
✓ Mariadb: No issues found
? Connectivity: Found possible issues
✓ Php: No issues found
? Apache: Found possible issues
✓ Resources: No issues found

[Apache]

Found recent error or warning messages in the Apache error log. Press [Enter] to continue:

[Mon Jul 29 06:15:56.414238 2024] [proxy_fcgi:error] [pid 9498:tid 140215951767232] [client **ip_address**:36912] AH01071: Got error 'PHP message: PHP Warning: Undefined property: stdClass::$image_intro in /opt/bitnami/apache/htdocs/grantcountybeat.com/templates/ja_athena/html/com_content/article/default.php on line 37; PHP message: PHP Warning: Undefined property: stdClass::$image_fulltext in /opt/bitnami/apache/htdocs/grantcountybeat.com/templates/ja_athena/html/com_content/article/default.ph
[Mon Jul 29 06:16:01.405625 2024] [proxy_fcgi:error] [pid 9066:tid 140216312522432] [client **ip_address**:61923] AH01071: Got error 'PHP message: PHP Warning: Undefined property: stdClass::$image_intro in /opt/bitnami/apache/htdocs/grantcountybeat.com/templates/ja_athena/html/com_content/article/default.php on line 37; PHP message: PHP Warning: Undefined property: stdClass::$image_fulltext in /opt/bitnami/apache/htdocs/grantcountybeat.com/templates/ja_athena/html/com_content/article/default.ph
[Mon Jul 29 06:16:18.267639 2024] [proxy_fcgi:error] [pid 10279:tid 140215741982400] [client **ip_address**:35908] AH01071: Got error 'PHP message: PHP Warning: Undefined property: stdClass::$image_intro in /opt/bitnami/apache/htdocs/grantcountybeat.com/templates/ja_athena/html/com_content/article/default.php on line 37; PHP message: PHP Warning: Undefined property: stdClass::$image_fulltext in /opt/bitnami/apache/htdocs/grantcountybeat.com/templates/ja_athena/html/com_content/article/default.p

bndiagnostic was not useful. Could you please tell us why?

None of the above addresses the BNCert Issue

Describe your issue as much as you can

This is literally the last step in a months-long transfer of an enormous website from one EC2 instance to another. All I did was change the Elastic IP address from one server to another, update some paths to make the Joomla instance work, then try BNCert.

I have tried to apply a Let's Encrypt SSL Certificate using the BNCert script 4 times, and it has failed every time. What appears to be the key issue is this section.

Executing curl -L 'https://grantcountybeat.com/.well-known/7c35bdf943' -o '/tmp/7c35bdf943'
Script exit code: 60
Script output:
Script stderr:
   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Error running curl -L 'https://grantcountybeat.com/.well-known/7c35bdf943' -o '/tmp/7c35bdf943'

The script seems to get all the way to the end, then it chokes on the above error. The certificates are created, the bitnami.conf, bitnami-ssl.conf and my vhosts files are all updated with the usual BEGIN|END blocks of htaccess instructions, but the process fails.

I've reset these files 4 times without success. What's going wrong? My client's visitors are skittish and will avoid the site without the certificate and I'm desperate to finish this thing up.

Help!

jotamartos commented 3 months ago

Hi,

I can see you commented out the lines to use the new certificate in the apache/conf/vhosts/gcb-vhosts-ssl.conf file. Could you please let us know why? I can see that the symlink is properly created and you only need to update this file and restart Apache.

<VirtualHost *:443>
  ServerName grant***.com
  ServerAlias www.grant***.com
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache/conf/bitnami/certs/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache/conf/bitnami/certs/server.key"
#  SSLCertificateFile "/opt/bitnami/apache/conf/grant***.com.crt"
#  SSLCertificateKeyFile "/opt/bitnami/apache/conf/grant***.com.key"
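
As an added example (not Bitnami's or bncert's code) of the check jotamartos is doing by eye in the excerpt above: a small lint over an SSL vhost that reports which certificate directives are active versus commented out and relates that to curl's exit status 60 from the self-check. The sample vhost below is constructed from the quoted excerpt; the default certificate path is the one shown above.

```python
import re

# Stock self-signed certificate shipped with the Bitnami LAMP image (path quoted in the thread)
BITNAMI_DEFAULT_CERT = "/opt/bitnami/apache/conf/bitnami/certs/server.crt"

# Constructed sample mirroring the gcb-vhosts-ssl.conf excerpt quoted in the thread
SAMPLE_VHOST = """<VirtualHost *:443>
  ServerName grant***.com
  ServerAlias www.grant***.com
  SSLEngine on
  SSLCertificateFile "/opt/bitnami/apache/conf/bitnami/certs/server.crt"
  SSLCertificateKeyFile "/opt/bitnami/apache/conf/bitnami/certs/server.key"
#  SSLCertificateFile "/opt/bitnami/apache/conf/grant***.com.crt"
#  SSLCertificateKeyFile "/opt/bitnami/apache/conf/grant***.com.key"
</VirtualHost>
"""

# Group 1: optional leading '#', group 2: directive name, group 3: path with quotes stripped
DIRECTIVE = re.compile(
    r'^\s*(#?)\s*(SSLCertificateFile|SSLCertificateKeyFile)\s+"?([^"\s]+)"?', re.M)


def ssl_directives(conf):
    """Split SSL cert/key directives into active and commented-out ones (name -> [paths])."""
    active, commented = {}, {}
    for hash_mark, name, path in DIRECTIVE.findall(conf):
        bucket = commented if hash_mark else active
        bucket.setdefault(name, []).append(path)
    return active, commented


def diagnose(conf, curl_exit=None):
    """Explain why an HTTPS self-check like bncert's 'curl -L https://<domain>/...' would fail.

    curl_exit is that step's exit status; 60 is CURLE_PEER_FAILED_VERIFICATION,
    i.e. the certificate the server presented could not be verified.
    """
    active, commented = ssl_directives(conf)
    findings = []
    if BITNAMI_DEFAULT_CERT in active.get("SSLCertificateFile", []):
        findings.append("vhost serves the stock self-signed Bitnami certificate")
    for path in commented.get("SSLCertificateFile", []):
        findings.append(f"issued certificate only referenced in a commented-out line: {path}")
    if curl_exit == 60:
        findings.append("curl exit 60: peer certificate failed verification, "
                        "consistent with a self-signed certificate being served")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_VHOST, curl_exit=60):
        print("-", finding)
```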

tooliedotter commented 3 months ago

The presence of the Let's Encrypt keys (commented-out lines) is a result of multiple failures of the BNCert script running. Every time it failed, I had to remove all the blocks inserted by the script in bitnami.conf, bitnami-ssl.conf, and my vhosts files. I simply left the LE lines in there to save time. And no, simply enabling those lines after restarting does NOT make it work.

As mentioned, and as you can see in the log file, the script runs all the way to the cURL command and then fails. All those blocks of added configuration by the LE script are achieved, but the cURL command fails. So to reset and try again, I had to REVOKE the certificate, remove those blocks, comment out the certificate lines, and then the script would restart as though for the first time.

Does this have anything to do with the fact that I simply switched the IP address in AWS/EC2 from the old server to the new server? Is there a residual configuration that's causing the BNCert script to be suspicious and not validate the domain, as shown in the script?

jotamartos commented 3 months ago

We can review the configuration later if needed and check if there is any problem with that. In the meantime, and in order to solve the issue you are running into, you can manually generate the SSL certificate by directly using the lego tool and configure Apache to use it:

https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

As you already generated valid SSL certs (check the letsencrypt folder), the lego command will probably warn you about that but you can follow the rest of the guide to configure the auto-renewal process.

Let us know if you have any questions.

tooliedotter commented 3 months ago

OK, following the alternative approach, the certificate IS working! I still need to check the redirections from https://domain to https://www.domain but thanks for helping me get the certificate up and running. Readers of the site have been squawking all week.

JonathanStevanka143 commented 2 months ago

Getting this issue as well on a brand new LAMP stack off Amazon. The HOTFIX for the cert works but only when on the main page. Navigating to anything else breaks everything.

If it helps with your debugging, I read this was related to an issue in the new "CURL" version, something to do with a hotfix for a hotfix... some like broken code made it to the release version, etc. I have seen some people mention rolling back has fixed this issue.

https://github.com/curl/curl/issues/11475

jotamartos commented 2 months ago

That issue is old and shouldn't be affecting the configuration. We proceed to close this ticket as @tooliedotter could configure the certs following the alternative approach.

github-actions[bot] commented 2 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 month ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.