2 certs, 2nd cert has CN of first unrelated cert/domain?

Hi

I’m on FreeBSD 11 with certbot, and I’m trying to have two different, unrelated domains on the same Apache 2.4 install. This is on a VPS, and I’ve got root.

My setup is a jailed Apache, and I run certbot on the host. I run two distinct lines:

   certbot certonly --webroot \
   --webroot-path /usr/jails/www/usr/local/www/domain1 \
   -d www.domain1.org -d domain1.org \
   --webroot-path /usr/jails/www/usr/local/www/baikal/html \
   -d dav.domain1.org

   certbot certonly --webroot \
   --webroot-path /usr/jails/www/usr/local/www/domain2 \
   -d www.domain2.org -d domain2.org

and this works, in the sense that I get no errors, and I get certs back.

But when I query domain2.org I get:

$ openssl s_client -connect domain2.org:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.domain1.org
verify return:1
---
Certificate chain
 0 s:/CN=www.domain1.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
...snip...

And I don’t really understand why that would be.
It should not matter that both domains resolve to the same IP, and that I got the domain1 cert first… or does it?

Any help appreciated.

Hi @jyrki,

Use the -servername directive:

openssl s_client -connect domain2.org:443 -servername domain2.org

Cheers,
sahsanu

That was fast, thanks.
Unfortunately I get the exact same output…

@jyrki, please show the output of the command certbot certificates and the Apache conf for your VirtualHosts.

Here you go:

certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following certs:
  Certificate Name: www.domain1.org
    Domains: www.domain1.org,dav.domain1.org,domain1.org
    Expiry Date: 2017-11-28 20:17:00+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.domain1.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.domain1.org/privkey.pem
  Certificate Name: dav.domain1.org
    Domains: dav.domain1.org
    Expiry Date: 2017-10-18 18:59:00+00:00 (VALID: 48 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/dav.domain1.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/dav.domain1.org/privkey.pem
  Certificate Name: www.domain2.org
    Domains: www.domain2.org,domain2.org
    Expiry Date: 2017-11-28 20:33:00+00:00 (VALID: 89 days)
    Certificate Path: /usr/local/etc/letsencrypt/live/www.domain2.org/fullchain.pem
    Private Key Path: /usr/local/etc/letsencrypt/live/www.domain2.org/privkey.pem
-------------------------------------------------------------------------------


<VirtualHost *:80>
   ServerName www.domain1.org
   ServerAlias domain1.org
   ServerAdmin admin@domain1.org
   Redirect / https://www.domain1.org/
   CustomLog "/var/log/www/080.www_1.common.log" common
</VirtualHost>

<VirtualHost *:443>
   DocumentRoot "/usr/local/www/domain1.org/"
   ServerName www.domain1.org:443
   ServerAdmin admin@domain1.org
   CustomLog "/var/log/www/443.www_1.common_log" common
   SSLEngine on
   SSLCertificateFile "/usr/local/etc/apache24/certs/1/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/apache24/certs/1/privkey.pem"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost *:80>
   ServerName www.domain2.org
   ServerAlias domain2.org
   ServerAdmin admin@domain2.org
   Redirect / https://www.domain2.org/
   CustomLog "/var/log/www/080.2.common.log" common
</VirtualHost>

<VirtualHost *:443>
   DocumentRoot "/usr/local/www/2/"
   ServerName www.domain2.org:443
   ServerAdmin admin@domain2.org
   CustomLog "/var/log/www/443.2.common.log" common
   SSLEngine on
   SSLCertificateFile "/usr/local/etc/apache24/certs/2/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/apache24/certs/2/privkey.pem"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>


<VirtualHost *:80>
   DocumentRoot "/usr/local/www/baikal/html/"
   ServerName dav.domain1.org
   Redirect / https://dav.domain1.org/
   RewriteEngine On
   RewriteRule /.well-known/carddav /dav.php [R,L]
   RewriteRule /.well-known/caldav /dav.php [R,L]
   <Directory "/usr/local/www/baikal/html">
       Options None
       Options +FollowSymlinks
       AllowOverride All
       Require all granted
   </Directory>
</VirtualHost>

<VirtualHost *:443>
   DocumentRoot "/usr/local/www/baikal/html/"
   ServerName dav.domain1.org:443
   ServerAdmin admin@domain1.org
   CustomLog "/var/log/www/443.dav_1.common_log" common
   SSLEngine on
   SSLCertificateFile "/usr/local/etc/apache24/certs/1/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/apache24/certs/1/privkey.pem"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

thanks for your help.
It’s close to 1am here, and tomorrow a work day awaits me :slight_smile:
I’ll check tomorrow morning again
Thanks!

Same time here :wink: I’ll take a look at your conf tomorrow morning… but maybe some of our colleagues will give an answer today :stuck_out_tongue:

Ensure that
Path: /usr/local/etc/letsencrypt/live/www.domain1.org/fullchain.pem
equals
SSLCertificateFile "/usr/local/etc/apache24/certs/1/fullchain.pem"

and also that
Path: /usr/local/etc/letsencrypt/live/www.domain2.org/fullchain.pem
equals
SSLCertificateFile "/usr/local/etc/apache24/certs/2/fullchain.pem"

Thanks for the reply,
I do manually copy the cert files.
As stated in the README in /usr/local/etc/letsencrypt/live/www.domain1.org, I avoid the cert.pem file.
So I only copy the three other files for Apache to use.
Thanks

Morning @jyrki :wink:

You have not defined a ServerName or ServerAlias for domain2.org in your VirtualHost, only for www.domain2.org. The same occurs for www.domain1.org, but as it is the first VirtualHost, Apache uses it as the default for non-defined domain names.

If you add a ServerAlias for non www domains in your <VirtualHost *:443> sections you should have no problem.

Note: Next time, when you paste code or conf in your message, select it and press the </> icon, and this forum won't remove lines or try to add titles, bold, etc.

Cheers,
sahsanu


Never saw that!
But you are right, of course.
Will try later on the day and come back with results…
Thanks!


Hi Sahsanu

Unfortunately, this has not worked.
I keep having the exact same problem.
On the bright side, it has made me realise I have a redirection issue on domain1.
As you can see, I have a ‘redirect / https:www.domain?.org’ for each domain.
Interestingly it only works for domain2. Domain1 is still displayed as a ‘naked’ domain. It does redirect to https though…
I don’t really understand the problem (yet…), but I have a hunch this is related to why my domains are mixed up on the cert for domain2.

Any hints VERY appreciated indeed.
TIA!

@jyrki, please, paste the current conf. Also, it would be useful to know your real domain names.


Hi @sahsanu

Thanks for the reply
Yes, real domains would help indeed. I guess it was just force of habit, being a bit too paranoid…
Anyway, here is the unedited vhosts.conf.
Just to streamline things if you are going to take a look, ‘domain2.org’ is caridaduniversal.eu.
You can see the issue with:

openssl s_client -connect caridaduniversal.eu:443

Mind you, I did try what you suggested about adding ServerAlias statements and, with those in, renewed the certs. Same result as earlier, as stated earlier.
But since then, it has been heavily tweaked trying to pinpoint the reason for the failing 301 redirection.
Hope you can dispense the mess it is right now.

Thanks!

cat vhosts.conf
<VirtualHost *:443>
   ServerName www.gnosis-sevilla.es:443
   ServerAdmin admin@gnosis-sevilla.es
   DocumentRoot "/usr/local/www/sevilla_834/"
   CustomLog "/var/log/www/443.gsev.common_log" common
   SSLEngine on
   SSLCertificateFile "/usr/local/etc/apache24/certs/gsev/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/apache24/certs/gsev/privkey.pem"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost *:443>
   ServerName www.caridaduniversal.eu:443
#   ServerAlias caridaduniversal.eu:443
   ServerAdmin admin@caridaduniversal.eu
   DocumentRoot "/usr/local/www/icu_834/"
   CustomLog "/var/log/www/443.icu.common.log" common
   SSLEngine on
   SSLCertificateFile "/usr/local/etc/apache24/certs/icu/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/apache24/certs/icu/privkey.pem"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

<VirtualHost *:80>
   ServerName www.caridaduniversal.eu
   ServerAlias caridaduniversal.eu
   ServerAdmin admin@caridaduniversal.eu
   Redirect permanent / https://www.caridaduniversal.eu
   CustomLog "/var/log/www/080.icu.common.log" common
</VirtualHost>

<VirtualHost *:80>
   ServerName www.gnosis-sevilla.es
   ServerAlias gnosis-sevilla.es
   ServerAdmin admin@gnosis-sevilla.es
   RedirectMatch permanent ^/(.*) https://www.gnosis-sevilla.es/$1
#   Redirect permanent / https://www.gnosis-sevilla.es
   CustomLog "/var/log/www/080.gsev.common.log" common
</VirtualHost>

<VirtualHost *:80>
   ServerName dav.gnosis-sevilla.es
   Redirect / https://dav.gnosis-sevilla.es/
#   DocumentRoot "/usr/local/www/baikal/html/"
#   RewriteEngine On
#   RewriteRule /.well-known/carddav /dav.php [R,L]
#   RewriteRule /.well-known/caldav /dav.php [R,L]
#   <Directory "/usr/local/www/baikal/html">
#       Options None
#       Options +FollowSymlinks
#       AllowOverride All
#       Require all granted
#   </Directory>
</VirtualHost>

<VirtualHost *:443>
   ServerName dav.gnosis-sevilla.es:443
   ServerAdmin admin@gnosis-sevilla.es
   DocumentRoot "/usr/local/www/baikal/html/"
   CustomLog "/var/log/www/443.dav_gsev.common_log" common
   SSLEngine on
   SSLCertificateFile "/usr/local/etc/apache24/certs/gsev/fullchain.pem"
   SSLCertificateKeyFile "/usr/local/etc/apache24/certs/gsev/privkey.pem"
   <FilesMatch "\.(cgi|shtml|phtml|php)$">
       SSLOptions +StdEnvVars
   </FilesMatch>
   <Directory "/usr/local/www/apache24/cgi-bin">
       SSLOptions +StdEnvVars
   </Directory>
   BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0
</VirtualHost>

That is not correct: you can't use :443 in the ServerAlias directive. You can use it in ServerName (although you don't need it), but you can't use it in ServerAlias.

So, uncomment ServerAlias and use only the domain as the parameter.

ServerAlias caridaduniversal.eu

Restart Apache and try again.

Note: Remember to use -servername when using openssl s_client:

openssl s_client -connect caridaduniversal.eu:443 -servername caridaduniversal.eu

Regards,
sahsanu

Hi again @sahsanu

You’re right, yes, it’s kinda pointless for aliases to have the port specified. They were probably there because the lines were yanked from a redirection line. Changing them made no difference though.

Adding the ‘servername’ parameter sure fixes the issue, but without it it’s still mixed. Which makes me realise it’s not something coming from the certificate (as my mind made it out to be…), but rather it’s a live response from the server. So the problem here is the server cfg, not the cert! I’m sorry if that was obvious to you, but it certainly was news to me.

As I just want to understand what is going on at this point… I tried putting caridaduniversal.eu first.
And just moving the <VirtualHost *:443> block for caridaduniversal before the other one makes the other one give a mixed response to the openssl line. Also ffox shows an ‘Insecure connection’ for the naked domain (gnosis-sevilla.es), as it claims the cert is for caridaduniversal…

Never knew the order of the blocks would matter!

So I need to read on this, because clearly something major is wrong in this configuration.

Thanks for your help @sahsanu

Best Regards

PS: my Spanish is rubbish according to my Spanish-speaking wife :slight_smile:

Of course they do. Before the change in ServerAlias you got the incorrect cert for your domain:

$ echo | openssl s_client -connect caridaduniversal.eu:443 -servername caridaduniversal.eu 2>/dev/null | grep subject
subject=/CN=www.gnosis-sevilla.es

After the fix for ServerAlias it returns the right cert:

$ echo | openssl s_client -connect caridaduniversal.eu:443 -servername caridaduniversal.eu 2>/dev/null | grep subject
subject=/CN=www.caridaduniversal.eu

The servername parameter doesn't "fix" it because there is nothing to fix ;). The issue here is that the web server needs to use something called Server Name Indication to serve the right certificate for the requested domain. A few years ago SNI didn't exist and you could only serve one certificate per IP, so in your case you would need 3 different public IPs to serve your 3 certs. But now, using SNI, you can have multiple certificates on the same IP, and that is the reason you need to specify the -servername parameter: to let the web server know what domain you want to reach. That is the same thing your browser (Firefox, Chrome, Opera, etc.) does.

You receive this "error" because you have not defined a ServerAlias for gnosis-sevilla.es; you have only defined this ServerName:

ServerName www.gnosis-sevilla.es:443

and you need to add one more line:

ServerName www.gnosis-sevilla.es:443
ServerAlias gnosis-sevilla.es

Fix the ServerAlias for gnosis-sevilla.es and you are done, there is nothing wrong in your conf, that is how web servers work today :wink:

That gets fixed with practice :wink:

Regards,
sahsanu

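The selection rule sahsanu describes in this reply and in the earlier "first VirtualHost is the default" reply (match the SNI name against ServerName and the ServerAlias patterns, fall back to the first vhost on that address:port when nothing matches, and a ServerAlias carrying ":443" never matching anything) can be modelled in a few lines. The following is an added Python example, not code from this thread or from Apache; the VHost data is constructed from the configs posted above, and the helper names (VHost, select_vhost, served_cert_ok) are mine. It also checks whether the cert the chosen vhost would present actually covers the name the client asked for, which is the mismatch the openssl output at the top of the thread shows.

```python
"""Model of how Apache 2.4 picks a name-based <VirtualHost *:443> for a TLS
connection, and whether the certificate it then presents covers the host the
client asked for.  Added example (not from the thread or Apache); the vhost
data below is constructed from the configs posted in the thread.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple


@dataclass
class VHost:
    server_name: str                                     # ServerName, may carry ":port"
    server_aliases: List[str] = field(default_factory=list)
    cert_sans: List[str] = field(default_factory=list)   # dNSName SANs of the served cert


def _host_of(server_name: str) -> str:
    """ServerName may be written as host:port; only the host part is compared."""
    return server_name.split(":", 1)[0].lower()


def vhost_matches(vh: VHost, sni_host: str) -> bool:
    """Selected when the SNI host equals the ServerName (port dropped) or matches
    a ServerAlias pattern (Apache allows * and ? there).  ServerAlias is compared
    verbatim, so an alias like 'example.org:443' never matches a real SNI name."""
    host = sni_host.lower()
    if _host_of(vh.server_name) == host:
        return True
    return any(fnmatchcase(host, alias.lower()) for alias in vh.server_aliases)


def select_vhost(vhosts: List[VHost], sni_host: Optional[str]) -> VHost:
    """No SNI at all, or an SNI name that no vhost claims, falls back to the
    *first* vhost defined for that address:port.  That default is what
    'openssl s_client' without -servername talks to."""
    if sni_host:
        for vh in vhosts:
            if vhost_matches(vh, sni_host):
                return vh
    return vhosts[0]


def san_covers(san: str, host: str) -> bool:
    """RFC 6125 dNSName matching: exact, or a single '*' as the left-most label."""
    san, host = san.lower(), host.lower()
    if san == host:
        return True
    if san.startswith("*."):
        suffix = san[1:]                       # ".example.org"
        rest = host[: -len(suffix)] if host.endswith(suffix) else ""
        return bool(rest) and "." not in rest  # wildcard covers exactly one label
    return False


def served_cert_ok(vhosts: List[VHost], sni_host: Optional[str],
                   requested_host: str) -> Tuple[str, bool]:
    """Return (ServerName of the vhost Apache picks, does its cert cover requested_host)."""
    vh = select_vhost(vhosts, sni_host)
    return _host_of(vh.server_name), any(san_covers(s, requested_host) for s in vh.cert_sans)


# Constructed from the first config posted: no ServerAlias on the :443 vhosts.
BEFORE = [
    VHost("www.domain1.org:443", [], ["www.domain1.org", "dav.domain1.org", "domain1.org"]),
    VHost("www.domain2.org:443", [], ["www.domain2.org", "domain2.org"]),
]
# The same two vhosts with the ServerAlias for the bare domains added.
AFTER = [
    VHost("www.domain1.org:443", ["domain1.org"], BEFORE[0].cert_sans),
    VHost("www.domain2.org:443", ["domain2.org"], BEFORE[1].cert_sans),
]

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for sni in (None, "domain2.org", "www.domain2.org"):
            print(f"{label:6} sni={sni!s:16} -> {served_cert_ok(conf, sni, 'domain2.org')}")
```

Running it shows the three states the thread went through: with the BEFORE config, both no SNI and SNI=domain2.org land on the www.domain1.org vhost (wrong cert), while SNI=www.domain2.org is fine; with the AFTER config, SNI=domain2.org is fixed, but a client that sends no SNI still gets the first vhost's cert, which is why the bare openssl s_client test keeps looking broken even on a correct configuration.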
