443 conflicts using three LE certificates

I added three Let’s Encrypt certificates for three domains with their own distinct websites.
The certificates show as follows:

Found the following certs:
Certificate Name: mydomain1.info
Domains: mydomain1.info
Expiry Date: 2020-01-08 13:49:13+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mydomain1.info/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mydomain1.info/privkey.pem
Certificate Name: www.mydomain2.com
Domains: www.mydomain2.com mydomain2.com
Expiry Date: 2020-01-08 15:12:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.mydomain2.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mydomain2.com/privkey.pem
Certificate Name: www.mydomain3.ca
Domains: www.mydomain3.ca mydomain3.ca
Expiry Date: 2020-01-08 15:12:43+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.mydomain3.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.mydomain3.ca/privkey.pem

Unfortunately, when I test mydomain2.com or mydomain3.ca on www.ssllabs.com I get the following errors for both:

Certificate name mismatch

Try these other domain names (extracted from the certificates): mydomain1.info

The web site does not use SSL, but shares an IP address with some other site that does
[…]

Something seems to have a problem identifying the correct certificates, and I wonder why the respective certificates of mydomain2 and mydomain3 are not recognized.
It seems to indicate that Let’s Encrypt cannot handle more than one certificate per IP address, although I find that unlikely. I am by no means a Linux administrator, but from what I have researched, I understand that the issue of dealing with multiple domains on a single IP address, and even the same port, has long been resolved and applies to the versions of the packages installed on my server:

CentOS 6.10
httpd v2.2.15-60.el6.6vm
mod_ssl v2.2.15-60.el6.6vm
openssl v1.0.1e-58.el6_10
libcurl v7.19.7-53.el6_9

There are also errors when I restart httpd:

[Thu Oct 10 13:54:50 2019] [warn] VirtualHost xx.xxx.xxx.xx:443 overlaps with VirtualHost xx.xxx.xxx.xx:443, the first has precedence, perhaps you need a NameVirtualHost directive
[Thu Oct 10 13:54:50 2019] [warn] VirtualHost xx.xxx.xxx.xx:443 overlaps with VirtualHost xx.xxx.xxx.xx:443, the first has precedence, perhaps you need a NameVirtualHost directive

The httpd.conf file already contains the NameVirtualHost directive ahead of the <VirtualHost> statements.

Any explanations, and especially suggestions on how to correct this issue, are most welcome.

Your post is basically spot on - it sounds like a configuration issue.

NameVirtualHost was deprecated in Apache 2.4.

But since you are on Apache 2.2, could you confirm that you have both these lines:

NameVirtualHost *:80 
NameVirtualHost *:443

and that your virtualhosts are bound to the wildcard address (<VirtualHost *:443>) rather than to a specific IP?

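The mismatch _az is asking about can be checked mechanically. The overlap warning appears in Apache 2.2 when a <VirtualHost ADDR:PORT> has no NameVirtualHost directive with the identical ADDR:PORT, and in that case the first vhost on that IP:port answers every request, which is why SSL Labs saw mydomain1.info’s certificate for the other domains. The script below is an added example, not something from this thread; it lints a constructed config shaped like the one described (wildcard NameVirtualHost, vhosts bound to a specific IP), assumes one address per <VirtualHost> line, and skips _default_ vhosts on purpose since they need no NameVirtualHost.

```shell
#!/bin/sh
# Added example: check that every <VirtualHost ADDR:PORT> in an Apache 2.2
# config has a NameVirtualHost with the identical ADDR:PORT. Without that,
# name-based selection (and so per-site certificate selection via SNI) is
# not active on that socket and the first vhost serves everything.

# Prints one line per mismatched <VirtualHost>; returns 0 if consistent, 1 otherwise.
check_vhosts() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        /^[[:space:]]*NameVirtualHost[[:space:]]+/ { nvh[$2] = 1; next }
        /^[[:space:]]*<VirtualHost[[:space:]]+/ {
            addr = $2; sub(/>.*/, "", addr)
            if (addr ~ /^_default_/) next        # catch-all vhost, needs no NameVirtualHost
            if (!(addr in nvh)) {
                printf "line %d: <VirtualHost %s> has no matching NameVirtualHost %s\n", NR, addr, addr
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample config (192.0.2.10 is a documentation address, not a real host):
# the shape from the thread, wildcard NameVirtualHost but vhosts bound to one IP.
broken_conf=$(mktemp); fixed_conf=$(mktemp)
trap 'rm -f "$broken_conf" "$fixed_conf"' EXIT
cat > "$broken_conf" <<'EOF'
NameVirtualHost *:80
NameVirtualHost *:443
<VirtualHost 192.0.2.10:443>
    ServerName mydomain1.info
    SSLCertificateFile /etc/letsencrypt/live/mydomain1.info/fullchain.pem
</VirtualHost>
<VirtualHost 192.0.2.10:443>
    ServerName www.mydomain2.com
</VirtualHost>
EOF
# Fixed form: every vhost bound to the same wildcard socket as NameVirtualHost.
sed 's/192\.0\.2\.10:/*:/' "$broken_conf" > "$fixed_conf"

check_vhosts "$broken_conf" || echo "broken config: name-based hosting NOT active for those vhosts"
check_vhosts "$fixed_conf" && echo "fixed config: consistent"
```

Run it against a copy of httpd.conf plus the files it Includes (the check reads a single file); any line it prints is a vhost that will not be selected by name.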

@_az Thanks once again. I checked the httpd.conf file and found that all the <VirtualHost> sections had an IP address in them. I tried setting that to *:80 and got error messages, probably because the NameVirtualHost still referred to it. I also found a ServerName directive (which was set to “off”) with the same IP address, so I commented that out. After all were changed to *:80 and *:443 everything worked fine. Thanks for the suggestion.

Unfortunately … when I tested one of the domains on ssllabs.com I got the following warning:
“This server uses SSL 3”, even though SSLv3 actually fails, which is good, and is not mentioned in the httpd.conf file nor the ssl.conf file:

3078235884:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

But SSLv2 (deprecated since the mid-90s, I gather) did not give me a failure message, and I don’t think that I can comment out the SSLProtocol all -SSLv2 directive in the httpd.conf file because SSLv2 is also mentioned in an SSLCipherSuite directive. The content of that directive goes way over my head, and its specification does not match the one in the ssl.conf file for the default localhost certificate, which is the only one in there.

I’d like to hear what steps I can take to resolve this, keeping in mind that I am still running CentOS 6 for the time being.

The most straightforward thing you can do is to visit https://ssl-config.mozilla.org/#server=apache&server-version=2.2.15&config=intermediate&openssl-version=1.0.1e&hsts=false (preconfigured for CentOS 6 package versions) and copy those three SSLProtocol, SSLCipherSuite and SSLHonorCipherOrder options into your config.

@_az Thanks for the link. Included that and everything still works.