Apache - Configuration File Order Means Incorrect Certificates Are Used

I can renew my certificates with certbot-auto, everything seems to work fine and I can see a new certificate is issued: https://crt.sh/?q=zonk.be

Yet the old, expired certificate is used: https://www.ssllabs.com/ssltest/analyze.html?d=zonk.be

It seems related to Certbot - Certificate Issued from Let’s Encrypt but Live Certificates Pointing At Previous Versions and Certbot - Live Symlinks Not Updating As Expected - New Certificate Available But Not Used so I checked the symlinks, but those seem correct:

root@zonk:/etc/letsencrypt/live/zonk.be# ls -la
total 8
drwxr-xr-x  2 root root   88 Jun  5 06:14 .
drwx------ 10 root root 4096 Jun  4 18:37 ..
-rw-r--r--  1 root root  543 Jun  4 18:37 README
lrwxrwxrwx  1 root root   31 Jun  5 06:14 cert.pem -> ../../archive/zonk.be/cert2.pem
lrwxrwxrwx  1 root root   32 Jun  5 06:14 chain.pem -> ../../archive/zonk.be/chain2.pem
lrwxrwxrwx  1 root root   36 Jun  5 06:14 fullchain.pem -> ../../archive/zonk.be/fullchain2.pem
lrwxrwxrwx  1 root root   34 Jun  5 06:14 privkey.pem -> ../../archive/zonk.be/privkey2.pem

Symlinks are pointing to the certificates generated today:

root@zonk:/etc/letsencrypt/archive/zonk.be# ls -la
total 36
drwxr-xr-x  2 root root  152 Jun  5 06:14 .
drwx------ 10 root root 4096 Jun  4 18:37 ..
-rw-r--r--  1 root root 1773 Jun  4 18:37 cert1.pem
-rw-r--r--  1 root root 1874 Jun  5 06:14 cert2.pem
-rw-r--r--  1 root root 1647 Jun  4 18:37 chain1.pem
-rw-r--r--  1 root root 1647 Jun  5 06:14 chain2.pem
-rw-r--r--  1 root root 3420 Jun  4 18:37 fullchain1.pem
-rw-r--r--  1 root root 3521 Jun  5 06:14 fullchain2.pem
-rw-r--r--  1 root root 1704 Jun  4 18:37 privkey1.pem
-rw-r--r--  1 root root 1704 Jun  5 06:14 privkey2.pem

So I’m not sure where things are going haywire…

Using certbot version: 0.14.2 on Ubuntu 14.04.5 LTS

Hi @dhuyvetter,

Did you restart/reload your web server?

Cheers,
sahsanu

Yes, I just did restart Apache, didn’t help.

I’m on Ubuntu 14.04.5 LTS

@dhuyvetter, I’ve just checked your site and the certificate used by zonk.be is the one where the common name is dhuyvetter.eu so, are you sure that your VirtualHost for zonk.be is pointing to the right cert?

My Apache config looks correct to me (/etc/apache2/sites-available/zonk.conf):

    SSLCertificateFile /etc/letsencrypt/live/zonk.be/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/zonk.be/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/zonk.be/chain.pem

Please, show the output of the following commands:

openssl x509 -in /etc/letsencrypt/live/zonk.be/cert.pem -noout -dates

openssl x509 -in /etc/letsencrypt/live/zonk.be/cert.pem -noout -text | grep 'DNS:'

notBefore=Jun  5 05:15:00 2017 GMT
notAfter=Sep  3 05:15:00 2017 GMT
DNS:barrio.zonk.be, DNS:psi36.zonk.be, DNS:psylo.zonk.be, DNS:upset.zonk.be, DNS:www.zonk.be, DNS:zonk.be

It looks fine, so, you should double check your web server conf because the cert loaded for zonk.be is not the one you are showing.

Are you sure your conf file /etc/apache2/sites-available/zonk.conf is already in sites-enabled dir /etc/apache2/sites-enabled/zonk.conf?

Unless I am overlooking something here, in /etc/apache2/sites-enabled/:

lrwxrwxrwx 1 root root   28 Dec 29  2015 zonk.conf -> ../sites-available/zonk.conf

And my full zonk.conf in sites-available:

<VirtualHost *:433>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName zonk.be
        ServerAlias www.zonk.be

        ServerAdmin webmaster@zonk.be
        DocumentRoot /var/www/zonk.be/DEFAULT
        <Directory /var/www/zonk.be/DEFAULT>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf

        SSLCertificateFile /etc/letsencrypt/live/zonk.be/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/zonk.be/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/zonk.be/chain.pem
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

If this is not a typo, then your problem is that you are starting apache in port 433 instead of 443 for domain zonk.be

<VirtualHost *:433> <-- this should be 443

Thanks! I’ve updated that, but no change, I reloaded Apache.

I’ve got the feeling it’s using my default config (/etc/apache2/sites-available/000-default-le-ssl.conf) which points to certificates in /etc/letsencrypt/live/www.zonk.be/ which are from Mar 5th, so that must be what’s wrong.

# ls -la /etc/letsencrypt/live/www.zonk.be/
total 4
drwxr-xr-x  2 root root   75 Mar  5 06:06 .
drwx------ 10 root root 4096 Jun  4 18:37 ..
lrwxrwxrwx  1 root root   36 Mar  5 06:06 cert.pem -> ../../archive/www.zonk.be/cert15.pem
lrwxrwxrwx  1 root root   37 Mar  5 06:06 chain.pem -> ../../archive/www.zonk.be/chain15.pem
lrwxrwxrwx  1 root root   41 Mar  5 06:06 fullchain.pem -> ../../archive/www.zonk.be/fullchain15.pem
lrwxrwxrwx  1 root root   39 Mar  5 06:06 privkey.pem -> ../../archive/www.zonk.be/privkey15.pem

Then you need to load the VirtualHost for zonk.be before the default one, or you put the conf in 000-default-le-ssl.conf or you change the name of the zonk.conf file to be for example 000-a-zonk.conf or 0000-zonk.conf to be loaded before the default one.
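An added diagnostic script (not from this thread or from certbot) that makes the two things above visible in one run: the vhosts Apache has on a port in load order (the first one is the default that answers when no ServerName/ServerAlias matches), and whether the certificate the server actually sends for a name matches any SSLCertificateFile referenced from sites-enabled. It assumes the Debian/Ubuntu apache2 layout and the `apache2ctl -S` output format; the sample output embedded below is constructed to resemble this thread's setup.

```shell
#!/bin/sh
# Constructed sample of `apache2ctl -S` output (not captured from zonk.be).
SAMPLE_APACHECTL_S='VirtualHost configuration:
*:80                   zonk.be (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  is a NameVirtualHost
         default server www.zonk.be (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
         port 443 namevhost www.zonk.be (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
                 alias zonk.be
         port 443 namevhost zonk.be (/etc/apache2/sites-enabled/zonk.conf:1)
                 alias www.zonk.be
ServerRoot: "/etc/apache2"'

# Print "name config:line" for every vhost on port $1, in load order, reading
# `apache2ctl -S` text from stdin. The first line is the default vhost.
vhost_order() {
    awk -v port="$1" '
        BEGIN { addr = ":" port "$" }
        function strip(s) { gsub(/[()]/, "", s); return s }
        $1 ~ addr && $2 != "is" { print $2, strip($3); next }   # single vhost on port
        $1 ~ addr { inport = 1; next }                           # "is a NameVirtualHost"
        /^[^ ]/ { inport = 0 }                                   # next top-level section
        inport && $1 == "port" && $2 == port && $3 == "namevhost" { print $4, strip($5) }
    '
}

# SHA-256 fingerprint of a PEM certificate file.
cert_file_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate the server sends for host $1 (SNI) on port $2.
served_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Live check (needs network and a readable /etc/apache2): check_served_cert zonk.be 443
check_served_cert() {
    echo "vhosts on port $2 in load order (first = default):"
    apache2ctl -S 2>/dev/null | vhost_order "$2"
    served=$(served_fingerprint "$1" "$2")
    echo "served for $1: $served"
    grep -rh '^[[:space:]]*SSLCertificateFile' /etc/apache2/sites-enabled | awk '{print $2}' | sort -u |
    while read -r f; do
        fp=$(cert_file_fingerprint "$f")
        [ "$fp" = "$served" ] && tag=" <- this is the one being served" || tag=""
        echo "$f: $fp$tag"
    done
}

# Offline demo on the constructed sample: the default-le-ssl vhost comes first.
printf '%s\n' "$SAMPLE_APACHECTL_S" | vhost_order 443
```

If the served fingerprint matches a file under a different live/ directory than the one your vhost names, the request is being answered by another vhost, which is exactly the situation in this thread.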

Thanks! Updated my 000-default-le-ssl.conf to point to the certs in /etc/letsencrypt/live/zonk.be/ and now everything is peachy!

