Apache Delivering Wrong Cert


#1

Hey everybody,

This may be more of an apache configuration issue, but I am hoping one of you smart people can help me anyway.

We have about 30+ clients who have pointed a (sub)domain at our server with an A record at the IP address. We have grown significantly and needed to migrate to a better server setup; therefore, we had our clients change from an A record to a CNAME record pointed to our central domain so that we could control all of that traffic by changing the @ record for the central domain.

Most of these changes happened over a month ago but within the last week we have had two separate clients using modern browsers (chrome, FF) receive the wrong cert from the server. As far as I can tell they are not working through the SNI protocol correctly, and I don’t know how to fix it on my end.

Necessary Info:
Ubuntu 16.04.02 LTS (AWS)
Apache 2.4.18
Certbot is up to date

Example VHost file:

<VirtualHost *:443>
        ServerName sub.domain.com
        DocumentRoot /var/www/html
        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/sub.domain.com/chain.pem
</VirtualHost>

Output of cat /var/log/apache/error.log | grep ssl:

PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_openssl.dll' - /usr/lib/php/20151012/php_openssl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Wed Apr 19 06:25:01.896352 2017] [ssl:warn] [pid 28010] AH01906: our-central-domain.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 19 06:25:01.896374 2017] [ssl:warn] [pid 28010] AH01909: our-central-domain.com:8080:0 server certificate does NOT include an ID which matches the server name

Any suggestions?


#2

I’m not sure this is the root of your problem, but for Apache 2.4 you should use SSLCertificateFile [...]/fullchain.pem and omit the SSLCertificateChainFile directive.


#3

Hey @schoen , Thank you for the suggestion, but that did not fix the issue. I will update the other VHost files anyway.


#4

That looks pretty weird to me, since you are apparently running Ubuntu and the path is *nix-like, but at the same time it’s complaining about php_openssl.dll rather than .so.

Check your php.ini, you might have something like

[PHP_OPENSSL]
extension=php_openssl.dll

in it …

And then of course there are errors about the certificate, which look like another misconfiguration - perhaps the issuer’s certificate is used instead of the domain one in the Apache config?


#5

You were absolutely correct on that. There were several php extensions un-commented that had .dll extensions. Comments were re-applied and apache restarted. Thank you!

To your second point, that has been in the back of my mind the whole time, but it has been several different clients on very different domains.

If they are running an internal DNS host could it have cached the wrong cert? What steps would you take to troubleshoot it on the client side? ( I cannot replicate the errors, so I am relying on other people to check if my attempts are working )
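The two checks behind the AH01906/AH01909 warnings in post #1, plus the client-side troubleshooting asked for in post #5, as an added example script that is not part of the original thread. It assumes openssl(1) is installed; the hostname, the IP address (203.0.113.10) and the certificate path in the usage comments are placeholders.

```shell
#!/bin/sh
# Added diagnostic for the "wrong cert" symptom: fetch the certificate a server
# hands out for a name with SNI and without it, and run the same two checks that
# Apache's AH01906 / AH01909 warnings do (CA cert? name covered by a SAN?).
# Not from the thread; needs openssl(1). Hosts, ports and paths are placeholders.

# san_names: read `openssl x509 -noout -text` output on stdin, print the DNS SANs
# lowercased and space-separated (the SAN list sits on the line after its header).
san_names() {
    awk '/Subject Alternative Name/ {
            getline; gsub(",", " ")
            for (i = 1; i <= NF; i++)
                if ($i ~ /^DNS:/) out = out (out == "" ? "" : " ") tolower(substr($i, 5))
         }
         END { print out }'
}

# cert_subject: the Subject line of `openssl x509 -noout -text` output on stdin.
cert_subject() {
    awk '/^ *Subject: / { sub(/^ *Subject: /, ""); print; exit }'
}

# is_ca_cert: true when the text on stdin carries BasicConstraints CA:TRUE
# (the condition behind AH01906: an issuer certificate installed as the server cert).
is_ca_cert() {
    grep -q 'CA:TRUE'
}

# host_matches NAME "SAN SAN ...": exact match, or wildcard match of exactly one
# label ("*.domain.com" covers "sub.domain.com", not "domain.com" or "a.b.domain.com").
host_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rc=1
    set -f                      # SANs may contain '*': no pathname expansion while splitting
    for san in $2; do
        case "$san" in
            "$name")  rc=0 ;;
            \*.*)     [ "${name#*.}" = "${san#\*.}" ] && rc=0 ;;
        esac
    done
    set +f                      # globbing back on (the script never relied on it being off)
    return $rc
}

# served_cert HOST PORT [SNI]: the leaf certificate a server presents, as x509 text.
# Pass the IP address as HOST so that, with no third argument, no server_name is sent.
served_cert() {
    if [ -n "$3" ]; then
        openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null
    else
        openssl s_client -connect "$1:$2" </dev/null 2>/dev/null
    fi | openssl x509 -noout -text
}

# report NAME LABEL: summarise the x509 text on stdin against NAME.
report() {
    text=$(cat)
    sans=$(printf '%s\n' "$text" | san_names)
    printf '%s\n  subject: %s\n  SANs:    %s\n' "$2" "$(printf '%s\n' "$text" | cert_subject)" "$sans"
    printf '%s\n' "$text" | is_ca_cert && echo "  WARNING: CA certificate, not a server certificate (AH01906)"
    host_matches "$1" "$sans" || echo "  WARNING: no SAN covers $1 (AH01909 on the server, name mismatch in the browser)"
}

# Usage (placeholder names):
#   sni-check.sh sub.domain.com 203.0.113.10 [443]
#   sni-check.sh --file /etc/letsencrypt/live/sub.domain.com/fullchain.pem sub.domain.com
if [ "$1" = "--file" ] && [ -n "$3" ]; then
    openssl x509 -in "$2" -noout -text | report "$3" "File $2:"
elif [ -n "$2" ]; then
    served_cert "$2" "${3:-443}" "$1" | report "$1" "With SNI ($1):"
    served_cert "$2" "${3:-443}"      | report "$1" "Without SNI (what a non-SNI client or an unknown name gets):"
else
    echo "usage: $0 <hostname> <ip> [port] | --file <cert.pem> <hostname>" >&2
fi
```

Run it against the server's IP address rather than its hostname, so that the second call sends no server_name at all: the certificate it returns is the one every client gets when the SNI name matches no ServerName or ServerAlias, which is the first `<VirtualHost *:443>` Apache loaded (`apache2ctl -S` lists the vhosts per port and marks that default). A CA certificate, or a certificate whose SANs do not cover the name, cannot be repaired on the DNS side; both are properties of the file named in SSLCertificateFile, and the `--file` form checks that file directly.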

