This may be more of an Apache configuration issue, but I am hoping one of you smart people can help me anyway.
We have about 30+ clients who have pointed a (sub)domain at our server with an A record at the IP address. We have grown significantly and needed to migrate to a better server setup; therefore, we had our clients change from an A record to a CNAME record pointed to our central domain so that we could control all of that traffic by changing the @ record for the central domain.
Most of these changes happened over a month ago, but within the last week we have had two separate clients using modern browsers (Chrome, FF) receive the wrong cert from the server. As far as I can tell they are not working through the SNI protocol correctly, and I don't know how to fix it on my end.
Ubuntu 16.04.02 LTS (AWS)
Certbot is up to date
Example VHost file:
<VirtualHost *:443>
    ServerName sub.domain.com
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/sub.domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/sub.domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/sub.domain.com/chain.pem
</VirtualHost>
cat /var/log/apache/error.log | grep ssl:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/20151012/php_openssl.dll' - /usr/lib/php/20151012/php_openssl.dll: cannot open shared object file: No such file or directory in Unknown on line 0
[Wed Apr 19 06:25:01.896352 2017] [ssl:warn] [pid 28010] AH01906: our-central-domain.com:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed Apr 19 06:25:01.896374 2017] [ssl:warn] [pid 28010] AH01909: our-central-domain.com:8080:0 server certificate does NOT include an ID which matches the server name
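Added example, not part of the original post: a small Python checker that connects to the server IP once per client hostname, sends that name in the TLS SNI extension, and reports whether the DNS SANs of the certificate actually served cover it. This lets the SNI/vhost mismatch be reproduced from the server side instead of waiting for a client report. The hostnames and IP address are constructed placeholders, and the name-matching rules follow what Apache's AH01909 warning checks (exact match or a single leftmost wildcard label).

```python
import socket
import ssl

# Constructed placeholders, not values from the original post.
CLIENT_HOSTS = ["sub.domain.com", "portal.client-two.example"]
SERVER_IP = "203.0.113.10"


def hostname_in_cert(hostname, san_names):
    """True if hostname is covered by one of the certificate's DNS SANs.
    Exact match, or a '*' leftmost label that stands for exactly one label
    (so *.domain.com covers sub.domain.com but not a.sub.domain.com)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host[1:]:
                return True
        elif labels == host:
            return True
    return False


def fetch_san_names(hostname, ip, port=443, timeout=5.0):
    """Connect to ip with hostname in SNI and return the DNS SANs of the
    certificate the server actually serves. The chain is still verified
    against the system trust store (a CA cert served as leaf, as in AH01906,
    raises SSLError); only the hostname check is done by us, so a *valid*
    cert for the wrong vhost is reported rather than rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we compare names ourselves in hostname_in_cert
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_sni(hosts, ip, port=443):
    """Map each client hostname to (served cert covers it?, served SANs or error)."""
    results = {}
    for host in hosts:
        try:
            sans = fetch_san_names(host, ip, port)
            results[host] = (hostname_in_cert(host, sans), sans)
        except (ssl.SSLError, OSError) as exc:
            results[host] = (False, [f"connection/verify error: {exc}"])
    return results


if __name__ == "__main__":
    for host, (ok, sans) in check_sni(CLIENT_HOSTS, SERVER_IP).items():
        print(f"{host}: {'OK' if ok else 'WRONG CERT'} served SANs={sans}")
```

Run it against the server's IP after each vhost change; a host reported as WRONG CERT with another vhost's SANs means Apache matched the SNI name to a different (often the default, first-loaded) VirtualHost.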