Apache vhost Results in A Self Signed Cert instead of LetsEncrypt Cert Being Used

thwutype · April 24, 2017, 10:32am

OS Env:

Apache version: Apache/2.4.6 (CentOS 7.3.1611)
Apache built: Apr 12 2017 21:03:28
Box: 2 core Xeon E5-V4 + 2 GB memory VPS

#### Symptom ####

I got 4 virtual hosts in a CentOS 7.3 + Apache 2.4 VPS,
just ran certbot --apache

(1) Always got SEC_ERROR_CA_CERT_INVALID failed at specific host, say "example-failed.com"
failed as well in Google Chrome & Firefox latest.

(2) However, the other 3 hosts looks just perfect, say “example-good.com”

#### Have tried ####

(a) restart httpd
(b) re-issue or re-install by certbot ==> Looks not working
© MD5sum good vs. failed chain ==> These chain.pem are exact the same

(d) awk -v cmd=‘openssl x509 -noout -subject’ ‘/BEGIN/{close(cmd)};{print | cmd}’ < /etc/letsencrypt/live/example-failed.com/cert.pem
awk -v cmd=‘openssl x509 -noout -issuer’ ‘/BEGIN/{close(cmd)};{print | cmd}’ < /etc/letsencrypt/live/example-failed.com/cert.pem

The openssl-awk result just looked as normal as those in example-good.com

==> subject= /CN=example-failed.com
==> issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

Log

curl -v https://example-failed.com

* About to connect() to example-failed.com port 443 (#0)
*   Trying ipv6...
* Connected to example-failed.com (ipv6) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: E=root@example-failed.com,CN=example-failed.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
*       start date:  Apr 24 04:57:32 2017 GMT
*       expire date:  Apr 24 04:57:32 2018 GMT
*       common name: example-failed.com
*       issuer: E=root@example-failed.com,CN=example-failed.com,OU=SomeOrganizationalUnit,O=SomeOrganization,L=SomeCity,ST=SomeState,C=--
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0

It seemed that “subject / issuer” fields by curl -v are WRONG,
which differed from OpenSSL command line,
Any advise?

Thank you

Osiris · April 24, 2017, 10:59am

Firstly, you can just input the whole certificate into openssl x509, no need for all those awk stuff. You can even pipe the output of openssl s_client to openssl x509 and it will ignore all the other output and filter out the certificate automatically;)

Secondly, the certificate is probably fine, but your Apache configuration probably isn’t. Can you verify your Apache configuration for example-failed.com to see the SSLCertificateFile points to the right symbolic link in /etc/letsencrypt/live/example-failed.com/? And can you double or perhaps triple check if there’s only one VirtualHost for example-failed.com (HTTPS)?

thwutype · April 27, 2017, 7:41pm

Dear Osiris,

Thanks for the feedback.

I didn’t touch the SSLCertificateFile directives generated by certbot
and double-checked and triple-reinstalled, (e.g. now cert4)

still no luck so far.

Apr 28 03:26 /etc/letsencrypt/live/example-failed.com/cert.pem -> …/…/archive/example-failed.com/cert4.pem

file /etc/letsencrypt/archive/example-failed.com/cert?*.pem
/etc/letsencrypt/archive/example-failed.com/cert1.pem: PEM certificate
/etc/letsencrypt/archive/example-failed.com/cert2.pem: PEM certificate
/etc/letsencrypt/archive/example-failed.com/cert3.pem: PEM certificate
/etc/letsencrypt/archive/example-failed.com/cert4.pem: PEM certificate

schoen · April 27, 2017, 8:58pm

It would be great if you could tell us the domain name in question and/or post the content of cert4.pem. (While private keys should never be posted to a forum, certificates can be posted because they contain only public information.)

thwutype · April 28, 2017, 3:06am

Thank you for the quick support,

sahsanu · April 28, 2017, 7:13am

Hi @thwutype,

The certificate you pasted is fine, it was issued yesterday 27th April and is valid for your domain example-failed.com (I will respect your privacy and will use example-failed.com instead of your real domain).

I’ve checked your site vía ipv4 and ipv6 and your https version always presents the same certificate, a self-signed certificate issued on 24th April and valid during a year and only for your domain example-failed.com.

Also, the https version of your site points to a Centos Apache default webpage. You should double check the https Apache conf for your example-failed.com domain.

Cheers,
sahsanu

thwutype · May 1, 2017, 8:01am

Dear Team,

Thank you, resolved.
A vhost in conf.d/ssl.conf generated automatically leads to such issue.

this only happened in CentOS,
looks fine on Ubuntu server which already enabled SSL manually