Apache2 always uses the same certificate

My domains are: costabrava.de bauland.es ag-obras.es and some more

I installed a few websites with their domains and certificates. After updating the system, apache2 uses the certificate of costabrava.de for all domains.

My web server is (include version):apache2

The operating system my web server runs on is (include version): debian jessie

My hosting provider, if applicable, is: vserver

I can login to a root shell on my machine (yes or no, or I don't know): yes, root

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
```
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/cryptography/hazmat/bindings/openssl/binding.py:163: CryptographyDeprecationWarning: OpenSSL version 1.0.1 is no longer supported by the OpenSSL project, please upgrade. The next version of cryptography will drop support for it.
utils.CryptographyDeprecationWarning
certbot 1.9.0
```

At the moment I disabled https because the clients should not see this annoying warning.

Is the only way to solve the problem updating the linux?

I hope somebody can help me. My knowledge in Linux etc. is very basic, and the guy who maintained all disappeared.


Hi @Gutty

looks like your vHost configuration is buggy.

What says

apachectl -S

In the meantime I tried a lot of things and got a part working
Main problem was
<VirtualHost *:80>
instead of

Output of apachectl -S :

```
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/ag-le-ssl.conf:82) is deprecated, SSLCertificateFile should be used instead
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/bellevillas-le-ssl.conf:79) is deprecated, SSLCertificateFile should be used instead
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/cb-immo-le-ssl.conf:42) is deprecated, SSLCertificateFile should be used instead
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/dr-le-ssl.conf:38) is deprecated, SSLCertificateFile should be used instead
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/fe-le-ssl.conf:81) is deprecated, SSLCertificateFile should be used instead
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/rocagrossa-le-ssl.conf:39) is deprecated, SSLCertificateFile should be used instead
AH02559: The SSLCertificateChainFile directive (/etc/apache2/sites-enabled/urlaub-le-ssl.conf:49) is deprecated, SSLCertificateFile should be used instead
AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 212.144.102.62. Set the 'ServerName' directive globally to suppress this message
VirtualHost configuration:
212.144.102.61:443 is a NameVirtualHost
default server ag-obras.es (/etc/apache2/sites-enabled/ag-le-ssl.conf:43)
port 443 namevhost ag-obras.es (/etc/apache2/sites-enabled/ag-le-ssl.conf:43)
alias www.ag-obras.es
port 443 namevhost bauland.es (/etc/apache2/sites-enabled/bauland-le-ssl.conf:43)
alias www.bauland.es
port 443 namevhost bellevillas.com (/etc/apache2/sites-enabled/bellevillas-le-ssl.conf:39)
alias www.bellevillas.com
port 443 namevhost costabrava.de (/etc/apache2/sites-enabled/cb-le-ssl.conf:2)
alias www.bellevillas.com
alias www.costabrava.de
port 443 namevhost drdoener.com (/etc/apache2/sites-enabled/dr-le-ssl.conf:2)
alias www.drdoener.com
port 443 namevhost fincas-exclusivas.com (/etc/apache2/sites-enabled/fe-le-ssl.conf:41)
alias 5.drdoener.com
212.144.102.61:80 is a NameVirtualHost
default server ag-obras.es (/etc/apache2/sites-enabled/ag-le-ssl.conf:1)
port 80 namevhost ag-obras.es (/etc/apache2/sites-enabled/ag-le-ssl.conf:1)
alias www.ag-obras.es
port 80 namevhost bauland.es (/etc/apache2/sites-enabled/bauland-le-ssl.conf:1)
alias www.bauland.es
port 80 namevhost bellevillas.com (/etc/apache2/sites-enabled/bellevillas-le-ssl.conf:1)
alias www.bellevillas.com
port 80 namevhost costabrava.de (/etc/apache2/sites-enabled/cb.conf:1)
alias www.costabrava.de
port 80 namevhost collection-properties.com (/etc/apache2/sites-enabled/cp.conf:1)
alias www.collection-properties.com
port 80 namevhost drdoener.com (/etc/apache2/sites-enabled/dr.conf:1)
alias www.drdoener.com
port 80 namevhost video.drdoener.com (/etc/apache2/sites-enabled/drvideo.conf:1)
alias www.video.drdoener.com
port 80 namevhost fincas-exclusivas.com (/etc/apache2/sites-enabled/fe-le-ssl.conf:1)
alias www.fincas-exclusivas.com
alias 5.drdoener.com
alias 5.fincas-exclusivas.com
port 80 namevhost fincas-exclusivas.com (/etc/apache2/sites-enabled/fe.conf:1)
alias www.fincas-exclusivas.com
alias 5.drdoener.com
alias 5.fincas-exclusivas.com
port 80 namevhost fewo-lloret.com (/etc/apache2/sites-enabled/fewocom.conf:1)
alias www.fewo-lloret.com
port 80 namevhost urlaub.costabrava.de (/etc/apache2/sites-enabled/urlaub.conf:1)
alias www.fewo-lloret.de
alias fewo-lloret.de
alias www.urlaub.costabrava.de
*:80 is a NameVirtualHost
default server 212.144.102.62 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost 212.144.102.62 (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost drdoener.com (/etc/apache2/sites-enabled/dr-le-ssl.conf:42)
alias www.drdoener.com
port 80 namevhost rocagrossa.info (/etc/apache2/sites-enabled/rocagrossa-le-ssl.conf:43)
alias www.rocagrossa.info
*:443 is a NameVirtualHost
default server cb-immo.com (/etc/apache2/sites-enabled/cb-immo-le-ssl.conf:2)
port 443 namevhost cb-immo.com (/etc/apache2/sites-enabled/cb-immo-le-ssl.conf:2)
alias www.cb-immo.com
port 443 namevhost rocagrossa.info (/etc/apache2/sites-enabled/rocagrossa-le-ssl.conf:2)
alias www.rocagrossa.info
port 443 namevhost urlaub.costabrava.de (/etc/apache2/sites-enabled/urlaub-le-ssl.conf:2)
alias www.fewo-lloret.de
alias fewo-lloret.de
alias www.urlaub.costabrava.de
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
```


Your configuration is buggy.

Why are there 2 vHosts with www.bellevillas.com?

One has the costabrava.de domain, so the certificate may be wrong

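As an added example (not code from the thread), a small audit script that parses `apachectl -S` output and flags the two problems visible in the dump above: a port served by both an IP:port list and a `*:port` list, and a name claimed by more than one VirtualHost on the same port. `SAMPLE` is a constructed, trimmed copy of the posted output.

```python
"""Audit apachectl -S output for the two defects found in this thread: a port
served by both an IP:port list and a *:port list, and a name claimed by more
than one VirtualHost on the same port. Added example, not from the thread;
SAMPLE is a trimmed, constructed copy of the output posted above."""
import re
from collections import defaultdict

SAMPLE = """\
VirtualHost configuration:
212.144.102.61:443 is a NameVirtualHost
default server ag-obras.es (/etc/apache2/sites-enabled/ag-le-ssl.conf:43)
port 443 namevhost ag-obras.es (/etc/apache2/sites-enabled/ag-le-ssl.conf:43)
alias www.ag-obras.es
port 443 namevhost bellevillas.com (/etc/apache2/sites-enabled/bellevillas-le-ssl.conf:39)
alias www.bellevillas.com
port 443 namevhost costabrava.de (/etc/apache2/sites-enabled/cb-le-ssl.conf:2)
alias www.bellevillas.com
alias www.costabrava.de
*:443 is a NameVirtualHost
default server cb-immo.com (/etc/apache2/sites-enabled/cb-immo-le-ssl.conf:2)
port 443 namevhost cb-immo.com (/etc/apache2/sites-enabled/cb-immo-le-ssl.conf:2)
alias www.cb-immo.com
"""

LIST_RE = re.compile(r"^(\S+):(\d+) is a NameVirtualHost$")
VHOST_RE = re.compile(r"^port (\d+) namevhost (\S+) \((\S+)\)$")
ALIAS_RE = re.compile(r"^alias (\S+)$")

def audit(dump):
    """Return (mixed, dups): mixed maps a port to its address lists when both
    a specific IP and the '*' wildcard exist; dups maps (port, name) to the
    file:line of every VirtualHost that claims that name."""
    lists = defaultdict(set)      # port -> set of address specs ("*", "1.2.3.4", ...)
    owners = defaultdict(list)    # (port, name) -> [file:line, ...]
    port = where = None           # VirtualHost the following alias lines belong to
    for line in dump.splitlines():
        line = line.strip()       # real apachectl -S output indents these lines
        m = LIST_RE.match(line)
        if m:
            lists[m.group(2)].add(m.group(1))
            where = None
            continue
        m = VHOST_RE.match(line)
        if m:
            port, name, where = m.groups()
            owners[(port, name.lower())].append(where)
            continue
        m = ALIAS_RE.match(line)
        if m and where:
            owners[(port, m.group(1).lower())].append(where)
    mixed = {p: sorted(a) for p, a in lists.items() if "*" in a and len(a) > 1}
    dups = {k: v for k, v in owners.items() if len(set(v)) > 1}
    return mixed, dups

if __name__ == "__main__":
    mixed, dups = audit(SAMPLE)
    for p, specs in mixed.items():
        print(f"port {p}: lists {', '.join(specs)} coexist; connections to the IP never reach the * list")
    for (p, name), files in dups.items():
        print(f"port {p}: {name} is claimed by {' and '.join(files)}")
```

Run it against the real output with `apachectl -S 2>&1 | python3 audit.py` after replacing `SAMPLE` with `sys.stdin.read()`; an empty report for both checks is what a clean name-based setup looks like.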

Thank you very much for the help. I checked in the meantime all conf files and found a lot of errors. Maybe one of the main errors was that instead of domainname.com:443 there was *:443
And I renewed all certificates with certonly and edited all conf manually with the new correct path.
Now almost all works well.

It should be *:443, not domainname.com:443.

https://httpd.apache.org/docs/current/vhosts/name-based.html


Interesting. I will make the changes back to *:80 and *:443


I changed all back to <VirtualHost *:80> , full disaster. Then back again to resp. 443, everything works well again.
This drives me crazy


Well... to state the obvious...


We can just do a rundown of one site to serve as an example.

What are the outputs of these commands?

```
sudo ls -lRa /etc/apache2/sites-available
sudo ls -lRa /etc/apache2/sites-enabled
```

What are the contents of these files?

```
/etc/apache2/sites-enabled/cb.conf
/etc/apache2/sites-enabled/cb-le-ssl.conf
```

Please put 3 backticks above and below each output and the contents of each file, like this:

```
output or contents
```


In sites-available there are still a lot of unused conf files.

result of ls -lRa /etc/apache2/sites-available

```
total 200
drwxr-xr-x 2 root root 4096 May  6 22:41 .
drwxr-xr-x 9 root root 4096 May  6 20:16 ..
-rw-r--r-- 1 root root  693 May  8 19:27 000-default.conf
-rw-r--r-- 1 root root 1332 Sep 30  2019 000-default.conf.dpkg-new
-rw-r--r-- 1 root root  955 May  8 19:28 ag.conf
-rw-r--r-- 1 root root 2274 May  8 19:28 ag-le-ssl.conf
-rw-r--r-- 1 root root  807 May  8 19:28 alex.conf
-rw-r--r-- 1 root root 1088 May  8 19:28 alex-le-ssl.conf
-rw-r--r-- 1 root root  876 May  8 19:28 alx.conf
-rw-r--r-- 1 root root 1157 May  8 19:29 alx-le-ssl.conf
-rw-r--r-- 1 root root  811 May  8 19:30 arduino.conf
-rw-r--r-- 1 root root 1092 May  8 19:30 arduino-le-ssl.conf
-rw-r--r-- 1 root root  955 May  8 19:29 bauland.conf
-rw-r--r-- 1 root root 1960 May  8 19:30 bauland-le-ssl.conf
-rw-r--r-- 1 root root  795 May  8 19:29 bellevillas.conf
-rw-r--r-- 1 root root 1875 May  8 19:29 bellevillas-le-ssl.conf
-rw-r--r-- 1 root root  787 May  8 19:29 cb.conf
-rw-r--r-- 1 root root  777 May  8 19:28 cb-immo.conf
-rw-r--r-- 1 root root 1847 May  8 19:27 cb-immo-le-ssl.conf
-rw-r--r-- 1 root root 1802 May  8 19:46 cb-le-ssl.conf
-rw-r--r-- 1 root root  771 May  4 17:15 costabrava
-rw-r--r-- 1 root root  803 May  8 19:22 cp.conf
-rw-r--r-- 1 root root 2185 May  8 19:26 cp-le-ssl.conf
-rw-r--r-- 1 root root  696 May  4 17:13 default.save
-rw-r--r-- 1 root root 7257 Oct  2  2018 default-ssl.conf
-rw-r--r-- 1 root root 6437 Sep 30  2019 default-ssl.conf.dpkg-new
-rw-r--r-- 1 root root  775 May  8 19:24 dr.conf
-rw-r--r-- 1 root root 1875 May  8 19:24 dr-le-ssl.conf
-rw-r--r-- 1 root root  801 May  8 19:24 drvideo.conf
-rw-r--r-- 1 root root 1082 May  8 19:24 drvideo-le-ssl.conf
-rw-r--r-- 1 root root  849 May  8 19:25 fe.conf
-rw-r--r-- 1 root root 1991 May  8 20:40 fe-le-ssl.conf
-rw-r--r-- 1 root root  796 May  8 19:26 fewocom.conf
-rw-r--r-- 1 root root 1869 May  8 19:26 fewocom-le-ssl.conf
-rw-r--r-- 1 root root  925 May  8 19:26 fewo.conf
-rw-r--r-- 1 root root 1946 May  8 19:25 fewo-le-ssl.conf
-rw-r--r-- 1 root root 1910 May  8 19:25 pool-le-ssl.conf
-rw-r--r-- 1 root root  877 May  4 19:26 rg.conf
-rw-r--r-- 1 root root 1158 May  8 19:23 rg-le-ssl.conf
-rw-r--r-- 1 root root  786 May  8 12:06 rocagrossa
-rw-r--r-- 1 root root 2727 May  8 19:31 rocagrossa-le-ssl.conf
-rw-r--r-- 1 root root  741 May  8 19:23 sslcb.conf
-rw-r--r-- 1 root root  838 May  8 19:23 urlaub.conf
-rw-r--r-- 1 root root 1907 May  8 19:23 urlaub-le-ssl.conf
-rw-r--r-- 1 root root  791 May  8 12:06 video.rocagrossa.info
-rw-r--r-- 1 root root 1072 Oct  9  2019 video.rocagrossa.info-le-ssl.conf
-rw-r--r-- 1 root root  832 May  4 19:28 www-original.conf
-rw-r--r-- 1 root root 1080 Oct  9  2019 www-original-le-ssl.conf
```

result of ls -lRa /etc/apache2/sites-enabled


```
total 8
drwxr-xr-x 2 root root 4096 May  8 23:00 .
drwxr-xr-x 9 root root 4096 May  6 20:16 ..
lrwxrwxrwx 1 root root   35 May  4 18:29 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root   43 Jan 17 13:34 ag-le-ssl.conf -> /etc/apache2/sites-available/ag-le-ssl.conf
lrwxrwxrwx 1 root root   38 Aug  8  2020 bauland-le-ssl.conf -> ../sites-available/bauland-le-ssl.conf
lrwxrwxrwx 1 root root   42 May  6 20:08 bellevillas-le-ssl.conf -> ../sites-available/bellevillas-le-ssl.conf
lrwxrwxrwx 1 root root   48 Jan 17 17:51 cb-immo-le-ssl.conf -> /etc/apache2/sites-available/cb-immo-le-ssl.conf
lrwxrwxrwx 1 root root   33 May  4 17:41 cb-le-ssl.conf -> ../sites-available/cb-le-ssl.conf
lrwxrwxrwx 1 root root   33 May  6 21:45 cp-le-ssl.conf -> ../sites-available/cp-le-ssl.conf
lrwxrwxrwx 1 root root   43 Apr 30  2020 dr-le-ssl.conf -> /etc/apache2/sites-available/dr-le-ssl.conf
lrwxrwxrwx 1 root root   33 May  6 20:17 fe-le-ssl.conf -> ../sites-available/fe-le-ssl.conf
lrwxrwxrwx 1 root root   38 May  6 22:00 fewocom-le-ssl.conf -> ../sites-available/fewocom-le-ssl.conf
lrwxrwxrwx 1 root root   35 May  6 20:50 fewo-le-ssl.conf -> ../sites-available/fewo-le-ssl.conf
lrwxrwxrwx 1 root root   35 May  6 22:45 pool-le-ssl.conf -> ../sites-available/pool-le-ssl.conf
lrwxrwxrwx 1 root root   51 Jun  5  2020 rocagrossa-le-ssl.conf -> /etc/apache2/sites-available/rocagrossa-le-ssl.conf
lrwxrwxrwx 1 root root   47 Jan 29 20:42 urlaub-le-ssl.conf -> /etc/apache2/sites-available/urlaub-le-ssl.conf
```

content of /etc/apache2/sites-enabled/cb.conf

```
<VirtualHost costabrava.de:80>
    ServerAdmin rm@costabrava.de
    ServerName costabrava.de
    ServerAlias www.costabrava.de

    DocumentRoot /var/www/urlaub

    <Directory />
        Order deny,allow
        deny from all
    </Directory>

    <Directory /var/www/urlaub/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride all
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
```

content of /etc/apache2/sites-enabled/cb-le-ssl.conf

```
<VirtualHost costabrava.de:80>
    ServerAdmin rm@costabrava.de
    ServerName costabrava.de
    ServerAlias www.costabrava.de

    DocumentRoot /var/www/urlaub

    <Directory /var/www/urlaub/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride all
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost costabrava.de:443>
    ServerAdmin rm@costabrava.de
    ServerName costabrava.de
    ServerAlias www.costabrava.de

    DocumentRoot /var/www/urlaub

    <Directory />
        Order deny,allow
        deny from all
    </Directory>

    <Directory /var/www/urlaub/>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    <Directory "/usr/lib/cgi-bin">
        AllowOverride all
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/access.log combined

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/costabrava.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/costabrava.de/privkey.pem
</VirtualHost>
</IfModule>
```


It looks like you disabled all of your port 80 (non "-le-ssl") conf files. Since each conf file should ideally only contain a single VirtualHost, having both the port 80 and port 443 VirtualHosts in a single file is not ideal and will greatly confuse certbot.


Make sure your DocumentRoot points to the correct directory here and use multiples of 4 spaces (don't use tab characters).

Try changing...

/etc/apache2/sites-available/cb.conf to this:

```
<VirtualHost *:80>
    ServerAdmin rm@costabrava.de
    ServerName costabrava.de
    ServerAlias www.costabrava.de

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # CustomLog needs a log format; "combined" is the one the old cb.conf used
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    Redirect permanent / https://costabrava.de/
</VirtualHost>
```

/etc/apache2/sites-enabled/cb-le-ssl.conf to this:

```
<VirtualHost *:443>
    ServerAdmin rm@costabrava.de
    ServerName www.costabrava.de

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/costabrava.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/costabrava.de/privkey.pem

    # www -> bare domain; the certificate must cover both names for this to be clean
    Redirect permanent / https://costabrava.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin rm@costabrava.de
    ServerName costabrava.de
    DocumentRoot /var/www/urlaub

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    <Directory "/">
        Order deny,allow
        deny from all
    </Directory>

    <Directory "/var/www/urlaub/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        allow from all
    </Directory>

    <Directory "/usr/lib/cgi-bin">
        AllowOverride all
        Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
        Order allow,deny
        Allow from all
    </Directory>

    ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/costabrava.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/costabrava.de/privkey.pem
</VirtualHost>
```

Enable the new site and reload Apache.

```
sudo a2ensite cb.conf
sudo apachectl -k graceful
```

Acquire the correct certificate. Warning: This may cause other sites to appear unsecure if they are using the costabrava.de certificate, which they shouldn't be using. Each site should have its own functional certificate and let certbot-auto renew it as appropriate.

```
sudo certbot-auto certonly --cert-name costabrava.de --apache -d "costabrava.de,www.costabrava.de" --deploy-hook "apachectl -k graceful" --force-renewal
```


At this point, costabrava.de and www.costabrava.de should be fully working with the correct http to https redirects.


Still problems with your config.
If I use <VirtualHost *:443> I get an error because the wrong certificate is used.
With nad all works well.
in http conf with <VirtualHost *:80> sometimes works well.
Strange. I try now to reconfigure another domain

edit: Now I have more domains configured. Looks good now, but the problem with the *:port instead of domain.tld:port is still there.


That's because the IP:port (and domain:port) configurations (which should be *:port) are interfering due to being more specific than the wildcard. You might need to unwind the entire ball of string and simplify to see the true results.

Keep in mind that Apache finds the list of VirtualHosts with the closest matching IP address and port combination then considers the first VirtualHost in that list with a matching ServerName/ServerAlias. If a VirtualHost with a matching ServerName/ServerAlias isn't found in that list, it uses the "default" VirtualHost from that list. With IP:port VirtualHosts present, the rest of the VirtualHosts (*:port) will be ignored. By changing all of your VirtualHosts to *:port, you're correctly putting all of your VirtualHosts for a given port in the same list then letting Apache find the first VirtualHost with a matching ServerName/ServerAlias in that list. Even if you're using multiple IP addresses (which you are), by using the wildcard (*:port), you're telling Apache to only consider the port number and ServerName/ServerAlias when matching the VirtualHosts, which is desired behavior. Then, if an IP address ever changes, you don't need to reconfigure Apache.

An In-Depth Discussion of Virtual Host Matching

By using domain.tld:port, you're overriding Apache's matching protocol (to your detriment).

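Added example, not code from the thread: a simulation of the two-stage selection described above, with a VirtualHost table constructed from the posted `apachectl -S` output (certificate paths other than costabrava.de's are assumed). It shows that a connection to 212.144.102.61:443 for urlaub.costabrava.de, which is only defined as `*:443`, never reaches its own VirtualHost and is handed the IP list's default certificate instead, while the all-`*:443` layout serves every name correctly.

```python
"""Simulate Apache's two-stage VirtualHost selection: first the most specific
address:port list for the connection (IP:port beats *:port), then the first
ServerName/ServerAlias match inside that list, else that list's default server.
Added example, not from the thread; the vhost table is constructed from the
posted apachectl -S output, certificate paths other than costabrava.de's are assumed."""
from dataclasses import dataclass

@dataclass
class VHost:
    address: str   # as written in <VirtualHost ...>: "IP:port" or "*:port"
    names: list    # ServerName first, then ServerAlias entries
    cert: str      # SSLCertificateFile this VirtualHost presents

def select_vhost(vhosts, client_ip, port, requested_name):
    """The VirtualHost Apache uses for a connection to client_ip:port whose
    SNI (or Host header) is requested_name; None if no list matches at all."""
    exact = [v for v in vhosts if v.address == f"{client_ip}:{port}"]
    wild = [v for v in vhosts if v.address == f"*:{port}"]
    candidates = exact or wild       # *:port is only consulted when no IP:port list exists
    if not candidates:
        return None
    wanted = requested_name.lower()
    for v in candidates:             # configuration order matters: first match wins
        if wanted in (n.lower() for n in v.names):
            return v
    return candidates[0]             # the list's "default server"

def le(name):  # assumed certbot layout; only costabrava.de's path appears on the page
    return f"/etc/letsencrypt/live/{name}/fullchain.pem"

IP = "212.144.102.61"
MIXED = [  # port 443 entries as in the posted apachectl -S output (constructed subset)
    VHost(f"{IP}:443", ["ag-obras.es", "www.ag-obras.es"], le("ag-obras.es")),
    VHost(f"{IP}:443", ["bauland.es", "www.bauland.es"], le("bauland.es")),
    VHost(f"{IP}:443", ["costabrava.de", "www.costabrava.de"], le("costabrava.de")),
    VHost("*:443", ["cb-immo.com", "www.cb-immo.com"], le("cb-immo.com")),
    VHost("*:443", ["urlaub.costabrava.de", "fewo-lloret.de"], le("urlaub.costabrava.de")),
]
FIXED = [VHost("*:443", v.names, v.cert) for v in MIXED]  # every vhost rewritten to *:443

def presented_cert(vhosts, requested_name, client_ip=IP, port=443):
    """Certificate a browser gets when it connects to client_ip:port with SNI requested_name."""
    v = select_vhost(vhosts, client_ip, port, requested_name)
    return v.cert if v else None

if __name__ == "__main__":
    for name in ("costabrava.de", "urlaub.costabrava.de", "cb-immo.com"):
        print(f"{name:22} mixed: {presented_cert(MIXED, name)}")
        print(f"{name:22} fixed: {presented_cert(FIXED, name)}")
```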
