Browsers Detecting Both LE and Self Assigned Certs


#1

This is a weird one. We were using a self assigned cert while developing a new site. Apache2 is running on Ubuntu 16.04. At some point we wanted to switch to a Let’s Encrypt cert, so I installed certbot from the ppa, ran sudo certbot --apache -d beta.santa-ana.org and everything went ok. Restarted apache2. Going to the main page of my site it looked like it picked up on the cert, but on some deeper down or backend links it seems to still be detecting my self-assigned cert.

So off to detective work I went. I made sure to disable the old default-ssl.conf file I was using for the site, and I removed the keys themselves. I ran sudo apache2ctl -S to get my configs and the output is just as expected:
VirtualHost configuration:
*:443 beta.santa-ana.org (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 <internal_ip> (/etc/apache2/sites-enabled/000-default.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults

And of course the config file being served *:443 was the one generated by Let’s Encrypt and all the files point to the keys generated therein.

So what gives? How should I proceed? I've cleared my cache, and I've restarted apache2 several times.

Thanks for the help.


#2

Hi @MCDELTAT

This is really terrible. Firefox: first try, self-signed; next try, Let's Encrypt with mixed-content warnings; next try, again MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT.

My own .NET tool, two runs one second apart:

D:\temp>download https://beta.santa-ana.org/ -h
SystemDefault
SSL certificate is valid
Link: https://beta.santa-ana.org/home; rel="alternate"; hreflang="en",; rel="canonical",</node/40>; rel="shortlink",; rel="revision"
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
X-Generator: Drupal 8 (https://www.drupal.org)
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Cache-Control: must-revalidate, no-cache, private
Content-Type: text/html; charset=UTF-8
Date: Fri, 28 Sep 2018 21:25:36 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)

Status: 200 OK

1802,47 milliseconds
1,80 seconds

D:\temp>download https://beta.santa-ana.org/ -h
SystemDefault
Only SslPolicyErrors.RemoteCertificateChainErrors found
Self-signed root
X-Drupal-Dynamic-Cache: MISS
Link: https://beta.santa-ana.org/home; rel="alternate"; hreflang="en",; rel="canonical",</node/40>; rel="shortlink",; rel="revision"
X-UA-Compatible: IE=edge
Content-language: en
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Vary: Accept-Encoding
X-Generator: Drupal 8 (https://www.drupal.org)
X-Drupal-Cache: MISS
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Cache-Control: must-revalidate, no-cache, private
Content-Type: text/html; charset=UTF-8
Date: Fri, 28 Sep 2018 21:25:38 GMT
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Server: Apache/2.4.18 (Ubuntu)

Status: 200 OK

1707,79 milliseconds
1,71 seconds

The first is OK, the second is self-signed.

But: There is one difference:

X-Drupal-Dynamic-Cache: MISS

This header is sent with the self-signed certificate. It looks like there is a Drupal function you should deactivate or check.
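
A check that narrows this kind of problem down, as an added example that is not part of either post above: apache2ctl -S only parses the configuration files on disk, it says nothing about what the worker processes that are actually bound to port 443 have loaded. The script below handshakes with the host several times (with SNI, and once without it, which is what older clients and many backend fetchers send), fingerprints the leaf certificate returned by each handshake, prints the fingerprint of the certificate certbot wrote to disk for comparison, and lists every process listening on the port. Two different fingerprints over a run of handshakes, or more than one PID bound to :443, points at a stale apache2 process or a second listener rather than at anything the application does. The host name is the one from the thread; the /etc/letsencrypt/live/<name>/cert.pem path is certbot's default layout and is assumed here, as is the presence of openssl and ss on the server.

```shell
# probe_cert.sh: find out which certificate a TLS listener really serves.
# Added example, not code from the thread. Assumes openssl and ss are
# installed and that certbot used its default live/ layout (assumption).

HOST=${HOST:-beta.santa-ana.org}
PORT=${PORT:-443}
LIVE_CERT=${LIVE_CERT:-/etc/letsencrypt/live/$HOST/cert.pem}

# OpenSSL >= 1.1.1 sends SNI by default and needs -noservername to suppress
# it; older builds send none unless -servername is given, so print nothing.
no_sni_flag() {
  if openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
    echo -noservername
  fi
}

# One handshake; prints the SHA-256 fingerprint of the leaf certificate.
# $3 is the SNI name, or "" to handshake without SNI.
probe_once() {
  if [ -n "$3" ]; then sni="-servername $3"; else sni=$(no_sni_flag); fi
  printf '' | openssl s_client -connect "$1:$2" $sni 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null \
    | sed 's/^.*=//'
}

# $4 handshakes in a row, one fingerprint per line.
probe_many() {
  i=0
  while [ "$i" -lt "$4" ]; do probe_once "$1" "$2" "$3"; i=$((i+1)); done
}

# Number of distinct non-empty lines on stdin. One healthy vhost gives 1;
# a server alternating between two certificates gives 2.
distinct_count() { grep -v '^$' | sort -u | wc -l | tr -d ' '; }

# Turn that count into a verdict.
verdict() {
  case "$1" in
    0) echo unreachable ;;
    1) echo stable ;;
    *) echo flapping ;;
  esac
}

# Every process bound to the port. A second PID (an old apache2 that
# survived the restarts, another daemon) explains alternating certificates.
listeners() { ss -tlnp "sport = :$1" 2>/dev/null; }

main() {
  echo "== certificate on disk ($LIVE_CERT)"
  openssl x509 -in "$LIVE_CERT" -noout -fingerprint -sha256 2>/dev/null \
    || echo "(not readable)"
  echo "== served with SNI=$HOST, 10 handshakes"
  seen=$(probe_many "$HOST" "$PORT" "$HOST" 10)
  printf '%s\n' "$seen" | grep -v '^$' | sort | uniq -c
  echo "verdict: $(verdict "$(printf '%s\n' "$seen" | distinct_count)")"
  echo "== served without SNI"
  probe_once "$HOST" "$PORT" ""
  echo "== processes listening on :$PORT"
  listeners "$PORT"
}

case "${1:-}" in --run) main ;; esac
```

Run it on the server itself as `sh probe_cert.sh --run` (so that ss can show PIDs, run it as root). If the served fingerprint matches the on-disk one in every handshake but a browser still complains, the problem is in the client's path (a proxy, a cached connection); if the fingerprints alternate, look at the listener list before touching the application.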


#3

Thanks, that actually gives me a lot to look for. I attempted to flush my Drupal cache but the same problem persists. I might have to ask over there why it’s caching a cert that doesn’t even exist on my server anymore.


#4

I think this is resolved. Knocks on the oldest tree in the forest. After clearing my application cache and restarting apache2 a number of times didn't do anything, I just decided to reboot the entire server, and it now appears to be fine.

