CAA record & Certificate does not match name wo-lar.com


#1

First question is arround CAA. I updated my BIND zone files (reverse and forward) with
"wo-lar.com. IN CAA 0 issue “letsencrypt.org”, but the SSL tests still show : DNS CAA No

The 2nd question is related to how to fix that the domain name does not match the certificate common name or SAN! I googled quite a bit, but cannot find a fix

My domain is: wo-lar.com (dynamic IP)

I ran this command:
https://www.ssllabs.com/ssltest/analyze.html?d=wo-lar.com

It produced this output:
Subject wolar-lhs
Fingerprint SHA256: a424212ba07dda51cc7bfb7ee2a4a5b52468443deb4488089898707703d8a227
Pin SHA256: nQeuKBb5webV2z0v0dHN0XIuIsA9geRwoBt43x+p62c=
Common names wolar-lhs
Alternative names - INVALID

I also tried to replace the certificate by running:
certbot --apache -d wo-lar.com -d www.wo-lar.com --expand

My web server is (include version): httpd 2.4

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810

My hosting provider, if applicable, is: Home Server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Command line

Thanks for helping, Wolfgang


#2

Did you update the authorative Internet nameservers for your domain (wo-lar.com)?:
dns1.zoneedit.com
dns2.zoneedit.com
dns3.zoneedit.com

The cert in use is NOT from LetsEncrypt (it is self-signed).
Please show:
The config file that covers server name “wo-lar.com” for port 443.
certbot certificates


#3

dns1.zoneedit.com. No, I did not update4 that. Thanks.

[root@home sites-available]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: wo-lar.com
Domains: wo-lar.com www.wo-lar.com
Expiry Date: 2019-03-11 11:27:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/wo-lar.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wo-lar.com/privkey.pem

The config file that covers wo-lar.com on port 443:

<VirtualHost *:443>
ServerAdmin root@wo-lar.com
ServerName www.wo-lar.com
ServerAlias wo-lar.com
DocumentRoot /var/www/wo-lar.com/html

ErrorLog  /var/log/httpd/wo-lar_error.log
CustomLog /var/log/httpd/wo-lar_requests.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wo-lar.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wo-lar.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/wo-lar.com/chain.pem


#4

That is a good cert

and the vhost config appears to be using those same files:

Have you restarted the web service?
If not, please restart it.
If so, please show:
grep -Eri 'virtualhost|443|servername|serveralias|sslcert' /etc/apache2/
or maybe
grep -Eri 'virtualhost|443|servername|serveralias|sslcert' /etc/httpd/


#5

The mistake must be the two lines in …/ssl.conf that are not commented out.
Thaks for pointing me tot hat. Wolfgang

/etc/httpd/conf/httpd.conf:ServerName www.wo-lar.com:80
/etc/httpd/conf.d/ssl.conf:Listen 443 https
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/sites-available/wo-lar.com.conf:<VirtualHost *:80>
/etc/httpd/sites-available/wo-lar.com.conf: ServerName www.wo-lar.com
/etc/httpd/sites-available/wo-lar.com.conf: ServerAlias wo-lar.com
/etc/httpd/sites-available/wo-lar.com.conf:
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:<VirtualHost *:443>
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf: ServerName www.wo-lar.com
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf: ServerAlias wo-lar.com
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/wo-lar.com/cert.pem
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/wo-lar.com/privkey.pem
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/wo-lar.com/chain.pem
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:


#6

This looks wonky:

Please show the entire file:
/etc/httpd/conf/httpd.conf


#7

ServerRoot “/etc/httpd”

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@wo-lar.com

ServerName www.wo-lar.com:80

AllowOverride none Require all denied

DocumentRoot “/var/www/html”

<Directory “/var/www”>
AllowOverride None
# Allow open access:
Require all granted

<Directory “/var/www/html”>
AllowOverride None
Require all granted

DirectoryIndex index.html index.htm index.php

<Files “.ht*”>
Require all denied

ErrorLog “logs/error_log”

LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common
<IfModule logio_module>
  # You need to enable mod_logio.c to use %I and %O
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog "logs/access_log" combined
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory “/var/www/cgi-bin”>
AllowOverride None
Options None
Require all granted

TypesConfig /etc/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz
AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

AddDefaultCharset UTF-8

MIMEMagicFile conf/magic

EnableSendfile on

ServerTokens Prod
ServerSignature Off

IncludeOptional conf.d/.conf
IncludeOptional sites-enabled/
.conf

Include /etc/httpd/sites-available/wo-lar.com-le-ssl.conf


#8

Sorry, this is the file with the problem:
/etc/httpd/conf.d/ssl.conf


#9

But what is the problem?
I commented out
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
But not apache does not start anymore.

wolfgan


#10

Please show the file:
/etc/httpd/conf.d/ssl.conf
Commenting out the lines that load the cert only makes that portion of the config fail.


#11

Here are all uncommented lines opf the file.
Btw, I reran the cerboot procedure for a new certificate again. But no change
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Files ~ “.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars

<Directory “/var/www/cgi-bin”>
SSLOptions +StdEnvVars

BrowserMatch “MSIE [2-5]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%r” %b”

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains”
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache “shmcb:logs/stapling-cache(150000)”


#12

I ran a find on my hard disk on search for the common name in the certificate.
This has nothing to do with the certificates, or???

[root@home wp.rauchholz]# find /etc -type f -print0 | xargs -0 grep -i wolar-lhs
/etc/default/grub:GRUB_CMDLINE_LINUX=“crashkernel=auto rd.lvm.lv=centos_wolar-lhs/root rd.lvm.lv=centos_wolar-lhs/swap rhgb quiet”
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg:creation_host = “wolar-lhs” # Linux wolar-lhs 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg:centos_wolar-lhs {
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg: creation_host = “wolar-lhs”
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg: creation_host = “wolar-lhs”
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg: creation_host = “wolar-lhs”
/etc/lvm/backup/centos_wolar-lhs:creation_host = “wolar-lhs” # Linux wolar-lhs 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64
/etc/lvm/backup/centos_wolar-lhs:centos_wolar-lhs {
/etc/lvm/backup/centos_wolar-lhs: creation_host = “wolar-lhs”
/etc/lvm/backup/centos_wolar-lhs: creation_host = “wolar-lhs”
/etc/lvm/backup/centos_wolar-lhs: creation_host = “wolar-lhs”


#13

Please show:
ls -l /etc/httpd/sites-available/
ls -l /etc/httpd/sites-enabled/
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf

In the meantime remove the comments to the ssl.conf cert files and also modify the line
<virtualhost _default_:443>
to
<virtualhost 127.0.0.1:443>


#14

Thank you!!!
It was <virtualhost default:443> that caused this.
Now, I did not set it like that. Why is this in the standard config?

Thak you very much. Wolfgang


#15

I’m glad it is working… But…

I’m pretty certain that your config is still not 100%.
The only reason that made it work is that now you only have one vhost serving *.443
So ALL https traffic goes there.
As soon as you try to add another site things will go bad again.


#16

Ok, here we go.

[root@home wp.rauchholz]# ls -l /etc/httpd/sites-available/
total 8
-rw-r–r-- 1 root root 912 Dec 11 15:45 wo-lar.com.conf
-rw-r–r-- 1 root root 1014 Dec 11 15:45 wo-lar.com-le-ssl.conf
[root@home wp.rauchholz]# ls -l /etc/httpd/sites-enabled/
total 0
lrwxrwxrwx 1 root root 42 Dec 11 09:59 wo-lar.com.conf -> /etc/httpd/sites-available/wo-lar.com.conf


#17
ServerAdmin root@wo-lar.com ServerName www.wo-lar.com ServerAlias wo-lar.com DocumentRoot /var/www/wo-lar.com/html ErrorLog /var/log/httpd/wo-lar_error.log CustomLog /var/log/httpd/wo-lar_requests.log combined

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =wo-lar.com [OR]
#RewriteCond %{SERVER_NAME} =www.wo-lar.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wo-lar.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wo-lar.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/wo-lar.com/chain.pem


#18

Maybe you can upload the file: /etc/httpd/sites-available/wo-lar.com-le-ssl.conf
The text shown is missing the “virtualhost” and maybe more.


#19

Not sure why, but I get this message when trying to upload: Sorry, new users can not upload attachments.

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 127.0.0.1:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ “.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars

<Directory “/var/www/cgi-bin”>
SSLOptions +StdEnvVars

BrowserMatch “MSIE [2-5]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%r” %b”

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains”
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache “shmcb:logs/stapling-cache(150000)”


#20

That doesn’t seem like the right file.
Try using paste.bin or anything like that.