CAA record & Certificate does not match name wo-lar.com

First question is arround CAA. I updated my BIND zone files (reverse and forward) with
"wo-lar.com. IN CAA 0 issue “letsencrypt.org”, but the SSL tests still show : DNS CAA No

The 2nd question is related to how to fix that the domain name does not match the certificate common name or SAN! I googled quite a bit, but cannot find a fix

My domain is: wo-lar.com (dynamic IP)

I ran this command:
https://www.ssllabs.com/ssltest/analyze.html?d=wo-lar.com

It produced this output:
Subject wolar-lhs
Fingerprint SHA256: a424212ba07dda51cc7bfb7ee2a4a5b52468443deb4488089898707703d8a227
Pin SHA256: nQeuKBb5webV2z0v0dHN0XIuIsA9geRwoBt43x+p62c=
Common names wolar-lhs
Alternative names - INVALID

I also tried to replace the certificate by running:
certbot --apache -d wo-lar.com -d www.wo-lar.com --expand

My web server is (include version): httpd 2.4

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810

My hosting provider, if applicable, is: Home Server

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Command line

Thanks for helping, Wolfgang

Did you update the authorative Internet nameservers for your domain (wo-lar.com)?:
dns1.zoneedit.com
dns2.zoneedit.com
dns3.zoneedit.com

The cert in use is NOT from LetsEncrypt (it is self-signed).
Please show:
The config file that covers server name "wo-lar.com" for port 443.
certbot certificates

dns1.zoneedit.com. No, I did not update4 that. Thanks.

[root@home sites-available]# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

---

Found the following certs:
Certificate Name: wo-lar.com
Domains: wo-lar.com www.wo-lar.com
Expiry Date: 2019-03-11 11:27:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/wo-lar.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/wo-lar.com/privkey.pem

The config file that covers wo-lar.com on port 443:

<VirtualHost *:443>
ServerAdmin root@wo-lar.com
ServerName www.wo-lar.com
ServerAlias wo-lar.com
DocumentRoot /var/www/wo-lar.com/html

ErrorLog  /var/log/httpd/wo-lar_error.log
CustomLog /var/log/httpd/wo-lar_requests.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wo-lar.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wo-lar.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/wo-lar.com/chain.pem

That is a good cert

and the vhost config appears to be using those same files:

Have you restarted the web service?
If not, please restart it.
If so, please show:
grep -Eri 'virtualhost|443|servername|serveralias|sslcert' /etc/apache2/
or maybe
grep -Eri 'virtualhost|443|servername|serveralias|sslcert' /etc/httpd/

The mistake must be the two lines in ../ssl.conf that are not commented out.
Thaks for pointing me tot hat. Wolfgang

/etc/httpd/conf/httpd.conf:ServerName www.wo-lar.com:80
/etc/httpd/conf.d/ssl.conf:Listen 443 https
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:
/etc/httpd/sites-available/wo-lar.com.conf:<VirtualHost *:80>
/etc/httpd/sites-available/wo-lar.com.conf: ServerName www.wo-lar.com
/etc/httpd/sites-available/wo-lar.com.conf: ServerAlias wo-lar.com
/etc/httpd/sites-available/wo-lar.com.conf:
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:<VirtualHost *:443>
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf: ServerName www.wo-lar.com
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf: ServerAlias wo-lar.com
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/wo-lar.com/cert.pem
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/wo-lar.com/privkey.pem
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:SSLCertificateChainFile /etc/letsencrypt/live/wo-lar.com/chain.pem
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf:

This looks wonky:

Please show the entire file:
/etc/httpd/conf/httpd.conf

ServerRoot “/etc/httpd”

Listen 80

Include conf.modules.d/*.conf

User apache
Group apache

ServerAdmin root@wo-lar.com

ServerName www.wo-lar.com:80

AllowOverride none Require all denied

DocumentRoot “/var/www/html”

<Directory “/var/www”>
AllowOverride None
# Allow open access:
Require all granted

<Directory “/var/www/html”>
AllowOverride None
Require all granted

DirectoryIndex index.html index.htm index.php

<Files “.ht*”>
Require all denied

ErrorLog “logs/error_log”

LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined LogFormat "%h %l %u %t \"%r\" %>s %b" common

<IfModule logio_module>
  # You need to enable mod_logio.c to use %I and %O
  LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
</IfModule>

CustomLog "logs/access_log" combined

ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory “/var/www/cgi-bin”>
AllowOverride None
Options None
Require all granted

TypesConfig /etc/mime.types AddType application/x-compress .Z AddType application/x-gzip .gz .tgz

AddType text/html .shtml
AddOutputFilter INCLUDES .shtml

AddDefaultCharset UTF-8

MIMEMagicFile conf/magic

EnableSendfile on

ServerTokens Prod
ServerSignature Off

IncludeOptional conf.d/.conf
IncludeOptional sites-enabled/.conf

Include /etc/httpd/sites-available/wo-lar.com-le-ssl.conf

Sorry, this is the file with the problem:
/etc/httpd/conf.d/ssl.conf

But what is the problem?
I commented out
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
But not apache does not start anymore.

wolfgan

Please show the file:
/etc/httpd/conf.d/ssl.conf
Commenting out the lines that load the cert only makes that portion of the config fail.

Here are all uncommented lines opf the file.
Btw, I reran the cerboot procedure for a new certificate again. But no change
Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300

SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

<Files ~ “.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars

<Directory “/var/www/cgi-bin”>
SSLOptions +StdEnvVars

BrowserMatch “MSIE [2-5]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0

CustomLog logs/ssl_request_log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%r” %b”

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains”
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache “shmcb:logs/stapling-cache(150000)”

I ran a find on my hard disk on search for the common name in the certificate.
This has nothing to do with the certificates, or???

[root@home wp.rauchholz]# find /etc -type f -print0 | xargs -0 grep -i wolar-lhs
/etc/default/grub:GRUB_CMDLINE_LINUX=“crashkernel=auto rd.lvm.lv=centos_wolar-lhs/root rd.lvm.lv=centos_wolar-lhs/swap rhgb quiet”
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg:creation_host = “wolar-lhs” # Linux wolar-lhs 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg:centos_wolar-lhs {
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg: creation_host = “wolar-lhs”
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg: creation_host = “wolar-lhs”
/etc/lvm/archive/centos_wolar-lhs_00000-571393968.vg: creation_host = “wolar-lhs”
/etc/lvm/backup/centos_wolar-lhs:creation_host = “wolar-lhs” # Linux wolar-lhs 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64
/etc/lvm/backup/centos_wolar-lhs:centos_wolar-lhs {
/etc/lvm/backup/centos_wolar-lhs: creation_host = “wolar-lhs”
/etc/lvm/backup/centos_wolar-lhs: creation_host = “wolar-lhs”
/etc/lvm/backup/centos_wolar-lhs: creation_host = “wolar-lhs”

Please show:
ls -l /etc/httpd/sites-available/
ls -l /etc/httpd/sites-enabled/
/etc/httpd/sites-available/wo-lar.com-le-ssl.conf

In the meantime remove the comments to the ssl.conf cert files and also modify the line
<virtualhost _default_:443>
to
<virtualhost 127.0.0.1:443>

Thank you!!!
It was <virtualhost default:443> that caused this.
Now, I did not set it like that. Why is this in the standard config?

Thak you very much. Wolfgang

I'm glad it is working... But...

I'm pretty certain that your config is still not 100%.
The only reason that made it work is that now you only have one vhost serving *.443
So ALL https traffic goes there.
As soon as you try to add another site things will go bad again.

Ok, here we go.

[root@home wp.rauchholz]# ls -l /etc/httpd/sites-available/
total 8
-rw-r--r-- 1 root root 912 Dec 11 15:45 wo-lar.com.conf
-rw-r--r-- 1 root root 1014 Dec 11 15:45 wo-lar.com-le-ssl.conf
[root@home wp.rauchholz]# ls -l /etc/httpd/sites-enabled/
total 0
lrwxrwxrwx 1 root root 42 Dec 11 09:59 wo-lar.com.conf -> /etc/httpd/sites-available/wo-lar.com.conf

ServerAdmin root@wo-lar.com ServerName www.wo-lar.com ServerAlias wo-lar.com DocumentRoot /var/www/wo-lar.com/html ErrorLog /var/log/httpd/wo-lar_error.log CustomLog /var/log/httpd/wo-lar_requests.log combined

#RewriteEngine on
#RewriteCond %{SERVER_NAME} =wo-lar.com [OR]
#RewriteCond %{SERVER_NAME} =www.wo-lar.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/wo-lar.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/wo-lar.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/wo-lar.com/chain.pem

Maybe you can upload the file: /etc/httpd/sites-available/wo-lar.com-le-ssl.conf
The text shown is missing the “virtualhost” and maybe more.

Not sure why, but I get this message when trying to upload: Sorry, new users can not upload attachments.

Listen 443 https
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout 300
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost 127.0.0.1:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
<Files ~ “.(cgi|shtml|phtml|php3?)$”>
SSLOptions +StdEnvVars

<Directory “/var/www/cgi-bin”>
SSLOptions +StdEnvVars

BrowserMatch “MSIE [2-5]”
nokeepalive ssl-unclean-shutdown
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log
“%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x “%r” %b”

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
Header always set Strict-Transport-Security “max-age=63072000; includeSubdomains”
Header always set X-Frame-Options DENY
Header always set X-Content-Type-Options nosniff
SSLCompression off
SSLUseStapling on
SSLStaplingCache “shmcb:logs/stapling-cache(150000)”

That doesn’t seem like the right file.
Try using paste.bin or anything like that.