When I check my domain with
https://www.ssllabs.com/ssltest/analyze.html?d=everynoise.com
I get an "A", and "Certificate #1" (issued 8/16 by LE) looks great. But there's also a "Certificate #2" (issued 6/16 by LE) that expired a few days ago. Is that normal or weird? It seems weird. Is it a thing that should be fixed, and if so, do I fix it on my end or do you fix it on yours?
Here is my previous support thread, which might have the answer somewhere in it, if I understood all these things better...:
glenn
1 Like
rg305
September 20, 2021, 2:24pm
2
glennpmcdonald:
Is that normal or weird?
Not normal.
It seems that your config is serving two certs (RSA 4096 & RSA 2048).
Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS
2 Likes
VirtualHost configuration:
*:443 everynoise.com (/etc/apache2/sites-enabled/000-default-le-ssl.conf:2)
*:80 everynoise.com (/etc/apache2/sites-enabled/000-default.conf:1)
1 Like
rg305
September 20, 2021, 2:37pm
4
OK, please show the file:
/etc/apache2/sites-enabled/000-default-le-ssl.conf
2 Likes
/etc/apache2/sites-enabled/000-default-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com
    ServerName everynoise.com
    ServerAdmin glennm@spotify.com
    DocumentRoot /var/www/html
    <Directory "/var/www/html/">
        Options +ExecCGI -Indexes
        AddHandler cgi-script .cgi
        AllowOverride All
        Require all granted
        DirectoryIndex engenremap.html
    </Directory>
    <FilesMatch "\.py$">
        Require all denied
    </FilesMatch>
    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
    SSLCertificateFile /etc/letsencrypt/live/everynoise.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/everynoise.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>
1 Like
rg305
September 20, 2021, 2:43pm
6
Please show the output of:
ls -l /etc/letsencrypt/live/everynoise.com/
ps -ef | grep apache | grep -v grep
2 Likes
ls -ls /etc/letsencrypt/live/everynoise.com
total 4
4 -rw-r--r-- 1 root root 692 Feb 16 2021 README
0 lrwxrwxrwx 1 root root 38 Aug 16 02:08 cert.pem -> ../../archive/everynoise.com/cert4.pem
0 lrwxrwxrwx 1 root root 39 Aug 16 02:08 chain.pem -> ../../archive/everynoise.com/chain4.pem
0 lrwxrwxrwx 1 root root 43 Aug 16 02:08 fullchain.pem -> ../../archive/everynoise.com/fullchain4.pem
0 lrwxrwxrwx 1 root root 41 Aug 16 02:08 privkey.pem -> ../../archive/everynoise.com/privkey4.pem
ps -ef | grep apache | grep -v grep
www-data 21068 26737 0 06:25 ? 00:00:15 /usr/sbin/apache2 -k start
www-data 21069 26737 0 06:25 ? 00:02:44 /usr/sbin/apache2 -k start
www-data 21127 26737 1 06:25 ? 00:07:45 /usr/sbin/apache2 -k start
root 26737 1 0 Jul11 ? 00:04:01 /usr/sbin/apache2 -k start
www-data 32366 26737 0 Jul16 ? 05:02:29 /usr/sbin/apache2 -k start
1 Like
rg305
September 20, 2021, 2:47pm
8
hmm...
Let's have a look at that public cert.
cat /etc/letsencrypt/live/everynoise.com/fullchain.pem
2 Likes
rg305
September 20, 2021, 2:48pm
9
This one does have a different date/time:
I would try killing it:
kill 32366
and then rerun SSL Labs.
2 Likes
rg305
September 20, 2021, 2:53pm
12
The certs are correct, so the problem is not there.
2 Likes
Yes, after killing that old process I no longer see Cert #2 in the SSL Labs report.
So the theory is that the current config is all fine, but I had a long-running apache process left over that still knew about an old one?
1 Like
rg305
September 20, 2021, 2:55pm
14
Exactly.
One process was still stuck with an old(er) cert.
The other processes have the newest one.
SSL Labs (makes multiple connections and) saw, and listed, them both.
2 Likes
Awesome. Thanks for your help. Now I know another thing to check. Ignorance erodes!
3 Likes
rg305
September 20, 2021, 3:13pm
16
That's another reason for me NOT to use Apache
- LOL
Glad I could help
Cheers from Miami
#FreeCUBA
2 Likes
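A server-side version of the check this thread arrived at, as an added example (not code from the thread, Certbot or Apache): it flags worker processes that were started before the certificate was last renewed. The function names are hypothetical, the sample process list is constructed around the PIDs shown above with made-up timestamps, and the renewal time is the symlink date from the `ls` output with the year 2021 assumed.

```python
from datetime import datetime

# Constructed sample of `LC_ALL=C ps -o pid=,ppid=,lstart=,args= -C apache2`.
# PIDs match the thread; the full start timestamps are made up for illustration.
SAMPLE_PS = """\
21068 26737 Mon Sep 20 06:25:01 2021 /usr/sbin/apache2 -k start
21069 26737 Mon Sep 20 06:25:01 2021 /usr/sbin/apache2 -k start
21127 26737 Mon Sep 20 06:25:02 2021 /usr/sbin/apache2 -k start
26737     1 Sun Jul 11 09:12:03 2021 /usr/sbin/apache2 -k start
32366 26737 Fri Jul 16 10:00:00 2021 /usr/sbin/apache2 -k start
"""

# Assumed renewal time: "Aug 16 02:08" on the fullchain.pem symlink, year 2021.
CERT_RENEWED = datetime(2021, 8, 16, 2, 8)


def parse_ps(text):
    """Yield (pid, ppid, start) for each line of ps output in the format above."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # blank or truncated line
        # fields[2] is the weekday; the next four fields carry the timestamp.
        start = datetime.strptime(" ".join(fields[3:7]), "%b %d %H:%M:%S %Y")
        yield int(fields[0]), int(fields[1]), start


def stale_workers(ps_text, cert_renewed):
    """Return PIDs of workers started before the certificate was renewed.

    The parent (any PID that other listed processes name as their PPID) is
    skipped: it re-reads the certificate files on each reload, so its start
    time says nothing. A worker keeps the configuration it was forked with.
    """
    procs = list(parse_ps(ps_text))
    parents = {ppid for _, ppid, _ in procs}
    return sorted(pid for pid, _, start in procs
                  if pid not in parents and start < cert_renewed)


if __name__ == "__main__":
    for pid in stale_workers(SAMPLE_PS, CERT_RENEWED):
        print(f"worker {pid} predates the current certificate")
```

On a live host, feed it the real `ps` output and the modification time of the file that `fullchain.pem` points to; any PID it reports is a candidate for the same treatment as 32366 above.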