Certificate mismatch generate ssl for www or non-www first?


#1

Hi,

I have a strange problem with all the domain-names on my server. When visiting the domain-names url with https://www.sitename.someting they are now all matched to the latest added ssl domain (hocom-advies.nl).
Before they were working fine. Also before adding the new hocom-advies.nl ssl, the server ip-address was resolving to a standard html-page living in /var/www/ or to phpmyadmin. piwik location
like this: 129.210.186.277/phpmyadmin/ now ending up at hocom-advies.nl ?

So for instance if you visit https://www.pizzajolly.nl it says not secure and the certificate is matched to:
www.hocom-advies.nl . just www.pizzajolly.nl or https://pizzajolly.nl or pizzajolly.nl are fine!

HocomAdvies is the latest ssl certificate generated. Searching for a solution or something that causes this behaviour some questions came up:

I’m sure my vhosts in apache2 are all good. Could there be a problem in the DNS record? For hocom-advies.nl there is an A record holding: *.hocom-advies.nl
Can that make the other domains redirect to hocom-advies.nl ? giving the certificate error?

Also I am wondering if the order of domain names when creating the ssl certificate matters?

This is what I used for generating the latest domain-name and for all the others generated before:
certbot certonly --webroot -w /var/www/www.hocom-advies.nl/www -d hocom-advies.nl -d www.hocom-advies.nl

My apache2 vhosts 80 are holding a redirect to https://

So what is the problem here? The DNS setting? Any idea how to solve this and have the url for all individual domains working again without matching to the wrong certificate! :grinning:


#2

What’s this show?

apachectl -t -D DUMP_VHOSTS

It seems like you have your virtual hosts split up in a strange way.

Also:

certbot certificates

#3

Hi @mr_certbot

You use this certonly option, so you must install the certificate manually.

Checking pizzajolly.nl:

CN=pizzajolly.nl
19.11.2018
17.02.2019
kerstpizza.nl, pizzajolly.nl, winterpizza.nl, www.kerstpizza.nl, www.pizzajolly.nl, www.winterpizza.nl - 6 entries

it’s good.

So your vHost with www.pizzajolly.nl is wrong or missing. Do you have a ServerAlias directive in your pizzajolly.nl - block?

Your www version uses the other certificate. That may be the standard configuration.


#4

Thanks @az and @JuergenAuer, your replies put me in the right direction. So if I am right, then the problem is caused by the missing “server alias” in the *:443 Vhosts, since the one with the alias in it is working fine :slight_smile: Will adapt the others and see what’s happening next.

result of certbot certificates:
https://pastebin.com/Rbxf0p5q

And the result of apachectl -t -D DUMP_VHOSTS:
https://pastebin.com/uQGAVj6f



#5

I agree, that is probably the solution.

If you added ServerAlias www.pizzajolly.nl under the following vhost, I think your original problem should be solved:

port 443 namevhost pizzajolly.nl (/etc/apache2/sites-enabled/pizzajolly.nl-ssl.conf:1)
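
Added example, not part of the thread or any poster's code: a Python check that parses `apachectl -t -D DUMP_VHOSTS` output and reports which hostnames match no port-443 vhost name or alias, and so are answered by the default vhost with its certificate. The dump is a constructed sample (the hocom-advies.nl lines and file path are assumptions); `parse_dump` and `served_by` are hypothetical helper names.

```python
import fnmatch
import re

# Constructed sample of `apachectl -t -D DUMP_VHOSTS` output, not the poster's real dump.
SAMPLE_DUMP = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server hocom-advies.nl (/etc/apache2/sites-enabled/hocom-advies.nl-ssl.conf:1)
         port 443 namevhost hocom-advies.nl (/etc/apache2/sites-enabled/hocom-advies.nl-ssl.conf:1)
                 alias www.hocom-advies.nl
         port 443 namevhost pizzajolly.nl (/etc/apache2/sites-enabled/pizzajolly.nl-ssl.conf:1)
"""

DEFAULT_RE = re.compile(r"^\s+default server (\S+) ")
VHOST_RE = re.compile(r"^\s+port \d+ namevhost (\S+) ")
ALIAS_RE = re.compile(r"^\s+(?:wild )?alias (\S+)")

def parse_dump(text, port="443"):
    """Return (default_vhost, {name_or_alias: owning_vhost}) for one port."""
    default, names, current, in_port = None, {}, None, False
    for line in text.splitlines():
        if line and not line[0].isspace():
            # A column-0 line such as "*:443 is a NameVirtualHost" opens a section.
            in_port = line.split()[0].endswith(":" + port)
            continue
        if not in_port:
            continue
        if m := DEFAULT_RE.match(line):
            default = m.group(1)
        elif m := VHOST_RE.match(line):
            current = m.group(1)
            names.setdefault(current, current)
        elif (m := ALIAS_RE.match(line)) and current:
            names.setdefault(m.group(1), current)
    return default, names

def served_by(hostname, default, names):
    """Return (vhost, fell_through); fell_through means no ServerName/ServerAlias matched."""
    for pattern, vhost in names.items():
        if fnmatch.fnmatchcase(hostname.lower(), pattern.lower()):
            return vhost, False
    return default, True

if __name__ == "__main__":
    default, names = parse_dump(SAMPLE_DUMP)
    for host in ("pizzajolly.nl", "www.pizzajolly.nl"):  # names from the certificate above
        vhost, fell = served_by(host, default, names)
        note = "NO MATCH, default vhost answers: " if fell else "matched vhost: "
        print(f"{host:22} {note}{vhost}")
```

Feeding it the hostnames listed by `certbot certificates` shows every certificate name that still lacks a matching `ServerName` or `ServerAlias` on port 443.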

#6

Hi, your help solved most of my problems. And created some new ones which have nothing to do with the ssl certificate but with TYPOs cms :slight_smile: Which also has some internal rewriting. So I have to sort that out next. Thanks for your help. At least now the domain url-s are pointing to the right certificate.