Certificate returned is same for all subdomain

Xarkam · February 15, 2017, 4:51pm

Hello,

today, I try to make certificate for my server with sub domain.
I’ve 4 subdomain: chat, issues, confluence, repositories

For each subdomain, I make this command
letsencrypt certonly --agree-tos --rsa-key-size 4096 -m webmaster@osames.org -d <DOMAIN>.osames.org --renew-by-default

In apache 2.4, each virtualhost contains
SSLEngine On SSLCertificateFile /etc/letsencrypt/live/<DOMAIN>.osames.org/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/<DOMAIN>.osames.org/privkey.pem SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS SSLHonorCipherOrder on
But, if I use portecle (java app) to check SSL/TLS connection, the response for chat.osames.org and issues.osames.org is the certificate for confluence.osames.org
(here picture: http://i.imgur.com/TjmdzAh.png)

How to make the certificate for each subdomain match the one requested ?

Thanks

serverco · February 15, 2017, 5:06pm

There is something odd with the way you are testing I suspect. For me all look OK …

user@serverco:~$ certinfo confluence.osames.org  
getting cert from server - confluence.osames.org

Certificate chain
 0 s:/CN=confluence.osames.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 15 15:33:00 2017 GMT
Not After : May 16 15:33:00 2017 GMT
Subject: CN=confluence.osames.org
Public Key Algorithm: rsaEncryption
DNS:confluence.osames.org


user@serverco:~$ certinfo issues.osames.org  
getting cert from server - issues.osames.org

Certificate chain
 0 s:/CN=issues.osames.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 15 15:32:00 2017 GMT
Not After : May 16 15:32:00 2017 GMT
Subject: CN=issues.osames.org
Public Key Algorithm: rsaEncryption
DNS:issues.osames.org


user@serverco:~$ certinfo chat.osames.org  
getting cert from server - chat.osames.org

Certificate chain
 0 s:/CN=chat.osames.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Certificate:
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Feb 15 15:33:00 2017 GMT
Not After : May 16 15:33:00 2017 GMT
Subject: CN=chat.osames.org
Public Key Algorithm: rsaEncryption
DNS:chat.osames.org

pfg · February 15, 2017, 5:11pm

This seems to indicate that portecle does not support SNI prior to version 1.10 (released 2016-02-04). Without SNI, you’re effectively limited to one certificate per IP address.

SNI support is pretty good nowadays. If you really need to use software that does not support SNI, you can instead obtain one certificate that covers all your domain names (often called a multi-SAN certificate). You can do that by simply passing multiple -d arguments to the client, i.e. -d confluence.osames.org -d issues.osames.org ..., or alternatively get additional IP addresses and use one per certificate.

serverco · February 15, 2017, 5:17pm

I’d agree - the odd thing is if you check the IP (without SNI) then the cert is for cloud.osames.org

Xarkam · February 15, 2017, 5:51pm

Ok, I tested with KeyExplorer and i’ts correct.

I see with Atlassian why have one error:
2017-02-15 18:05:03,272 http-bio-8443-exec-4 ERROR anonymous 1085x566x1 - 213.47.56.124,0:0:0:0:0:0:0:1 / [c.a.g.r.internal.http.HttpClientFetcher] Unable to perform a request to: https://issues.osames.org/rest/gadgets/1.0/g/messagebundle/und/gadget.common%2Cgadget.project javax.net.ssl.SSLPeerUnverifiedException: Host name 'issues.osames.org' does not match the certificate subject provided by the peer (CN=cloud.osames.org)

Because I verified my java keystore and he have the good informations.

Thanks.

system · March 17, 2017, 5:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Separated Certs Issue for same Domain (Different Sub Domains)	3	2039	November 12, 2015
Let's Encrypt Certificates for multiple domains and sub-domains on same server Help	3	6805	April 6, 2017
Using LetsEncrypt on multiple domains Server	8	11144	May 8, 2016
Sub-Domain ok but not those with other SSL port Help	2	581	March 4, 2020
Several subdomains (and domains) on same IP Server	3	3570	August 19, 2018

Certificate returned is same for all subdomain

Related topics