Checking an SSL website - two tools give very different results

I own the domains kirkbymicrowave.co.uk and kirbymicrowave.co.uk. The former is my surname, the latter is a common mis-spelling. I want to redirect any of these 4 mis-spelt ways of calling the site (with/without www, with/without SSL)

http://kirbymicrowave.co.uk (works okay)
http://www.kirbymicrowave.co.uk (fails)
https://kirbymicrowave.co.uk (works okay)
https://www.kirbymicrowave.co.uk (fails)

to https://www.kirkbymicrowave.co.uk/ (i.e, correct spelling, SSL, with the www)

I am unsure of the best way to do this in Apache, but what I currently have in all four virtual hosts is the line

Redirect "/" "https://www.kirkbymicrowave.co.uk/"

I believe this virtual host is working okay.

<VirtualHost 109.228.58.153:80>
    ServerName kirbymicrowave.co.uk
    ServerAdmin drkirkby@kirkbymicrowave.co.uk
    DocumentRoot /var/www/html/kirkbymicrowave.co.uk

    ErrorLog ${APACHE_LOG_DIR}/error-KIRBYMICROWAVE.co.uk-80.log
    CustomLog ${APACHE_LOG_DIR}/access-KIRBYMICROWAVE.co.uk-80.log combined
    Redirect "/" "https://www.kirkbymicrowave.co.uk/"
</VirtualHost>

but this one is not.

<VirtualHost 109.228.58.153:80>
    ServerName www.kirbymicrowave.co.uk
    ServerAdmin drkirkby@kirkbymicrowave.co.uk
    ErrorLog ${APACHE_LOG_DIR}/error-www.KIRBYMICROWAVE.co.uk-80.log
    CustomLog ${APACHE_LOG_DIR}/access-www.KIRBYMICROWAVE.co.uk-80.log combined
    DocumentRoot /var/www/html/kirkbymicrowave.co.uk
    Redirect "/" "https://www.kirkbymicrowave.co.uk/"
</VirtualHost>

Checking the domain with two online tools, gives two very different results.

https://check-your-website.server-daten.de/?q=kirbymicrowave.co.uk says No Trusted Certificate
https://www.ssllabs.com/ssltest/analyze.html?d=kirbymicrowave.co.uk gives the domain a Grade A

My domain is:kirbymicrowave.co.uk

I ran this command:
Accessed two different sites which are supposed to check SSL certificates
https://www.ssllabs.com/ssltest/analyze.html?d=kirbymicrowave.co.uk

It produced this output:

https://check-your-website.server-daten.de/?q=kirbymicrowave.co.uk says No Trusted Certificate
https://www.ssllabs.com/ssltest/analyze.html?d=kirbymicrowave.co.uk gives the domain a Grade A.

I believe the issue may be how I am redirecting the site, as this site is intended only to catch a common mis-spelling of Kirkby. The second K is often omitted, so this domain was purchased to catch those cases.

My web server is (include version): Apache

The operating system my web server runs on is (include version): Debian 9

My hosting provider, if applicable, is:1 and 1

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):0.28.0

It seems to be working (for me).

All four names are redirecting:

curl -Iki http://kirbymicrowave.co.uk/
HTTP/1.1 302 Found
Date: Fri, 22 Nov 2019 23:33:12 GMT
Server: Apache/2.4.25 (Debian)
Location: https://www.kirkbymicrowave.co.uk/

curl -Iki http://www.kirbymicrowave.co.uk/
HTTP/1.1 302 Found
Date: Fri, 22 Nov 2019 23:33:21 GMT
Server: Apache/2.4.25 (Debian)
Location: https://www.kirkbymicrowave.co.uk/

curl -Iki http://kirkbymicrowave.co.uk/
HTTP/1.1 302 Found
Date: Fri, 22 Nov 2019 23:33:25 GMT
Server: Apache/2.4.25 (Debian)
Location: https://www.kirkbymicrowave.co.uk/

curl -Iki http://www.kirkbymicrowave.co.uk/
HTTP/1.1 302 Found
Date: Fri, 22 Nov 2019 23:33:32 GMT
Server: Apache/2.4.25 (Debian)
Location: https://www.kirkbymicrowave.co.uk/

OK: I don’t know where your problem is nor why it is happening…
[although I do have some theories…]

But I do have a highly likely “workaround”.
Try changing the “default” server name to match the name you want to end up at:
from: kirbymicrowave.co.uk
to: www.kirkbymicrowave.co.uk
[in the main file]
[whatever “leak” is occurring may continue to occur but may pour into the right place]

ADDENDUM:
When anyone accesses any of the names or just the IP, they should see the end name.
For the direct IP, they are now getting served by the vhost with a cert for: kirbymicrowave.co.uk.
See for yourself:
openssl s_client -connect 109.228.58.153:443 | grep subject

I’m not sure what you mean by the “main file”.

What determines that kirbymicrowave.co.uk is served if just an IP address is given? Alphabetically it is neither the first nor the last domain.

I’d be a bit concerned if any misconfigured domain happens to go to my company website, as Google might see it as spamming.

Dave

The main conf is: /etc/apache2/apache2.conf
Changing the “servername” there won’t affect any of the sites nor your Google ratings.
[You could use “localhost” there without any issue]
[each vhost has its own “servername” directive]
[this change should not affect your email system]

You could also include a directive “default” in the vhost for “www.kirkbymicrowave.co.uk”
ServerName _default_

I’m thinking it may be more of an alphabetized conf file ordering…
Please show:
ls -l /etc/apache2/sites-enabled/

Hi @drkirkby

read the output.

Ssllabs checks only kirbymicrowave.co.uk.

Check-your-website checks both domain names, non-www and www. And the www has the wrong certificate:

Domainname                         Http-Status                                              Sec.   G
http://kirbymicrowave.co.uk/       109.228.58.153  302  https://www.kirkbymicrowave.co.uk/  0.073  E
http://www.kirbymicrowave.co.uk/   109.228.58.153  302  https://www.kirkbymicrowave.co.uk/  0.074  E
https://kirbymicrowave.co.uk/      109.228.58.153  302  https://www.kirkbymicrowave.co.uk/  3.503  B
https://www.kirbymicrowave.co.uk/  109.228.58.153  302  https://www.kirkbymicrowave.co.uk/  3.520  N
                                   Certificate error: RemoteCertificateNameMismatch
(all four rows: Html is minified: 100,00 %)

The www version uses (see the “Connections and certificates” part of the report)

CN=kirbymicrowave.co.uk
	22.11.2019
	20.02.2020
expires in 89 days	kirbymicrowave.co.uk - 1 entry

so that certificate has only one domain name without www -> Certificate Error.
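The check behind that “RemoteCertificateNameMismatch” verdict, as an added example that is not part of the thread: a stand-alone Python script (standard library only) that decides whether a certificate covers a hostname the way the checking tools do, and can also fetch what a server actually presents, with or without SNI, like the openssl s_client command earlier in the thread. `SAMPLE_CERT` is constructed to mirror the report above (a certificate carrying only kirbymicrowave.co.uk and no www entry); the function names are this example's own.

```python
"""Why a tool reports RemoteCertificateNameMismatch: the hostname-vs-certificate check.

Added example (not code from the thread). Standard library only. The offline part
works on the dict shape that ssl.SSLSocket.getpeercert() returns; SAMPLE_CERT is
constructed to mirror the report above: a certificate carrying only
kirbymicrowave.co.uk and no www entry.
"""
import socket
import ssl

# Constructed to match what check-your-website showed for the www name.
SAMPLE_CERT = {
    "subject": ((("commonName", "kirbymicrowave.co.uk"),),),
    "subjectAltName": (("DNS", "kirbymicrowave.co.uk"),),
}


def cert_dns_names(cert):
    """Names the certificate is valid for: SAN dNSName entries; CN only if there is no SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    # Legacy fallback; modern browsers ignore the CN, so a SAN-less cert fails in them anyway.
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' only as the entire leftmost label, one label deep."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_ok(cert, hostname):
    """True when the certificate covers hostname; False is the mismatch the tools flagged."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))


def check_live(hostname, ip=None, sni=True, port=443, timeout=5):
    """Fetch the certificate a server presents for hostname and run the same check on it.

    sni=False reproduces `openssl s_client -connect IP:443` without -servername: no SNI
    is sent, so Apache answers with its default vhost's certificate. The chain is still
    verified against the system CAs (otherwise getpeercert() returns an empty dict);
    only the hostname check is left to us so a mismatch can be inspected, not just fail.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we do the name check ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain verification on
    with socket.create_connection((ip or hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname if sni else None) as tls:
            cert = tls.getpeercert()
    return cert_dns_names(cert), hostname_ok(cert, hostname)


def explain(cert, hostname):
    """One-line verdict for a hostname against a certificate."""
    names = cert_dns_names(cert)
    verdict = "OK" if hostname_ok(cert, hostname) else "RemoteCertificateNameMismatch"
    return f"{hostname}: {verdict} (certificate names: {', '.join(names)})"


if __name__ == "__main__":
    for host in ("kirbymicrowave.co.uk", "www.kirbymicrowave.co.uk"):
        print(explain(SAMPLE_CERT, host))
    # Live use (needs network), e.g. check_live("www.kirbymicrowave.co.uk")
    # or check_live("kirbymicrowave.co.uk", ip="109.228.58.153", sni=False).
```

Running `check_live` once per spelling (both with SNI, and once against the bare IP without SNI) shows exactly which certificate each name receives; the offline part reproduces the report: the www name is not among the certificate's names, so the check fails regardless of how the redirect is configured.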

The last configuration file in the following list does not contain vhosts associated with kirbymicrowave.co.uk, but instead with kirkbymicrowave.co.uk.

root@localhost:/etc/apache2/sites-enabled# ls -l /etc/apache2/sites-enabled/
total 4
lrwxrwxrwx 1 root root 35 Jun  9  2018 000-default.conf -> ../sites-available/000-default.conf
lrwxrwxrwx 1 root root 36 Jul  1  2018 dhars.org.uk.conf -> ../sites-available/dhars.org.uk.conf
lrwxrwxrwx 1 root root 35 Nov 21 21:12 g8wrb.co.uk.conf -> ../sites-available/g8wrb.co.uk.conf
lrwxrwxrwx 1 root root 44 Jun 16 14:26 KIRBYMICROWAVE.co.uk.conf -> ../sites-available/KIRBYMICROWAVE.co.uk.conf
lrwxrwxrwx 1 root root 61 Nov 22 19:47 KIRBYMICROWAVE.co.uk-le-ssl.conf -> /etc/apache2/sites-available/KIRBYMICROWAVE.co.uk-le-ssl.conf
lrwxrwxrwx 1 root root 43 Jun 16 14:12 kirkbymicrowave.com.conf -> ../sites-available/kirkbymicrowave.com.conf
lrwxrwxrwx 1 root root 55 Jun 16 00:11 kirkbymicrowave.co.uk.conf -> /etc/apache2/sites-available/kirkbymicrowave.co.uk.conf

What are you suggesting I change in /etc/apache2/apache2.conf? I don’t see any default server name there.

I do see this line. I’m not sure what it does, but it looks like it might be relevant.

######## Try SNI
SSLStrictSNIVHostCheck off

PS: And the solution is simple:

You have certificates with one domain name:

Issuer not before not after Domain names LE-Duplicate next LE
Let’s Encrypt Authority X3 2019-11-22 2020-02-20 kirbymicrowave.co.uk - 1 entries duplicate nr. 2
Let’s Encrypt Authority X3 2019-11-22 2020-02-20 www.kirbymicrowave.co.uk - 1 entries duplicate nr. 3
Let’s Encrypt Authority X3 2019-11-22 2020-02-20 www.kirbymicrowave.co.uk - 1 entries duplicate nr. 2
Let’s Encrypt Authority X3 2019-11-22 2020-02-20 kirbymicrowave.co.uk - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-11-18 2020-02-16 www.kirbymicrowave.co.uk - 1 entries duplicate nr. 1
Let’s Encrypt Authority X3 2019-10-13 2020-01-11 www.kirbymicrowave.co.uk - 1 entries

So create vHosts with two domain names (non-www + www) and certificates with two domain names (non-www + www).

That reduces the number of vHosts you have.

If there is any line with "servername"

The "first file" in that folder becomes the default:

when no default is explicitly defined.

Not 100% certain how to explicitly define one...
The simplest solution is to choose the file that contains the servername you want to be the default and rename the link to that file as something that would come alphabetically before 000-default.conf
[keeping the .conf ending]

If I put two virtual hosts in the one certificate, how does one reduce the number of virtual hosts? I just assumed two of them would both use the one certificate. Can one virtual host be used for both the www and the non-www ServerName?

Probably this one:

If so, you can use:

unlink /etc/apache2/sites-enabled/kirkbymicrowave.co.uk.conf
ln -s /etc/apache2/sites-available/kirkbymicrowave.co.uk.conf /etc/apache2/sites-enabled/00000-kirkbymicrowave.co.uk.conf

If you use two "servername" directives in one file.
ServerName domain.com
ServerName www.domain.com
[both in one file]
Then get one cert with both names in it.

You can do that for all 4 names if you like
Or for the 3 names you don't want to use. And send those to the one name you do want.

Yes. That reduces the number of vHosts. One vHost -> one certificate.

ServerName non-www
ServerAlias www

(or changed).

Use

apachectl -S

to check that configuration.
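The two points made above, that the first vhost loaded for an address:port is the default and that one vhost with ServerName plus ServerAlias and a two-name certificate serves both spellings, can be worked through offline. The following is an added example, not code from the thread or from Apache: a small Python model of Apache's name-based virtual host selection. It assumes the Debian layout shown in the listing earlier (apache2.conf includes sites-enabled/*.conf with a wildcard Include, and Apache processes such files in plain byte order, so uppercase names sort before lowercase ones, unlike `ls` in a UTF-8 locale), and that with `SSLStrictSNIVHostCheck off` a client that sends no SNI name is served by the default vhost. Only the file names and the two port-80 vhosts come from the thread; every other vhost definition and certificate content below is an assumption for illustration, and `apachectl -S` on the real server is the ground truth.

```python
"""Which virtual host answers a request, and therefore which certificate is sent?

Added example, not code from the thread or from Apache. Models the selection rule
for name-based virtual hosts:

  * sites-enabled/*.conf is read in byte order (strcmp), not the locale order `ls`
    prints; uppercase sorts before lowercase, '-' before '.' and before digits.
  * For each address:port, the first <VirtualHost> loaded is the default.
  * A request is routed by Host header (or TLS SNI name) to the vhost whose
    ServerName or ServerAlias matches; no match, or no name at all
    (SSLStrictSNIVHostCheck off), lands on the default.

Only the file names and the two port-80 vhosts come from the thread; the rest of
the vhost definitions and the certificate names are assumptions for illustration.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class VHost:
    conf_file: str
    port: int
    server_name: str
    aliases: tuple = ()
    cert_names: tuple = ()  # SAN entries of the certificate this vhost presents (443 only)

    def matches(self, name):
        name = name.lower()
        return name == self.server_name.lower() or any(
            fnmatchcase(name, a.lower()) for a in self.aliases  # ServerAlias allows * and ?
        )


def load_order(files):
    """Order in which Apache reads wildcard-included files: plain byte comparison."""
    return sorted(files, key=str.encode)


def vhosts_for_port(vhosts, files, port):
    """All vhosts bound to `port`, in load order; element 0 is the default."""
    by_file = {f: [v for v in vhosts if v.conf_file == f and v.port == port] for f in files}
    return [v for f in load_order(files) for v in by_file[f]]


def select_vhost(vhosts, files, port, requested_name):
    """`requested_name` is the Host header / SNI name; None means the client sent none."""
    candidates = vhosts_for_port(vhosts, files, port)
    if not candidates:
        return None
    if requested_name is not None:
        for v in candidates:
            if v.matches(requested_name):
                return v
    return candidates[0]


def cert_covers(vhost, name):
    """Does the selected vhost's certificate carry `name`? False is the tools' name mismatch."""
    return vhost is not None and name.lower() in {n.lower() for n in vhost.cert_names}


def report(vhosts, files, name):
    """What an HTTPS client asking for `name` gets: (serving vhost, certificate covers name?)."""
    v = select_vhost(vhosts, files, 443, name)
    return (v.server_name if v else None, cert_covers(v, name))


# File names exactly as listed in the thread.
FILES = [
    "000-default.conf", "dhars.org.uk.conf", "g8wrb.co.uk.conf",
    "KIRBYMICROWAVE.co.uk.conf", "KIRBYMICROWAVE.co.uk-le-ssl.conf",
    "kirkbymicrowave.com.conf", "kirkbymicrowave.co.uk.conf",
]
AS_POSTED = [
    VHost("000-default.conf", 80, "localhost"),                       # Debian stock file (assumed)
    VHost("KIRBYMICROWAVE.co.uk.conf", 80, "kirbymicrowave.co.uk"),    # shown in the question
    VHost("KIRBYMICROWAVE.co.uk.conf", 80, "www.kirbymicrowave.co.uk"),
    VHost("KIRBYMICROWAVE.co.uk-le-ssl.conf", 443, "kirbymicrowave.co.uk",
          cert_names=("kirbymicrowave.co.uk",)),                       # one-name cert, no www vhost (assumed)
    VHost("kirkbymicrowave.co.uk.conf", 443, "www.kirkbymicrowave.co.uk",
          cert_names=("kirkbymicrowave.co.uk", "www.kirkbymicrowave.co.uk")),  # assumed
]
# The consolidation suggested in the thread: one vhost per port, ServerAlias for www,
# one certificate carrying both names.
CONSOLIDATED = [
    AS_POSTED[0],
    VHost("KIRBYMICROWAVE.co.uk.conf", 80, "kirbymicrowave.co.uk",
          aliases=("www.kirbymicrowave.co.uk",)),
    VHost("KIRBYMICROWAVE.co.uk-le-ssl.conf", 443, "kirbymicrowave.co.uk",
          aliases=("www.kirbymicrowave.co.uk",),
          cert_names=("kirbymicrowave.co.uk", "www.kirbymicrowave.co.uk")),
    AS_POSTED[4],
]

if __name__ == "__main__":
    print("load order:", load_order(FILES))
    print("bare IP, no SNI ->", select_vhost(AS_POSTED, FILES, 443, None).server_name)
    for name in ("kirbymicrowave.co.uk", "www.kirbymicrowave.co.uk"):
        print(name, "as posted ->", report(AS_POSTED, FILES, name),
              "consolidated ->", report(CONSOLIDATED, FILES, name))
```

Under these assumptions the model reproduces the bare-IP observation from earlier in the thread: in byte order `KIRBYMICROWAVE.co.uk-le-ssl.conf` is the first file with a port-443 vhost, so that vhost's certificate is what a client without SNI receives. It also shows why a name with no matching 443 vhost falls back to that default and fails the certificate check, and that the consolidated vhost with the two-name certificate passes for both spellings. One caveat on the renaming idea: in byte order `-` sorts before `0`, so `00000-…conf` lands after `000-default.conf`, whereas `00-…conf` lands before it; whichever name is chosen, `apachectl -S` prints the default server per address:port and is the check to run.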

I still feel there is some… “unspoken” problem here.
How is this system on memory? CPU? Swap?

I use

https://www.downnotifier.com/?ref=653838

to monitor the server. There are no high-traffic sites on there. The load average is rarely as high as 0.05. I very much doubt that the memory is being stressed too much, but it is a virtual host, which if memory serves me correctly has 1 GB RAM.

https://www.downnotifier.com/?ref=653838

is configured to check a few websites once/minute. Most of the activity on the server is responding to https://www.downnotifier.com/?ref=653838 None of the sites have much traffic.

run top and take a screenshot

I am going to need to do some other things for a few days, so these web server issues will have to be put on hold. But I do use

https://www.downnotifier.com/?ref=653838

to check the site is responding correctly. That also checks for SSL certificates about to expire. Recently, they have in beta a “metric” which allows one to grab just about anything about the server that one can write a script to produce. They have an example of a load average script, so I actually run that. Here’s a graph. Also a capture from “top” as you asked.

I’m convinced any issues are not a result of an overloaded server.

Since 95% of my company’s customers are outside the UK, I am actually regretting getting a UK domain name. I might transition the website to a .com later, but I know there can be issues doing that in a way to not upset Mr. Google or Mrs. Customers.

I think I will leave this issue for now. One thing I do know is that I’m paying £10/month for this VPS with one CPU. The same company are now offering 2 CPUs, at £5/month for 6 months, then £10/month. I’m seriously thinking of just getting a server from them hosted in the USA, which will save me some money, give me an extra CPU, and also get the server where more of my customers are.

Of course, it takes time to set up new servers, and at the moment the main company website is working fine. There have been 39 outages in 2019 - some my fault, but the overall uptime is 99.99%, so I don’t think it’s working too badly.

I would like to resolve these SSL / redirect related issues, but at the minute, it is not the highest priority thing to do. Getting my company accounts in on time is a bit more important than worrying about how to react if someone misspells the domain name.

[screenshot: output of top]

The top results look good.

There is no real need to change the domain name, if all you need is better hosting.

Now that would be "better hosting" and closer to your customer base :)

I thought the “top” result is good.

I don’t think there’s anything much wrong with the hosting - a 99.99% uptime is not bad for a small company where there’s no dedicated IT department. I am the director, loo cleaner, chief scientist, webmaster…etc.

But I am not keen on the fact that the same hosting company is offering new customers a better specification for less cost. That is what is partially tempting me to change.

I realise that there’s no need to change domain name just to change the hosting. But I think having a .com would be more suitable for my customer base (mainly USA), and would do better on Google.com if it was hosted in the USA with a .com domain name.

Dave.

Well you do already have a dot com:

Maybe you could transition that one name to the new US hosting and move the others slow and easy (over time) so your Googleness doesn't "break".