Checking an SSL website - two tools give very different results

I’m not sure what you mean by the “main file”.

What determines that kirbymicrowave.co.uk is served if just an IP address is given? Alphabetically it is neither the first nor the last domain.

I’d be a bit concerned if any misconfigured domain happens to go to my company website, as Google might see it as spamming.

Dave

The main conf is: /etc/apache2/apache2.conf
Changing the “servername” there won’t affect any of the sites nor your Google ratings.
[You could use “localhost” there without any issue]
[each vhost has its own “servername” directive]
[this change should not affect your email system]

You could also include a directive “default” in the vhost for “www.kirkbymicrowave.co.uk”:
ServerName _default_

I’m thinking it may be more of an alphabetized conf file ordering…
Please show:
ls -l /etc/apache2/sites-enabled/

Hi @drkirkby

read the output.

Ssllabs checks only kirbymicrowave.co.uk.

Check-your-website checks both domain names, non-www and www. And the www has the wrong certificate:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://kirbymicrowave.co.uk/ 109.228.58.153 | 302 | https://www.kirkbymicrowave.co.uk/ Html is minified: 100,00 % | 0.073 | E |
| http://www.kirbymicrowave.co.uk/ 109.228.58.153 | 302 | https://www.kirkbymicrowave.co.uk/ Html is minified: 100,00 % | 0.074 | E |
| https://kirbymicrowave.co.uk/ 109.228.58.153 | 302 | https://www.kirkbymicrowave.co.uk/ Html is minified: 100,00 % | 3.503 | B |
| https://www.kirbymicrowave.co.uk/ 109.228.58.153 | 302 | https://www.kirkbymicrowave.co.uk/ Html is minified: 100,00 % | 3.520 | N |
Certificate error: RemoteCertificateNameMismatch

The www version uses (part connections and certificates)

CN=kirbymicrowave.co.uk
	22.11.2019
	20.02.2020
expires in 89 days	kirbymicrowave.co.uk - 1 entry

so that certificate has only one domain name without www -> Certificate Error.

The last configuration file in the following list does not contain vhosts associated with kirbymicrowave.co.uk, but instead with kirkbymicrowave.co.uk.

root@localhost:/etc/apache2/sites-enabled# ls -l /etc/apache2/sites-enabled/
total 4
lrwxrwxrwx 1 root root 35 Jun 9 2018 000-default.conf -> …/sites-available/000-default.conf
lrwxrwxrwx 1 root root 36 Jul 1 2018 dhars.org.uk.conf -> …/sites-available/dhars.org.uk.conf
lrwxrwxrwx 1 root root 35 Nov 21 21:12 g8wrb.co.uk.conf -> …/sites-available/g8wrb.co.uk.conf
lrwxrwxrwx 1 root root 44 Jun 16 14:26 KIRBYMICROWAVE.co.uk.conf -> …/sites-available/KIRBYMICROWAVE.co.uk.conf
lrwxrwxrwx 1 root root 61 Nov 22 19:47 KIRBYMICROWAVE.co.uk-le-ssl.conf -> /etc/apache2/sites-available/KIRBYMICROWAVE.co.uk-le-ssl.conf
lrwxrwxrwx 1 root root 43 Jun 16 14:12 kirkbymicrowave.com.conf -> …/sites-available/kirkbymicrowave.com.conf
lrwxrwxrwx 1 root root 55 Jun 16 00:11 kirkbymicrowave.co.uk.conf -> /etc/apache2/sites-available/kirkbymicrowave.co.uk.conf

What are you suggesting I change in
/etc/apache2/apache2.conf ? I don’t see any default server name there.

I do see this line. I’m not sure what it does, but it looks like it might be relevant.

######## Try SNI
SSLStrictSNIVHostCheck off

PS: And the solution is simple:

You have certificates with one domain name:

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let’s Encrypt Authority X3 | 2019-11-22 | 2020-02-20 | kirbymicrowave.co.uk - 1 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-11-22 | 2020-02-20 | www.kirbymicrowave.co.uk - 1 entries | duplicate nr. 3 | |
| Let’s Encrypt Authority X3 | 2019-11-22 | 2020-02-20 | www.kirbymicrowave.co.uk - 1 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-11-22 | 2020-02-20 | kirbymicrowave.co.uk - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-11-18 | 2020-02-16 | www.kirbymicrowave.co.uk - 1 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-10-13 | 2020-01-11 | www.kirbymicrowave.co.uk - 1 entries | | |

So create vHosts with two domain names (non-www + www) and certificates with two domain names (non-www + www).

That reduces the number of vHosts you have.

If there is any line with "servername"

The "first file" in that folder becomes the default:

when no default is explicitly defined.

Not 100% certain how to explicitly define one...
The simplest solution is to choose the file that contains the servername you want to be the default and rename the link to that file as something that would come alphabetically before 000-default.conf
[keeping the .conf ending]

If I put two virtual hosts in the one certificate, how does one reduce the number of virtual hosts? I just assumed two of them would both use the one certificate. Can one virtual host be used for both the www and the non-www ServerName?

Probably this one:

If so, you can use:

unlink /etc/apache2/sites-enabled/kirkbymicrowave.co.uk.conf
# ln -s takes the existing target first, then the name of the new link
ln -s /etc/apache2/sites-available/kirkbymicrowave.co.uk.conf /etc/apache2/sites-enabled/00000-kirkbymicrowave.co.uk.conf

If you use two "servername" directives in one file.
ServerName domain.com
ServerName www.domain.com
[both in one file]
Then get one cert with both names in it.

You can do that for all 4 names if you like
Or for the 3 names you don't want to use. And send those to the one name you do want.
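
As an added illustration (not code from any poster in this thread), the sketch below orders the file names from the listing above the way Apache's wildcard Include does, by plain byte comparison, and reports which file supplies the first-loaded, and therefore default, vhost for each address:port. The `<VirtualHost>` lines are constructed, because the thread never shows what each file declares.

```python
import re

# File names are from the ls listing in the thread, with the proposed
# 00000- link in place of kirkbymicrowave.co.uk.conf. The <VirtualHost>
# lines are constructed for illustration only.
ENABLED = {
    "000-default.conf": "<VirtualHost *:80>",
    "dhars.org.uk.conf": "<VirtualHost *:80>",
    "g8wrb.co.uk.conf": "<VirtualHost *:80>",
    "KIRBYMICROWAVE.co.uk.conf": "<VirtualHost *:80>",
    "KIRBYMICROWAVE.co.uk-le-ssl.conf": "<VirtualHost *:443>",
    "kirkbymicrowave.com.conf": "<VirtualHost *:80>",
    "00000-kirkbymicrowave.co.uk.conf": "<VirtualHost *:80>\n<VirtualHost *:443>",
}

def load_order(names):
    """Order in which a wildcard Include reads files: byte comparison,
    so '-' < digits < 'A-Z' < 'a-z', unlike a locale-aware ls listing."""
    return sorted(names, key=lambda n: n.encode("utf-8"))

def default_vhosts(files):
    """Map each address:port to the file holding its first-loaded vhost,
    the one Apache falls back to when no ServerName or ServerAlias matches."""
    defaults = {}
    for name in load_order(files):
        for args in re.findall(r"<VirtualHost\s+([^>]+)>", files[name], re.I):
            for addr in args.split():
                defaults.setdefault(addr, name)
    return defaults

if __name__ == "__main__":
    for name in load_order(ENABLED):
        print(name)
    print(default_vhosts(ENABLED))
```

Because `-` sorts before `0` byte-wise, `000-default.conf` is still read ahead of the `00000-` link, and the upper-case `KIRBYMICROWAVE` files are read before every lower-case name. The default is tracked per address:port, so the port 80 and port 443 fallbacks can come from different files.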

Yes. That reduces the number of vHosts. One vHost -> one certificate.

ServerName non-www
ServerAlias www

(or changed).

Use

apachectl -S

to check that configuration.
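
The name mismatch discussed in this thread can be checked before a vhost goes live. The following is an added example, not code from the thread: it collects the ServerName and ServerAlias values of a vhost and lists those that a given certificate name list would not cover. The vhost text is constructed from the thread's domain names, and the certificate name lists are passed in by hand rather than read from a real certificate.

```python
import re

# Constructed vhost, using the thread's names in the ServerName/ServerAlias
# layout suggested above. Not taken from the poster's server.
VHOST = """
<VirtualHost *:443>
    ServerName kirbymicrowave.co.uk
    ServerAlias www.kirbymicrowave.co.uk
    SSLEngine on
</VirtualHost>
"""

def vhost_names(conf):
    """Collect ServerName and every ServerAlias value from a vhost block."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line, re.I)
        if m:
            # Drop an optional :port suffix; ServerAlias may list several names.
            names += [n.split(":")[0].lower() for n in m.group(1).split()]
    return names

def san_matches(host, san):
    """Compare a host name with one certificate dNSName entry. A leading
    '*' label stands for exactly one label, so it never covers the apex."""
    h = host.lower().rstrip(".").split(".")
    s = san.lower().rstrip(".").split(".")
    if len(h) != len(s):
        return False
    return h[1:] == s[1:] and s[0] in ("*", h[0])

def uncovered(conf, cert_sans):
    """Names the vhost answers for that the certificate would not validate."""
    return [n for n in vhost_names(conf)
            if not any(san_matches(n, s) for s in cert_sans)]

if __name__ == "__main__":
    # Certificate with the apex only, as in the thread's certificate list.
    print(uncovered(VHOST, ["kirbymicrowave.co.uk"]))
    # Certificate issued for both names.
    print(uncovered(VHOST, ["kirbymicrowave.co.uk", "www.kirbymicrowave.co.uk"]))
```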

I still feel there is some… “unspoken” problem here.
How is this system on memory? CPU? Swap?

I use

https://www.downnotifier.com/?ref=653838

to monitor the server. There are no high-traffic sites on there. The load average is rarely as high as 0.05. I very much doubt that the memory is being stressed too much, but it is a virtual host, which if memory serves me correctly has 1 GB RAM.

https://www.downnotifier.com/?ref=653838

is configured to check a few websites once/minute. Most of the activity on the server is responding to https://www.downnotifier.com/?ref=653838 None of the sites have much traffic.

run top and take a screenshot

I am going to need to do some other things for a few days, so these web server issues will have to be put on hold. But I do use

https://www.downnotifier.com/?ref=653838

to check the site is responding correctly. That also checks for SSL certificates about to expire. Recently, they have in beta a “metric” which allows one to grab just about anything about the server that one can write a script to produce. They have an example of a load average script, so I actually run that. Here’s a graph. Also a capture from “top” as you asked.

I’m convinced any issues are not a result of an overloaded server.

Since 95% of my company’s customers are outside the UK, I am actually regretting getting a UK domain name. I might transition the website to a .com later, but I know there can be issues doing that in a way to not upset Mr. Google or Mrs. Customers.

I think I will leave this issue for now. One thing I do know is that I’m paying £10/month for this VPS with one CPU. The same company are now offering 2 CPUs, at £5/month for 6 months, then £10/month. I’m seriously thinking of just getting a server from them hosted in the USA, which will save me some money, give me an extra CPU, and also get the server where more of my customers are.

Of course, it takes time to set up new servers, and at the moment the main company website is working fine. There have been 39 outages in 2019 - some my fault, but the overall uptime is 99.99%, so I don’t think it’s working too badly.

I would like to resolve these SSL / redirect related issues, but at the minute, it is not the highest priority thing to do. Getting my company accounts in on time is a bit more important than worrying about how to react if someone misspells the domain name.

Screenshot-80

The top results look good.

There is no real need to change the domain name, if all you need is better hosting.

Now that would be "better hosting" and closer to your customer base :slight_smile:

I thought the “top” result is good.

I don’t think there’s anything much wrong with the hosting - a 99.99% uptime is not bad for a small company where there’s no dedicated IT department. I am the director, loo cleaner, chief scientist, webmaster…etc.

But I am not keen on the fact that the same hosting company is offering new customers a better specification for less cost. That is what is partially tempting me to change.

I realise that there’s no need to change domain name just to change the hosting. But I think having a .com would be more suitable for my customer base (mainly USA), and would do better on Google.com if it was hosted in the USA with a .com domain name.

Dave.

Well you do already have a dot com:

Maybe you could transition that one name to the new US hosting and move the others slow and easy (over time) so your Googleness doesn't "break".

I would need to find the best way to do a transition of domain name.

My initial thought was to copy the site, change references to .com, but hide from Google, but check uptime over a month to ensure that the server is stable. Then perform a permanent redirect from .co.uk to .com.

I expect that I will find information on the web about the best way to do it.

Dave


All references within a site should exclude the name [and be self-referencing].
So (for example) anything explicit:
<img src="http://my.domain/image.jpg">
becomes just:
<img src="/image.jpg">
