Chrome takes the first certificate of the server instead of the good one

My domain is: ophtalink.com (and others)

Since 01/15/23, I changed my server and moved all the certificates from a 2012 MacMini to a 2020 M1 MacMini (±180).

I host Apache 2.5.54 on a MacMini M1; all works except a Chrome issue (macOS/Windows) (and perhaps Firefox sometimes on Windows, not seen by myself).

When I type in Chrome the first letters of the domain, it takes the first certificate of the server instead of the good one and says NET::ERR_CERT_COMMON_NAME_INVALID. When I reload the page, it takes the good one! Sometimes I have to quit and relaunch Chrome 3 or 4 times to see the error, sometimes it works well the first time :frowning: On Windows, it seems to be systematic.

On macOS, I see that only on Chrome (never on Safari, Brave, Firefox, Edge, Opera on macOS).

As a workaround, I put all the certificates in the first one; it works but is limited to 100 domains :frowning: so certain ones such as ophtalink.com continue to have the issue.

I thought it was an issue of Apple Apache M1 or Certbot, but I finally have the same issue on my old Intel server too, on the Homebrew Apache version too.

I saw that Chrome was updated the other day but the issue is still there.

All the website SSL checkers say the domain security is OK and I don't find anything about this issue on the web.

It is a nightmare so please help :slight_smile:

Your TLS config looks messy. SSL Server Test: www.ophtalink.com (Powered by Qualys SSL Labs)

Check https://ssl-config.mozilla.org and see if you really need all that legacy stuff.

4 Likes

Thx

What do you mean by check? As I simply do "sudo certbot --apache" to create the certificate?

I just need that it works well :slight_smile:

1 Like

The certificates you have are fine.

I mean, check if your clients are so old that you need to configure your server that way.

4 Likes

Clients? The issue is with the last version of Chrome on macOS and Windows...

Using the online tool SSL Checker shows "It's all good. We have not detected any issues."
https://decoder.link/sslchecker/ophtalink.com/443

This is what I presently see for the Certificate

$ openssl s_client -showcerts -servername ophtalink.com -connect ophtalink.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ophtalink.fr
verify return:1
---
Certificate chain
 0 s:CN = ophtalink.fr
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 27 20:29:53 2023 GMT; NotAfter: Apr 27 20:29:52 2023 GMT
-----BEGIN CERTIFICATE-----
[PEM body removed]
-----END CERTIFICATE-----
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
-----BEGIN CERTIFICATE-----
[PEM body removed]
-----END CERTIFICATE-----
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
-----BEGIN CERTIFICATE-----
[PEM body removed]
-----END CERTIFICATE-----
---
Server certificate
subject=CN = ophtalink.fr
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4730 bytes and written 408 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 358AF4F70BF86FAE239DEF0532C8937946CA968E219AF0C51D172F898AD56BAF
    Session-ID-ctx:
    Master-Key: 29733C6EF1BBE06906E47F2A1A1CB48D18111D2DB800D4DE6B77C4EF9ABC07BE2CAC1957E06498E8D52DE67C299D1D9E
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - d6 26 13 ed c3 7c ff 62-44 00 0b 61 32 5e f5 a9   .&...|.bD..a2^..
    0010 - a0 b5 1d b5 4a 43 95 fa-10 50 71 a9 68 07 6f 4e   ....JC...Pq.h.oN
    0020 - 49 e4 6a 5c 40 6d b9 4f-e7 2d 9e bf 2f 38 56 a0   I.j\@m.O.-../8V.
    0030 - 06 b6 16 d4 8e 49 18 49-81 71 23 ab b2 75 8d ad   .....I.I.q#..u..
    0040 - 5e fa 1b 2d f2 73 c7 43-f8 7e 14 26 f9 76 26 b7   ^..-.s.C.~.&.v&.
    0050 - 19 15 99 e0 45 fb 8c eb-28 ab a8 58 36 b0 71 8d   ....E...(..X6.q.
    0060 - b2 e2 ed 40 b4 2a e2 7a-2b 34 d9 1a b0 e8 4a c3   ...@.*.z+4....J.
    0070 - c2 0d a4 b7 cc ef 72 94-51 14 40 8f 39 9f 14 ad   ......r.Q.@.9...
    0080 - cb c9 aa aa 34 c5 3f c8-f5 d7 57 f9 93 fa 66 ad   ....4.?...W...f.
    0090 - 4d be 20 43 e2 8b 30 03-87 94 bf 85 f1 c9 6a 91   M. C..0.......j.
    00a0 - 34 8b 16 09 93 ba 65 1c-7f f5 d3 df c5 47 08 4d   4.....e......G.M
    00b0 - 8c be e3 68 aa 65 5c 05-cf 29 11 3b f8 18 06 f4   ...h.e\..).;....
    00c0 - d5 f3 d5 5f 15 02 4e 57-90 37 0f 5e 0a 0b ca 6b   ..._..NW.7.^...k

    Start Time: 1676137602
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
DONE
1 Like
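The openssl s_client check above looks at one name at a time and only with SNI set. The script below, an added example that is not code from the thread or from Apache/certbot, repeats that check for a list of hostnames both with SNI and with no SNI at all (the no-SNI answer is the certificate of the first vhost for that address:port, i.e. the "first certificate" the thread is about), and then tests whether the served certificate's dNSName SANs actually cover the name that was requested. The hostname list in main() is constructed from names that appear in the thread; san_covers() implements the usual DNS-ID matching rules (exact match, or one wildcard as the whole left-most label), and verdict() is a hypothetical helper that labels the result the way Chrome would report it.

```python
"""Audit which leaf certificate a TLS server hands out per hostname, with and
without SNI, and whether it covers the requested name.
Added example; not from the original thread, Apache or certbot.
"""
import socket
import ssl
from typing import Dict, Iterable, List, Optional


def san_covers(hostname: str, san_names: Iterable[str]) -> bool:
    """True if some dNSName matches hostname the way browsers compare them."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            # "*.example.com" matches "www.example.com" but neither
            # "example.com" nor "a.b.example.com".
            suffix = name[1:]
            if host.endswith(suffix) and host.count(".") == name.count("."):
                return True
    return False


def verdict(requested: str, cert_info: Dict) -> str:
    """Classify a served certificate against the name the client asked for."""
    if san_covers(requested, cert_info.get("dnsNames", ())):
        return "OK"
    # This is the situation Chrome reports as NET::ERR_CERT_COMMON_NAME_INVALID.
    return "MISMATCH: served cert for %s does not cover %s" % (
        cert_info.get("commonName"), requested)


def leaf_cert_names(host: str, port: int = 443, sni: Optional[str] = None,
                    timeout: float = 5.0) -> Dict:
    """Connect and return the leaf certificate's CN, dNSName SANs and expiry.

    sni=None sends no server_name extension. The chain is still verified
    against the system trust store; only the hostname check is disabled,
    because we want to see a mismatching certificate rather than abort.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED   # keep chain verification on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            cert = tls.getpeercert()
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    common_name = next((value for rdn in cert.get("subject", ())
                        for key, value in rdn if key == "commonName"), None)
    return {"commonName": common_name, "dnsNames": dns_names,
            "notAfter": cert.get("notAfter")}


def audit(hostnames: Iterable[str], port: int = 443) -> List[Dict]:
    """Fetch with and without SNI for every name and attach a verdict each."""
    report = []
    for name in hostnames:
        entry = {"host": name}
        for label, sni in (("with_sni", name), ("no_sni", None)):
            try:
                info = leaf_cert_names(name, port, sni=sni)
                entry[label] = {"cert": info, "verdict": verdict(name, info)}
            except (OSError, ssl.SSLError) as exc:
                entry[label] = {"error": str(exc)}
        report.append(entry)
    return report


if __name__ == "__main__":
    # Constructed list using names that appear in the thread.
    for entry in audit(["ophtalink.com", "www.ophtalink.com", "ophtalink.fr"]):
        print(entry["host"])
        for label in ("with_sni", "no_sni"):
            r = entry[label]
            print("  %-9s %s" % (label, r.get("verdict") or r.get("error")))
```

If every name reports OK with SNI but MISMATCH without it, the certificates and the SNI-based vhost selection are fine and the question becomes why a given client sometimes sends a handshake that does not select the expected vhost; if a name reports MISMATCH even with SNI, the vhost for that ServerName/ServerAlias is not being matched at all.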

And this is what I see with Windows Chrome Version 110.0.5481.78 (Official Build) (64-bit)

1 Like

Given below, I suggest sticking with Mozilla Firefox for your web site.

And this is what I see with Windows Firefox 109.0.1 (64-bit)

1 Like

I also find it confusing that you go to all the effort to use https://www.libressl.org/ and yet have so many weaker cipher suites in use: SSL Server Test: ophtalink.com (Powered by Qualys SSL Labs)

From below: Server: Apache/2.4.54 (Unix) LibreSSL/3.3.6

$ curl -Ii https://www.ophtalink.com/
HTTP/1.1 403 Forbidden
Date: Sat, 11 Feb 2023 18:30:27 GMT
Server: Apache/2.4.54 (Unix) LibreSSL/3.3.6
Content-Type: text/html; charset=iso-8859-1
1 Like

LibreSSL is the default OpenSSL-compatible TLS library under macOS. The Apache from Apple's OSS distro also builds with it.

4 Likes

Yeah, I thought they use LibreSSL 2.8.3 (Apple). Guess that's why I didn't think macOS; my bad. :frowning:
So 3.3.6 seems kind of newer; not as new as what OpenBSD uses.

2 Likes

Hello!

First of all, many thanks for investigating :slight_smile:

Perhaps I could use some better SSL software / library / version with Homebrew? I'm not a senior system admin so I don't know the SSL mechanisms so well; I thought it could be a server SSL cache issue, but not much more.

What do you think about the fact that when you reload the page it works well, and that sometimes on macOS I have to relaunch Chrome 3 times before seeing the issue?

Could you give me some advice to test ?

2 Likes

I tried to install Homebrew LibreSSL and OpenSSL but macOS refuses to link to the new version; it's 3.3.6 against the new 3.6.2.

I updated macOS from Ventura 3.1 to 3.2; openssl is now:

OpenSSL 3.0.8 7 Feb 2023 (Library: OpenSSL 3.0.8 7 Feb 2023)

I recreated the certificates for the domain, but the issue is still there :frowning:

The issue is not with your certificates.

The issue is (most probably) with your apache config.

Backup your current apache ssl configuration and try this one: Mozilla SSL Configuration Generator

4 Likes

Absolutely Excellent advice!!! :100:

2 Likes

Who are www.eliis.fr and olivieranicet.com?

1 Like

Other domains. As a workaround, I put the maximum number of certificates in the first one so Chrome works well; the issue is that it takes the first one instead of the right one (1 time out of 3 or 4) when I launch Chrome.

I would like to do the same with ophtalink.com but I reach the limit of 100 domains in a single certificate...

I followed the advice of the Apache config generator but always the same issue :frowning:

I had these lines in the main config:

SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:EC$
SSLHonorCipherOrder off
SSLSessionTickets off
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"

I removed these lines that are not in the config generator:

#SSLSessionCache "dbm:/usr/local/apache/logs/ssl_gcache_data"
#SSLSessionCache "shmcb:/usr/local/apache/logs/ssl_gcache_data(512000)"
#SSLStrictSNIVHostCheck on
#SSLVerifyDepth 10
#SSLOptions +StrictRequire

I removed from each vHost:

#SSLProtocol all -SSLv2 -SSLv3
#SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:E$
#SSLHonorCipherOrder off
#SSLCompression off

I noticed an internal error in letsencrypt.log but with no GUI notice:

2023-02-12 22:31:37,552:DEBUG:certbot_apache._internal.configurator:[Errno 2] No such file or directory: '/etc/apache2/libexec/apache2/mod_ssl.so'
Traceback (most recent call last):
File "/opt/homebrew/Cellar/certbot/2.2.0/libexec/lib/python3.11/site-packages/certbot_apache/_internal/configurator.py", line 297, in _open_module_file
with open(ssl_module_location, mode="rb") as f:
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/etc/apache2/libexec/apache2/mod_ssl.so'
2023-02-12 22:31:37,554:WARNING:certbot_apache._internal.configurator:Unable to read ssl_module file; not disabling session tickets.
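Since the thread turns on which vhost's certificate Apache sends, here is an added example of the mechanism itself; it is not the poster's configuration and not a diagnosis of their setup. Apache answers a TLS handshake with the certificate of the first <VirtualHost> bound to the same address:port whenever the ClientHello carries no SNI name, or a name that matches no ServerName/ServerAlias. Declaring that first vhost explicitly, with a certificate that belongs to no real site, keeps a production certificate out of the fallback role and makes a mismatch easy to recognise. The domain names are taken from the thread; the certificate paths, the "default.invalid" name and the use of SSLStrictSNIVHostCheck are assumptions for this example.

```apache
Listen 443

# 1. Deliberate catch-all. It is first for *:443, so it is what a client
#    gets when its SNI matches nothing (or when it sends no SNI at all).
#    Paths are placeholders.
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /path/to/fallback/fullchain.pem
    SSLCertificateKeyFile /path/to/fallback/privkey.pem
    # Never serve site content from the fallback.
    <Location />
        Require all denied
    </Location>
</VirtualHost>

# 2. Real sites, one certificate each, selected by the SNI name.
#    Every hostname that browsers will use must be in ServerName or
#    ServerAlias, or SNI will not select this vhost.
<VirtualHost *:443>
    ServerName ophtalink.com
    ServerAlias www.ophtalink.com
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/ophtalink.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ophtalink.com/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName ophtalink.fr
    ServerAlias www.ophtalink.fr
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/ophtalink.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ophtalink.fr/privkey.pem
</VirtualHost>

# 3. Optional, server-wide: refuse clients that send no SNI at all (they
#    get a 403) instead of silently handing them the fallback vhost.
SSLStrictSNIVHostCheck on
```

With this layout, `openssl s_client -servername ophtalink.com` should show CN/SAN for ophtalink.com, and the same command without `-servername` should show default.invalid (or a 403 with SSLStrictSNIVHostCheck on); a production name turning up in the no-SNI answer means that site's vhost is sitting in the fallback position.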