CN defaults to main host cert instead of name-virtualhost cert


#1

Hi,

Not sure if this is the right place to ask, but if I use openssl s_client -connect host:443 when the host is a virtual hostname behind a common IP, the CN is always the main hostname and not the host I am checking on.

For example: I have bic.nus.edu.sg which has an IP address 137.132.19.100. It has its own cert in /etc/letsencrypt/live/bic.nus.edu.sg.

Then I have biomolfrontiers.nus.edu.sg which is a name-virtualhost and also points to 137.132.19.100; apache knows to point it to its own document root based on the hostname. It also has its own cert in /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg.

When I run this from the command line:

    openssl s_client -connect biomolfrontiers.nus.edu.sg:443

the CN refers to the main bic.nus.edu.sg cert. I googled and found I need to add the -servername argument to get it to refer to the biomolfrontiers cert:

    openssl s_client -servername biomolfrontiers.nus.edu.sg -connect biomolfrontiers.nus.edu.sg:443

However, it's still referring to the main bic.nus.edu.sg cert.

If the different domains have different IPs on the same machine then it's fine. It's only when all the domains point to the same IP that there is an issue.

I'm unsure if this is just for LE certs only or it's a generic problem. If it's generic I apologize for posting here. The servers I tested the command on are all the latest linux from Slackware to Ubuntu - all return the CN of the main host and not the name-virtualhost.

Thank you.
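The check described in this post, done in Python instead of openssl s_client, as an added example that is not part of the original post: it connects once without SNI (like `-connect` alone) and once with SNI set to the hostname (like `-servername`), and reports the CN and DNS SANs of the leaf certificate each time. It assumes the target is reachable on port 443 and its certificate chains to a CA in the local trust store, which is true for Let's Encrypt certificates; hostname checking is deliberately off so that a certificate for the wrong name is reported rather than raising an error.

```python
"""Show which leaf certificate a TLS server presents with and without SNI.

Added example; not from the thread. Assumes a reachable host:port whose
certificate chains to a CA in the local trust store (as Let's Encrypt
certificates do). Hostname checking is switched off on purpose so that a
certificate for the "wrong" name is reported instead of raising an error.
"""
import json
import socket
import ssl
import sys
from typing import Optional


def describe_cert(cert: dict) -> dict:
    """Reduce the dict returned by SSLSocket.getpeercert() to CN and DNS SANs."""
    common_name = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                common_name = value
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {"commonName": common_name, "dnsNames": dns_names}


def covers(summary: dict, hostname: str) -> bool:
    """True if the certificate names hostname (SANs first, CN as legacy fallback)."""
    names = set(summary["dnsNames"])
    if summary["commonName"]:
        names.add(summary["commonName"])
    hostname = hostname.lower()
    for name in names:
        name = name.lower()
        if name == hostname:
            return True
        # single-label wildcard: *.example.org covers www.example.org, not a.b.example.org
        if (name.startswith("*.") and hostname.count(".") == name.count(".")
                and hostname.endswith(name[1:])):
            return True
    return False


def fetch_cert(host: str, port: int = 443, sni: Optional[str] = None,
               timeout: float = 10.0) -> dict:
    """Connect and return the leaf certificate the server chose.

    sni=None sends no Server Name Indication, like `openssl s_client -connect`
    without -servername; sni=host matches `-servername host`.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False            # report a mismatch rather than fail on it
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain is still verified, so getpeercert() is populated
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return describe_cert(tls.getpeercert())


def compare(host: str, port: int = 443) -> dict:
    """Certificates seen without SNI and with SNI set to host, plus whether SNI worked."""
    without = fetch_cert(host, port, sni=None)
    with_sni = fetch_cert(host, port, sni=host)
    return {
        "without_sni": without,
        "with_sni": with_sni,
        "sni_honoured": covers(with_sni, host),   # False => the wrong vhost answered
    }


if __name__ == "__main__":
    # usage: python sni_probe.py biomolfrontiers.nus.edu.sg
    print(json.dumps(compare(sys.argv[1]), indent=2))
```

With a correctly configured name-based vhost, `without_sni` shows whichever vhost is the default for that address:port and `with_sni` shows the certificate for the requested name, so `sni_honoured` is the single value to watch: if it is false even though the server has a certificate for that name, the server is choosing the wrong vhost, which is exactly the symptom in this thread.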


#2

This is in all likelihood a problem with your apache configuration. Would you mind sharing both of your <VirtualHost> config files?

You’ll want to make sure that the SSL directives for your biomolfrontiers.nus.edu.sg vhost are pointing to the certificates in /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg, and the ones for bic.nus.edu.sg should point to /etc/letsencrypt/live/bic.nus.edu.sg. The ServerName directives need to be set correctly as well.


#3

Yes the main is pointing to its own cert and biomolfrontiers is pointing to its own as well in the config files:

For main BIC:

    <VirtualHost _default_:443>
            ServerName bic.nus.edu.sg
            ServerAdmin sysadmin@bic.nus.edu.sg
            DocumentRoot /var/www/vhosts/corp/htdocs
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
            SSLEngine on
            SSLCertificateFile      /etc/letsencrypt/live/bic.nus.edu.sg/cert.pem
            SSLCertificateKeyFile   /etc/letsencrypt/live/bic.nus.edu.sg/privkey.pem
            SSLCertificateChainFile /etc/letsencrypt/live/bic.nus.edu.sg/chain.pem
            <FilesMatch "\.(cgi|shtml|phtml|php)$">
                            SSLOptions +StdEnvVars
            </FilesMatch>
    </VirtualHost>

And for NVH biomolfrontiers:

    <VirtualHost *:443>
        ServerName biomolfrontiers.nus.edu.sg
        ServerAlias www.biomolfrontiers.nus.edu.sg
        ServerAdmin sysadmin@bic.nus.edu.sg
        DocumentRoot /var/www/vhosts/biomolfrontiers/htdocs
        ErrorLog ${APACHE_LOG_DIR}/biomol-error.log
        CustomLog ${APACHE_LOG_DIR}/biomol-access.log combined

        SSLEngine on
        SSLCertificateFile      /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/cert.pem
        SSLCertificateKeyFile   /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/chain.pem

        <FilesMatch "\.(cgi|shtml|phtml|php)$">
           SSLOptions +StdEnvVars
        </FilesMatch>
    </VirtualHost>

#5

I think it's somehow resolving the host.domain to IP and then getting the cert of that IP which is the main host. The -servername is supposed to fix that from what I read, but it doesn't seem to be working.


#6

Apache doesn’t seem to think that the biomolfrontiers.nus.edu.sg vhost is what should be used to serve that domain - it’s going with the bic.nus.edu.sg vhost instead. You can verify this by simply visiting the site via HTTPS - it’ll show the same content, while you’ll see something else via HTTP. For all intents and purposes, think about this as an apache configuration issue, nothing related to certificates.

I’m not entirely certain whether that _default_:443 in your first vhost is correct here - maybe try changing that to *:443 as well. You’ll probably want to make sure that you have a NameVirtualHost *:443 somewhere in your apache configuration (I think it should be in /etc/apache2/ports.conf on Debian/Ubuntu, not sure about others).
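A small lint that encodes the checks made in this reply, as an added example (not the poster's tooling and not anything shipped with Apache): it parses the two `<VirtualHost>` blocks from post #3 (reproduced below, abridged) and reports vhosts on the same port that bind different addresses (the `_default_:443` beside `*:443` case), 443 vhosts without `SSLEngine on`, certificate paths whose Let's Encrypt lineage directory does not match the `ServerName`, and names claimed by two vhosts. The directive names are real Apache ones; the lineage-directory naming is the Let's Encrypt convention already used in the thread.

```python
"""Lint Apache TLS vhosts for the mis-selection seen in this thread.

Added example, not the poster's configuration tooling or anything shipped
with Apache. It checks the rules post #6 relies on: vhosts that should be
chosen by name must share one address:port (a _default_:443 beside a *:443
is flagged), every 443 vhost needs SSLEngine on and certificate files from
the Let's Encrypt lineage matching its ServerName, and no name may be
claimed twice. The sample below is the thread's two vhosts, abridged.
"""
import re
from collections import defaultdict

# Constructed sample: the two vhosts from post #3 with admin/logging lines trimmed.
SAMPLE_CONFIG = r"""
<VirtualHost _default_:443>
    ServerName bic.nus.edu.sg
    DocumentRoot /var/www/vhosts/corp/htdocs
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/bic.nus.edu.sg/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/bic.nus.edu.sg/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/bic.nus.edu.sg/chain.pem
    <FilesMatch "\.(cgi|shtml|phtml|php)$">
        SSLOptions +StdEnvVars
    </FilesMatch>
</VirtualHost>

<VirtualHost *:443>
    ServerName biomolfrontiers.nus.edu.sg
    ServerAlias www.biomolfrontiers.nus.edu.sg
    DocumentRoot /var/www/vhosts/biomolfrontiers/htdocs
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/biomolfrontiers.nus.edu.sg/chain.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
LINEAGE_RE = re.compile(r"/etc/letsencrypt/live/([^/]+)/")


def parse_vhosts(text):
    """Return [{'address': 'addr:port', 'directives': {lowercase name: [values]}}]."""
    vhosts = []
    for match in VHOST_RE.finditer(text):
        directives = defaultdict(list)
        for line in match.group(2).splitlines():
            line = line.strip()
            if not line or line.startswith(("#", "<")):   # skip comments and nested sections
                continue
            parts = line.split(None, 1)
            directives[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
        vhosts.append({"address": match.group(1).strip(), "directives": directives})
    return vhosts


def lint(text):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    by_port = defaultdict(list)   # port -> [(address, label)]
    owners = {}                   # hostname -> label of the vhost that claimed it first
    for vh in parse_vhosts(text):
        d = vh["directives"]
        address, _, port = vh["address"].rpartition(":")
        server_name = d.get("servername", [""])[0]
        label = server_name or vh["address"]
        by_port[port].append((address, label))
        if not server_name:
            findings.append(f"{label}: no ServerName, so SNI can never select this vhost")
            continue
        for alias_line in [server_name] + d.get("serveralias", []):
            for name in alias_line.split():
                if name in owners:
                    findings.append(f"{label}: {name} is already served by {owners[name]}")
                owners.setdefault(name, label)
        if port != "443":
            continue
        if d.get("sslengine", [""])[0].lower() != "on":
            findings.append(f"{label}: listens on 443 without SSLEngine on")
        for directive in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            values = d.get(directive.lower())
            if not values:
                findings.append(f"{label}: missing {directive}")
                continue
            lineage = LINEAGE_RE.search(values[0])
            if lineage and lineage.group(1) != server_name:
                findings.append(f"{label}: {directive} points at lineage {lineage.group(1)}")
    for port, entries in by_port.items():
        addresses = sorted({address for address, _ in entries})
        if len(addresses) > 1:
            findings.append(f"port {port}: vhosts bind different addresses {addresses}; "
                            "name-based selection needs one shared address:port")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports only the mixed `_default_`/`*` binding on port 443; replacing `_default_:443` with `*:443`, the change that resolved the thread, leaves no findings. Point it at your own vhost files (`lint(open(path).read())`) after any change and before `apachectl configtest`, since `configtest` accepts a configuration that serves the wrong certificate.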


#7

You are right!

I changed the default to * and that fixed it. Command line now shows CN as biomolfrontiers.nus.edu.sg with the -servername argument.

My apologies for the non-LE-based question.

Thank you!


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.