CNAME secure A record not secure

jhalbrecht · January 28, 2018, 9:38pm

Problem
My FQDN is dediserve1.jhalbrecht.net. In chrome and edge the A record https://dediserve1.jhalbrecht.net gives a not secure message, while the CNAME does not https://www.dediserve1.jhalbrecht.net

Additional background
FWIW I use this key for postfix and dovecot without error.

The virtual domains that are not this FQDN host work as expected. For instance https://rodaw.info and https://www.rodaw.info

I’m bringing up a new vm, the one documented here, to replace an old centos 6 vm that didn’t have https etc… So while dediserve1 is technically in production these aren’t my main services. I’d like to get it right before I move over my main sites.

FWIW There are A and CNAME records on the current soon to be old centos 6 site in the jhalbrecht.net domain

[root@dediserve1 sites.d]# dig www.jhalbrecht.net
[...]
;; ANSWER SECTION:
www.jhalbrecht.net.     300     IN      CNAME   dediserve0.jhalbrecht.net.
dediserve0.jhalbrecht.net. 300  IN      A       96.8.126.101

cert
https://crt.sh/?q=dediserve1.jhalbrecht.net

versions
certbot 0.20.0

CentOS Linux release 7.4.1708 (Core)

[root@dediserve1 ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Oct 19 2017 20:39:16
[root@dediserve1 ~]#

dig

[root@dediserve1 ~]# dig www.dediserve1.jhalbrecht.net
[...]
;; ANSWER SECTION:
www.dediserve1.jhalbrecht.net. 300 IN   CNAME   dediserve1.jhalbrecht.net.
dediserve1.jhalbrecht.net. 300  IN      A       96.8.127.20
[root@dediserve1 ~]# 
[root@dediserve1 ~]# dig -x 96.8.127.20
[...]
;; ANSWER SECTION:
20.127.8.96.in-addr.arpa. 1871  IN      PTR     dediserve1.jhalbrecht.net.
[...]
[root@dediserve1 ~]#

certbot

[root@dediserve1 ~]# certbot --version
certbot 0.20.0
[root@dediserve1 ~]# certbot --authenticator standalone --installer apache \
        -d dediserve1.jhalbrecht.net -d www.dediserve1.jhalbrecht.net \
        -d flashmobmashup.com -d www.flashmobmashup.com \
        -d flashmobmashup.net -d www.flashmobmashup.net \
        -d wiki.rodaw.com \
        -d rodaw.info -d www.rodaw.info \
        --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
[root@dediserve1 ~]#

dediserve1.jhalbrecht.net.conf

[root@dediserve1 sites.d]# cat dediserve1.jhalbrecht.net.conf
<VirtualHost *:80>
    ServerName dediserve1.jhalbrecht.net
    ServerAlias www.dediserve1.jhalbrecht.net
    # ServerName www.dediserve1.jhalbrecht.net
    # ServerAlias dediserve1.jhalbrecht.net
    DocumentRoot /var/www/html
    # DocumentRoot /var/www/dediserve1.jhalbrecht.net
    CustomLog   /var/log/httpd/dediserve1.jhalbrecht.net_access.log combined
    ErrorLog    /var/log/httpd/dediserve1.jhalbrecht.net_error.log
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =www.dediserve1.jhalbrecht.net [OR]
#RewriteCond %{SERVER_NAME} =dediserve1.jhalbrecht.net
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
[root@dediserve1 sites.d]#

dediserve1.jhalbrecht.net-le-ssl.conf

[root@dediserve1 sites.d]# cat dediserve1.jhalbrecht.net-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # ServerName dediserve1.jhalbrecht.net
    # ServerAlias www.dediserve1.jhalbrecht.net
    ServerName www.dediserve1.jhalbrecht.net
    ServerAlias dediserve1.jhalbrecht.net
    DocumentRoot /var/www/html
    # DocumentRoot /var/www/dediserve1.jhalbrecht.net
    CustomLog   /var/log/httpd/dediserve1.jhalbrecht.net_access.log combined
    ErrorLog    /var/log/httpd/dediserve1.jhalbrecht.net_error.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/chain.pem
</VirtualHost>
</IfModule>
[root@dediserve1 sites.d]#

_az · January 28, 2018, 10:00pm

Can you show us the VirtualHost list?

apachectl -S

jhalbrecht · January 28, 2018, 10:42pm

[root@dediserve1 sites.d]# apachectl -S
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server dediserve1.jhalbrecht.net (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost dediserve1.jhalbrecht.net (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.dediserve1.jhalbrecht.net (/etc/httpd/sites.d/dediserve1.jhalbrecht.net-le-ssl.conf:2)
                 alias dediserve1.jhalbrecht.net
         port 443 namevhost rodaw.info (/etc/httpd/sites.d/rodaw.info-le-ssl.conf:2)
                 alias www.rodaw.info
         port 443 namevhost wiki.rodaw.com (/etc/httpd/sites.d/wiki.rodaw.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server dediserve1.jhalbrecht.net (/etc/httpd/sites.d/dediserve1.jhalbrecht.net.conf:1)
         port 80 namevhost dediserve1.jhalbrecht.net (/etc/httpd/sites.d/dediserve1.jhalbrecht.net.conf:1)
                 alias www.dediserve1.jhalbrecht.net
         port 80 namevhost rodaw.info (/etc/httpd/sites.d/rodaw.info.conf:1)
                 alias www.rodaw.info
         port 80 namevhost wiki.rodaw.com (/etc/httpd/sites.d/wiki.rodaw.com.conf:1)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@dediserve1 sites.d]#

_az · January 28, 2018, 10:44pm

You have duplicated (partially duplicated) virtual hosts across ssl.conf and dediserve1.jhalbrecht.net-le-ssl.conf, which is why Apache still serves the self-signed certificate. You will need to consolidate them.

jhalbrecht · January 28, 2018, 11:20pm

Nice. Thank you. I set the SSLCertificateFile and SSLCertificateKeyFile to their respective letsencrypt/live files in in the ssl.conf

I don't recall generating a self signed cert, does httpd do that on first startup. Maybe that would be good for certbot to check?

Also my certbot version 0.20.0 seems to add an additional

Include /etc/letsencrypt/options-ssl-apache.conf

to the vhosts .confs every time I run certbot.

mnordhoff · January 28, 2018, 11:35pm

Not in and of itself, but the OS's packaging scripts might have generated one when Apache was first installed.

Duplicate ones? Sounds like this bug, which should be fixed in the next release of Certbot (0.22.0). But I can't be sure it's not a different, similar bug.

github.com/certbot/certbot

Certbot keeps adding multiple options-ssl-apache.conf includes

opened 02:53PM - 25 Jan 18 UTC

closed 04:16PM - 14 Feb 18 UTC

nilsm

bug area: apache has pr

## My operating system is (include version): Debian 8, Apache 2.4 ## I insta…lled Certbot with (certbot-auto, OS package manager, pip, etc): certbot-auto, gives me v0.21.0 ## I ran this command and it produced this output: ``` ./certbot-auto --force-renew --webroot -d domain.com -w /var/www/domain.com --installer apache ``` I chose option 2, to redirect HTTP to HTTP2. ## Certbot's behavior differed from what I expected because: Each time I run the command, certbot keeps adding another line to include the ssl options, even though it's already present in the file: ``` Include /etc/letsencrypt/options-ssl-apache.conf' ``` I've now ended up with vhost config with 6 of these include lines, in different places. The file already had the line in once, and certbot added another 5 after consecutively running the command: ``` Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf ``` ## Here is a Certbot log showing the issue (if available): ###### Logs are stored in `/var/log/letsencrypt` by default. Feel free to redact domains, e-mail and IP addresses as you see fit. ## Here is the relevant nginx server block or Apache virtualhost for the domain I am configuring: ``` <VirtualHost *:443> ServerName domain.com DocumentRoot /var/www/domain.com ErrorLog "/var/log/apache2/error.log" CustomLog "/var/log/apache2/access.log" common Include /etc/letsencrypt/options-ssl-apache.conf <Directory "/var/www/domain.com"> AllowOverride All Options MultiViews FollowSymLinks Require all granted </Directory> Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf Include /etc/letsencrypt/options-ssl-apache.conf SSLCertificateFile /etc/letsencrypt/live/domain.com/fullchain.pem SSLCertificateKeyFile /etc/letsencrypt/live/domain.com/privkey.pem Include /etc/letsencrypt/options-ssl-apache.conf </VirtualHost> ```

jhalbrecht · January 29, 2018, 12:24am

I'm not so sure that my solution is optimal. If, in the future, I elect to assign individual certs to each domain could't I create the conflict anew? Is there a more proper, elegant or best practice to configure ssl.conf. Initially I just commented out the SSLCertificateFile SSLCertificateKeyFile in ssl.conf. Although apachectl configtest reported no errors httpd wouldn't start.

system · February 28, 2018, 12:24am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.