CNAME secure A record not secure

Problem
My FQDN is dediserve1.jhalbrecht.net. In chrome and edge the A record https://dediserve1.jhalbrecht.net gives a not secure message, while the CNAME does not https://www.dediserve1.jhalbrecht.net

Additional background
FWIW I use this key for postfix and dovecot without error.

The virtual domains that are not this FQDN host work as expected. For instance https://rodaw.info and https://www.rodaw.info

I’m bringing up a new vm, the one documented here, to replace an old centos 6 vm that didn’t have https etc… So while dediserve1 is technically in production these aren’t my main services. I’d like to get it right before I move over my main sites.

FWIW There are A and CNAME records on the current soon to be old centos 6 site in the jhalbrecht.net domain

[root@dediserve1 sites.d]# dig www.jhalbrecht.net
[...]
;; ANSWER SECTION:
www.jhalbrecht.net.     300     IN      CNAME   dediserve0.jhalbrecht.net.
dediserve0.jhalbrecht.net. 300  IN      A       96.8.126.101

cert
https://crt.sh/?q=dediserve1.jhalbrecht.net

versions
certbot 0.20.0

CentOS Linux release 7.4.1708 (Core)

[root@dediserve1 ~]# httpd -v
Server version: Apache/2.4.6 (CentOS)
Server built:   Oct 19 2017 20:39:16
[root@dediserve1 ~]#

dig

[root@dediserve1 ~]# dig www.dediserve1.jhalbrecht.net
[...]
;; ANSWER SECTION:
www.dediserve1.jhalbrecht.net. 300 IN   CNAME   dediserve1.jhalbrecht.net.
dediserve1.jhalbrecht.net. 300  IN      A       96.8.127.20
[root@dediserve1 ~]# 
[root@dediserve1 ~]# dig -x 96.8.127.20
[...]
;; ANSWER SECTION:
20.127.8.96.in-addr.arpa. 1871  IN      PTR     dediserve1.jhalbrecht.net.
[...]
[root@dediserve1 ~]#

certbot

[root@dediserve1 ~]# certbot --version
certbot 0.20.0
[root@dediserve1 ~]# certbot --authenticator standalone --installer apache \
        -d dediserve1.jhalbrecht.net -d www.dediserve1.jhalbrecht.net \
        -d flashmobmashup.com -d www.flashmobmashup.com \
        -d flashmobmashup.net -d www.flashmobmashup.net \
        -d wiki.rodaw.com \
        -d rodaw.info -d www.rodaw.info \
        --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
[root@dediserve1 ~]# 

dediserve1.jhalbrecht.net.conf

[root@dediserve1 sites.d]# cat dediserve1.jhalbrecht.net.conf
<VirtualHost *:80>
    ServerName dediserve1.jhalbrecht.net
    ServerAlias www.dediserve1.jhalbrecht.net
    # ServerName www.dediserve1.jhalbrecht.net
    # ServerAlias dediserve1.jhalbrecht.net
    DocumentRoot /var/www/html
    # DocumentRoot /var/www/dediserve1.jhalbrecht.net
    CustomLog   /var/log/httpd/dediserve1.jhalbrecht.net_access.log combined
    ErrorLog    /var/log/httpd/dediserve1.jhalbrecht.net_error.log
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =www.dediserve1.jhalbrecht.net [OR]
#RewriteCond %{SERVER_NAME} =dediserve1.jhalbrecht.net
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
[root@dediserve1 sites.d]#

dediserve1.jhalbrecht.net-le-ssl.conf

[root@dediserve1 sites.d]# cat dediserve1.jhalbrecht.net-le-ssl.conf
<IfModule mod_ssl.c>
<VirtualHost *:443>
    # ServerName dediserve1.jhalbrecht.net
    # ServerAlias www.dediserve1.jhalbrecht.net
    ServerName www.dediserve1.jhalbrecht.net
    ServerAlias dediserve1.jhalbrecht.net
    DocumentRoot /var/www/html
    # DocumentRoot /var/www/dediserve1.jhalbrecht.net
    CustomLog   /var/log/httpd/dediserve1.jhalbrecht.net_access.log combined
    ErrorLog    /var/log/httpd/dediserve1.jhalbrecht.net_error.log
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/dediserve1.jhalbrecht.net/chain.pem
</VirtualHost>
</IfModule>
[root@dediserve1 sites.d]#

Can you show us the VirtualHost list?

apachectl -S
[root@dediserve1 sites.d]# apachectl -S
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server dediserve1.jhalbrecht.net (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost dediserve1.jhalbrecht.net (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost www.dediserve1.jhalbrecht.net (/etc/httpd/sites.d/dediserve1.jhalbrecht.net-le-ssl.conf:2)
                 alias dediserve1.jhalbrecht.net
         port 443 namevhost rodaw.info (/etc/httpd/sites.d/rodaw.info-le-ssl.conf:2)
                 alias www.rodaw.info
         port 443 namevhost wiki.rodaw.com (/etc/httpd/sites.d/wiki.rodaw.com-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server dediserve1.jhalbrecht.net (/etc/httpd/sites.d/dediserve1.jhalbrecht.net.conf:1)
         port 80 namevhost dediserve1.jhalbrecht.net (/etc/httpd/sites.d/dediserve1.jhalbrecht.net.conf:1)
                 alias www.dediserve1.jhalbrecht.net
         port 80 namevhost rodaw.info (/etc/httpd/sites.d/rodaw.info.conf:1)
                 alias www.rodaw.info
         port 80 namevhost wiki.rodaw.com (/etc/httpd/sites.d/wiki.rodaw.com.conf:1)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48
[root@dediserve1 sites.d]#

You have duplicated (partially duplicated) virtual hosts across ssl.conf and dediserve1.jhalbrecht.net-le-ssl.conf, which is why Apache still serves the self-signed certificate. You will need to consolidate them.

Nice. Thank you. I set the SSLCertificateFile and SSLCertificateKeyFile to their respective letsencrypt/live files in in the ssl.conf

I don’t recall generating a self signed cert, does httpd do that on first startup. Maybe that would be good for certbot to check?

Also my certbot version 0.20.0 seems to add an additional

Include /etc/letsencrypt/options-ssl-apache.conf

to the vhosts .confs every time I run certbot.

Not in and of itself, but the OS’s packaging scripts might have generated one when Apache was first installed.

Duplicate ones? Sounds like this bug, which should be fixed in the next release of Certbot (0.22.0). But I can’t be sure it’s not a different, similar bug.

I’m not so sure that my solution is optimal. If, in the future, I elect to assign individual certs to each domain could’t I create the conflict anew? Is there a more proper, elegant or best practice to configure ssl.conf. Initially I just commented out the SSLCertificateFile SSLCertificateKeyFile in ssl.conf. Although apachectl configtest reported no errors httpd wouldn’t start.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.