Deleted certificate shows in SSL Server Test

Kaplan · February 14, 2019, 9:02pm

I have a domain, texashealthsurgerycenterrockwall.com, that was under another domain’s certificate, surgicalcenterofsandiego.com. I’ve been making new certificates for those domains and then deleting the one that had the group, but sometimes I get a certificate error, sometimes I get the error and the page reloads. Maybe it’s not a problem that I’m seeing this in the SSL Test but I’m still getting an error when I browse.

I thought I deleted using certbot delete --cert-name surgicalcenterofsandiego.com

I can see the deleted certificates when I visit https://www.ssllabs.com/ssltest/analyze.html?d=texashealthsurgerycenterrockwall.com

Here’s my config:

    # Updated: 2019-02-14
    ServerAdmin dave.kaplan@dept-11.com
    ServerName texashealthsurgerycenterrockwall.com
    ServerAlias www.texashealthsurgerycenterrockwall.com

    DocumentRoot /var/www/html/scafacilitywebsites/public_html

    <Directory /var/www/html/scafacilitywebsites/public_html>

            # Don't show directory index
            Options -Indexes +FollowSymLinks +MultiViews

            # Allow .htaccess files
            AllowOverride All

            # Allow web access to this directory
            Require all granted
    </Directory>

    # Error and access logs
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    # PHP-FPM 
    <FilesMatch \.php$>
            SetHandler "proxy:unix:/var/run/php7-fpm-texashealthsurgerycenterrockwall.sock|fcgi://texashealthsurgerycenterrockwall.com"
    </FilesMatch>

    RewriteEngine on
    RewriteCond %{SERVER_NAME} =texashealthsurgerycenterrockwall.com [OR]
    RewriteCond %{SERVER_NAME} =www.texashealthsurgerycenterrockwall.com
    RewriteRule ^ https://texashealthsurgerycenterrockwall.com%{REQUEST_URI} [END,NE,R=permanent]

    # Updated: 2019-02-14
    ServerAdmin dave.kaplan@dept-11.com
    ServerName texashealthsurgerycenterrockwall.com
    ServerAlias www.texashealthsurgerycenterrockwall.com

    DocumentRoot /var/www/html/scafacilitywebsites/public_html

    <Directory /var/www/html/scafacilitywebsites/public_html>

            # Don't show directory index
            Options -Indexes +FollowSymLinks +MultiViews

            # Allow .htaccess files
            AllowOverride All

            # Allow web access to this directory
            Require all granted
    </Directory>

    # Error and access logs
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn

    # PHP-FPM 
    <FilesMatch \.php$>
            SetHandler "proxy:unix:/var/run/php7-fpm-texashealthsurgerycenterrockwall.sock|fcgi://texashealthsurgerycenterrockwall.com"
    </FilesMatch>

    RewriteEngine on
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/texashealthsurgerycenterrockwall.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/texashealthsurgerycenterrockwall.com/privkey.pem

Any advice for fixing “This Connection Is Not Private”? that comes up. I’m on Ubuntu 14.04.5 LTS

JuergenAuer · February 14, 2019, 9:10pm

Hi Kaplan

there is a Grade A, there is no problem with your certificate.

The No-SNI version isn't relevant.

There is the "wrong certificate", but this isn't wrong.

Alternative names aksurgery.com www.aksurgery.com MISMATCH

If you have a lot of domains on the same ip, SNI (Server Name Indication) is required to send the hostname (your domain name) before creating a SSL-connection.

But if the browser is an IE / XP, then SNI isn't supported.

These old browsers - ignore them.

I see, you have rechecked your domain via https://check-your-website.server-daten.de/?q=texashealthsurgerycenterrockwall.com

That's good:

CN=texashealthsurgerycenterrockwall.com
	14.02.2019
	15.05.2019
expires in 90 days	texashealthsurgerycenterrockwall.com, 
www.texashealthsurgerycenterrockwall.com - 2 entries

PS: My main project has *.server-daten.de as wildcard certificate, check-your-website.server-daten.de and other customers use this certificate. But there is a second domain sql-und-xml.de. Check that domain via ssllabs -> there is the same, Non-SNI -> *.server-daten.de -> Mismatch.

So it's a general phenomen if one ip has a lot of domains with https.

Kaplan · February 14, 2019, 9:24pm

Is there anything I can do? My project manager is getting the errors and she’s asking that I find the fix.

I’m using Chrome 72.0.3626.109 and I see the errors until I refresh or the browser redirects. Is it my cache? I’m imagining patients or the folks at the centers are getting the same error, no? Can I make a new certificate and use SNI or have both?

Is it ok to use your check-your-website domain page to check my domains? I’ve done that based on our other discussion.

Thanks,
Dave

JuergenAuer · February 14, 2019, 9:33pm

This isn't an error. Your project manager should learn the basics of SSL connections.

Earlier, before SNI was deployed, one ip address could only have one certificate. So https - connections were limited to banking companies, online shops etc.

Now it's possible to have one ip with a lot of domains with https. But that requires SNI support.

Without SNI big hosters (one ip, more then 100.000 domains with this ip) couldn't use https with these 100.000 domains.

Without SNI we would have perhaps 10 - 20 % https connections, not 60 - 70 %.

Currently, it's only a cache problem. Ssllabs sees the correct certificate.

Yes, I've created the tool to make it easier to find configuration errors. And if users use the tool directly, I don't need to check the domain, I can scan the results

Kaplan · February 14, 2019, 9:49pm

Thanks for sharing the SNI information. To be honest, I didn’t quite get it either. I’m fairly new to server configuration and host management, my background is in design. I see how that’s making security possible for so many sites now.

Do you think this issue will clear itself up?

I get the error on my desktop and mobile device.

Anything I can do to help get rid of that “Your connection is not private” error? I’m a little concerned that visitors to the site are seeing this as well.

JuergenAuer · February 14, 2019, 9:54pm

Clear your cache.

I see:

schoen · February 14, 2019, 10:06pm

I think there’s something odd going on because when I reload I get the valid certificate sometimes and then an expired certificate other times. (And it almost alternates so that the valid certificate often appears, followed by the invalid certificate, followed by the valid certificate.) Could there be some kind of load balancer or CDN involved somehow?

_az · February 14, 2019, 10:08pm

The other time I've seen this is when Apache did not restart cleanly and half the workers are on the old config, half on the new.

Making sure no apache2/httpd processes are running and then starting Apache can clean this up.

JuergenAuer · February 14, 2019, 10:14pm

First, I loaded the site with Chrome and saw the old certificate. But I had loaded the page some days earlier.

Then (without own interaction) Chrome loaded the correct certificate -> own cache problem.

After reading the next answers, one time the wrong certificate, then the correct.

Perhaps reboot your server one time.

PS: Now the same. F5 - Chrome shows a warning, then Chrome switches to the correct certificate.

PPS: This isn’t a “SNI-problem”.

Kaplan · February 14, 2019, 11:02pm

I'm still getting that same error and I cleared everything, shut down and waited a while, then rebooted my laptop.

I'll try rebooting the server. I have made changes to my configs and usually use a2ensite, a2dissite and then I've really on run apache2 reload, so maybe the reload isn't the same thing as a restart. I'm going to wait until later tonight, I'm on CST, and think I'd feel better if it was 'after hours' that I do that restart.

Making sure no apache2 / httpd processes are running and then starting Apache can clean this up.

Would a restart kill any running processes?

Thanks so much guys!

mnordhoff · February 14, 2019, 11:21pm

Reloading is supposed to be enough. Restarting is supposed to kill all old processes.

None of this is supposed to go wrong, but apparently it is.

Stopping Apache and then using ps or whatever to see if there are any Apache processes still running causes downtime but is the simple and easy way to confirm whether that's the issue.

(If any Apache processes do continue to run, you can kill them.)

To try to avoid downtime, you can restart Apache and then check if any of the processes are old, but that's slightly more work.

Kaplan · February 15, 2019, 2:50pm

Thanks again guys! I always learn a great amount here. I think the problem has been solved by a service apache2 restart, there was a short a pause then the beautiful [OK].

I did some some research about ps, definitely need to do more and mess around with my local development setup (I have a Vagrant - Fusion VMWare box pretty close to my production setup).

Hopefully I’m all set for a bit. Have a great day!

JuergenAuer · February 15, 2019, 4:34pm

Yep, my Chrome was already open, F5, F5, F5 ... no wrong certificate.

system · March 17, 2019, 4:34pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.