Different results for otherwise identical A, B CNAMEs on server


#1

So I have a server, myserver.example.com. I have two CNAME’d domains mapping to it, a.example.com/a.myserver.example.com and b.example.com/b.myserver.example.com.

I set a.example.com up last year without any problems. I’m running Ubuntu 16.04, apache2 and I used certbot-auto, e.g.
certbot-auto certonly --webroot --webroot-path /var/www/vhost.b -d b.example.com -d b.myserver.example.com

While I successfully get a certificate for b, the certificate is matching myserver.example.com instead of b.example.com, so it goes into full-blown Chrome alarum-alarum “Your connection is not private” etc., and I’m going slowly insane trying to figure out what is going on here.

Comparing the two setups (a and b are handled by apache-run virtual host configurations on myserver) yields NO difference at all. In fact, the openssl x509 output check on the fullchain.pem that I got for a and b respectively from certbot shows EXACTLY the domain names I would expect (and myserver.example.com is not listed at all).

Using nslookup, host, etc all show equivalent results between a and b.

The only difference I’ve discovered is when using the browser to examine the certificate: a shows a.example.com but b shows myserver.example.com. I’ve even tried different browsers and cleared out all data on one browser to be sure I wasn’t somehow caching an old cert from when setting b up.

What completely stumps me is that the output of openssl x509 -text -noout -in cert.pem looks good on both a and b:

root# openssl x509 -text -noout -in cert.pem 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [...]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jul 16 12:42:16 2018 GMT
            Not After : Oct 14 12:42:16 2018 GMT
        Subject: CN=[a|b].example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
[...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier: 
                [...]
            X509v3 Authority Key Identifier: 
                keyid:[...]

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:[a|b].example.com, DNS:[a|b].myserver.example.com
            X509v3 Certificate Policies: 
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : [...]
                    Timestamp : Jul 16 13:42:16.605 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
[...]
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : [...]
                    Timestamp : Jul 16 13:42:16.791 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
[...]
    Signature Algorithm: sha256WithRSAEncryption
[...]

And also:

root@example:/etc/letsencrypt/live/b.example.com# openssl x509 -noout -modulus -in fullchain.pem | openssl md5
(stdin)= f3808a306853c31ee5ca309224207322

root@example:/etc/letsencrypt/live/b.example.com# openssl rsa -noout -modulus -in privkey.pem | openssl md5
(stdin)= f3808a306853c31ee5ca309224207322

Where would you start looking?


#2

I’d start with the Apache configuration… it sounds like maybe the VirtualHost on port 443 for b.example.com is misconfigured.

Try running apachectl -S and see if the output matches your expectations - it may help point you in the right direction. If that doesn’t help, post the output and the relevant configuration file(s) here.
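The check that separates “the certificate file is wrong” from “Apache is handing out a different vhost’s certificate” is to ask the TLS endpoint itself what it serves for a given SNI name, rather than inspecting the PEM on disk. The script below is an added example, not code from the original thread or from certbot: it uses openssl s_server as a stand-in for Apache (one default certificate plus one SNI-selected certificate, the equivalent of a default :443 VirtualHost next to one correctly configured name-based vhost), so it needs no web server. It assumes an OpenSSL new enough to have `req -addext` (1.1.1 or later, so not the 1.0.2 on Ubuntu 16.04), a free loopback port and a writable temp directory; the hostnames are the thread’s own placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Reproduces "the browser sees
# myserver's certificate for b" with openssl s_server standing in for Apache:
# one default certificate plus one SNI-selected certificate (the equivalent
# of a default :443 VirtualHost plus a correctly configured name-based one).
# Hostnames are the thread's placeholders; WORK and PORT are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PORT="${PORT:-$(( 20000 + $$ % 20000 ))}"

# Self-signed leaf with one SAN: constructed sample data for the demo.
make_cert() {  # make_cert <name>
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# SAN list of a PEM on disk: the check the poster ran, which looked right.
file_sans() {  # file_sans <pem-file>
    openssl x509 -noout -text -in "$1" \
        | sed -n '/Subject Alternative Name/{n;s/^ *//;s/DNS://g;p;}'
}

# CN of the certificate the endpoint actually presents for an SNI name:
# what the browser sees, and the check missing from the poster's list.
served_cn() {  # served_cn <host:port> <sni-name>
    openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject \
        | sed 's/.*CN *= *//'
}

# Start a TLS endpoint with a default cert and one SNI rule, then wait
# until it accepts connections.
start_server() {  # start_server <default-name> <sni-name>
    openssl s_server -4 -accept "$PORT" -www \
        -cert "$WORK/$1.pem" -key "$WORK/$1.key" \
        -servername "$2" -cert2 "$WORK/$2.pem" -key2 "$WORK/$2.key" \
        >/dev/null 2>&1 &
    SERVER_PID=$!
    for _ in 1 2 3 4 5 6 7 8 9 10; do
        if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        sleep 1
    done
    echo "server did not come up on port $PORT" >&2
    return 1
}

make_cert myserver.example.com
make_cert a.example.com
make_cert b.example.com

# Only a has an SNI rule. b's certificate exists on disk but nothing serves
# it, so a request for b falls through to the default (myserver) certificate.
start_server myserver.example.com a.example.com
trap 'kill "$SERVER_PID" 2>/dev/null || true; rm -rf "$WORK"' EXIT

echo "b on disk (SANs):  $(file_sans "$WORK/b.example.com.pem")"
echo "served for SNI a:  $(served_cn "127.0.0.1:$PORT" a.example.com)"
echo "served for SNI b:  $(served_cn "127.0.0.1:$PORT" b.example.com)"
```

On the real box the same `served_cn` call, pointed at `myserver.example.com:443` with `b.example.com` as the SNI name, tells you in one line whether the server is presenting b’s certificate or the default vhost’s. If it comes back with myserver’s CN while `file_sans` on b’s fullchain.pem is correct (which is exactly the poster’s situation), the certificate files are fine and the problem is vhost selection: `apachectl -S` will show which `<VirtualHost *:443>` is the default and whether one exists at all for b with a matching `ServerName`/`ServerAlias` and its own `SSLCertificateFile`. Apache picks the first :443 vhost when no name matches, which is how a perfectly good certificate on disk never reaches the browser.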
