Domain uses an invalid security certificate ("verwendet ein ungültiges Sicherheitszertifikat")


#1

Hello Experts,

I’ve installed a certificate for a domain as a test and this worked fine. I removed the certs from /etc/live/domainX/ (as well as /renew, /archiv …) from the server, restarted apache2, and now it should run on port 80 as usual, but it doesn’t.

The certificate is only valid for the following names: domainY.com, www.domainY.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

"<DomainX.de> uses an invalid security certificate." (German: "<DomainX.de> verwendet ein ungültiges Sicherheitszertifikat.")
But everything is removed, and it shows a certificate which is for another domain (domainY) on the server, which is not connected in any way.

So where are all the installed files & links to delete after installing the certificate via "# certbot --apache -domainX"?


#2

Hi,

The files are usually located in /etc/letsencrypt/live/domain.tld/ (might vary in different cases).

Please fill in the following form so we can help you:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Thank you.

P.S. probably move to #help


#3

Hi Steven,

Which command do you want me to run? (…there are pretty many commands, so you
need to be a "little" more specific to expect helpful output
afterwards):

I ran this command:

It produced this output:


#4

If you want to undo the process, usually you would also need to remove the virtual host configuration from /etc/apache2/sites-available and /etc/apache2/sites-enabled, which is usually called something-le-ssl.conf and is based on your previous non-HTTPS virtual host. However, it is strange that you didn’t get an error after deleting the certificate files without removing the virtual hosts, because deleting the certificates without changing the Apache configuration should have left Apache in a state where it couldn’t start up at all.


#5

I deleted everything that has to do with the certificate, removed the
domain-le-ssl.conf and re-attached the original (port 80) conf.

But check for yourself: the domainX is "baumangel-baurecht.de" and it
shows another certificate for whatever reason… and in the
meantime it is impossible to point with the *.conf into the directory of
domainX. It’s a mess!


#6

So, there is still a redirection rule in your HTTP virtual host. If you don’t want that redirection, you’ll have to find it and remove it. It will either start with Redirect or RewriteRule. It is redirecting HTTP URLs to the corresponding HTTPS URLs, which then produces a certificate error.

The fact that the server answers in HTTPS and presents another certificate is unavoidable when sharing a server with multiple sites, at least one of which supports HTTPS. It will always be possible to attempt to connect via HTTPS if any HTTPS virtualhost is listening on the same IP address, but if no appropriate certificate is configured, none will be returned to the browser.


#7

Thanks for the answer, but the redirection is the first thing to remove and this was the very first step, but it still points to the wrong address. Here is the domain.conf in the /etc/apache2/sites-available/ directory:

<VirtualHost 88.198.130.183:80>
# 2018-01-15

    ServerAdmin user@localhost
    ServerName baumangel-baurecht.de
    ServerAlias www.baumangel-baurecht.de

    <IfModule mod_suexec.c>
            SuexecUserGroup baumangel-baurechtde baumangel-baurechtde
    </IfModule>

    AddHandler fcgid-script .php

    DocumentRoot "/var/www/bmrecht.de/docs"
    DirectoryIndex index.php index.html index.htm

    <Directory />
            Options FollowSymLinks
            AllowOverride None
    </Directory>

    <Directory "/var/www/bmrecht.de/docs">
            Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
            AllowOverride AuthConfig FileInfo
            FCGIWrapper /var/www/bmrecht.de/php-fcgi/php-fcgi-wrapper .php
            Order allow,deny
            Allow from all
    </Directory>

    ErrorLog /var/www/bmrecht.de/logs/error.log
    #ErrorLog /var/log/apache2/error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn
    #RewriteLogLevel 9
    CustomLog /var/log/apache2/access.log vhost_combined

    ServerSignature Off

#8

Did you restart Apache after changing the configuration?

Is there a file .htaccess in the directory /var/www/bmrecht.de/docs?
The redirect might be configured there.


#9

Of course I restart Apache after making changes to a config.
The .htaccess shows nothing specific, just:

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^(.*)$ index.php [L]

If I comment it all out with #, nothing changes, so it has nothing to do with the
.htaccess file.

  • Internet Explorer shows:

Error code: DLG_FLAGS_SEC_CERT_CN_INVALID

  • Firefox shows:

Error code: SSL_ERROR_BAD_CERT_DOMAIN

It has something to do with the certificate and some link created by
certbot in some file which forces https://


#10

Well, at the moment there is no redirect anymore.
But the certificate given for https is wrong (issued for cybersec-alliance.com).


#11

Currently I’m trying to fix it somehow. I see the message that it redirects to the other domain (cybersec). But even if I turn off this site (cybersec), the https shows the next https site! And so forth… It looks like, no matter what I do, the pattern of this bug is: just take ANY certificate available on this server!


#12

I don’t - there is no redirect from http to https:

$ wget -S -O/dev/null www.baumangel-baurecht.de
--2018-03-01 10:09:29-- http://www.baumangel-baurecht.de/
Resolving www.baumangel-baurecht.de (www.baumangel-baurecht.de)… 88.198.130.183
Connecting to www.baumangel-baurecht.de (www.baumangel-baurecht.de)|88.198.130.183|:80… connected.
HTTP request sent, awaiting response…
HTTP/1.1 200 OK
Date: Thu, 01 Mar 2018 09:09:24 GMT
Server: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 OpenSSL/1.0.2l
Last-Modified: Wed, 28 Feb 2018 15:42:11 GMT
ETag: "84-56647962f2a1b"
Accept-Ranges: bytes
Content-Length: 132
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
Length: 132 [text/html]

The other thing you see is obvious: the first virtualhost that applies for port 443 (https) will be taken unless you have a matching virtualhost. This is called the default virtual host; the same applies for http.

You have to configure a virtualhost for baumangel-baurecht.de (ServerName) to apply the correct certificate for it.


#13

Update: if I change to <VirtualHost *:80> it just jumps to the next page, ignoring the settings in the conf (like DocumentRoot "/var/www/site/docs").

-> I just rebuilt the original entry (with the IP) and now you can see the redirect to the - for this site - "wrong" certificate.

Back to question one: where is the entry which forces any domain to https? And in this case, if I’ve removed the https "flag" from this domain, it shouldn’t search for the next certificate at all.


#14

Please: don’t just turn all knobs. First get an overview of all configured virtualhosts:

httpd -t -D DUMP_VHOSTS

Then setup your https vhosts accordingly.


#15

… there is no httpd installed (debian 4.9.65)


#16

httpd is the name of the Apache executable.
If this is false on Debian, please try to get the name:

netstat -tpln | grep :80


#17

Try to find it:

grep -ri Redirect /etc/apache2
grep -ri RewriteRule /etc/apache2


#18

tcp6 0 0 :::80 :::* LISTEN 24848/apache2


#19

Ok, maybe apache2 -t -D DUMP_VHOSTS will give you a list of vhosts.


#20

88.198.130.183:80 is a NameVirtualHost
default server baumangel-baurecht.de (/etc/apache2/sites-enabled/baumangel-baurecht.de.conf:1)
port 80 namevhost baumangel-baurecht.de (/etc/apache2/sites-enabled/baumangel-baurecht.de.conf:1)
alias www.baumangel-baurecht.de
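The two checks the thread converges on (#12 and #14: which vhost, and therefore which certificate, Apache picks for a name on port 443; #6 and #17: whether any Redirect/RewriteRule still sends HTTP clients to https://) can be scripted so they run against captured text instead of by trial and error. The following is an added example and not code from the thread or from certbot. Its DUMP_VHOSTS sample repeats the port-80 block posted in #20 and adds a constructed *:443 block (the cybersec-alliance.com vhost file name and line are assumed, not taken from the server); the vhost sample is a constructed port-80 vhost in the shape certbot --apache leaves behind when the redirect option is chosen.

```shell
#!/bin/sh
# Added example (not from the thread). Two read-only checks that work on text
# you already have, so nothing here changes the server's configuration.
#
#  vhost_for HOST PORT   reads `apache2ctl -t -D DUMP_VHOSTS` output (Debian
#                        name; `httpd -t -D DUMP_VHOSTS` elsewhere) from stdin
#                        and prints "namevhost NAME (FILE)" when a ServerName or
#                        ServerAlias matches HOST on PORT, otherwise
#                        "default NAME (FILE)": that default server's
#                        certificate is what a browser will be shown.
#                        Simplification: only the first NameVirtualHost block
#                        for PORT is considered; Apache itself prefers an
#                        IP-specific block over a "*:" block.
#  find_https_redirects  reads Apache config text from stdin and prints the
#                        active Redirect*/RewriteRule lines that target
#                        https://, i.e. what `grep -ri Redirect /etc/apache2`
#                        and `grep -ri RewriteRule /etc/apache2` would surface.

vhost_for() {
  awk -v host="$1" -v port="$2" '
    # Block header: "88.198.130.183:80  is a NameVirtualHost" / "*:443  is a NameVirtualHost"
    $2 == "is" && $3 == "a" && $4 == "NameVirtualHost" {
      n = split($1, addr, ":")                 # last field is the port, also for [::1]:443
      inblock = (!seen && addr[n] == port)     # first block for this port only
      if (inblock) seen = 1
      next
    }
    !inblock { next }
    $1 == "default" && $2 == "server" { def_name = $3; def_file = $4; next }
    $1 == "port" && $2 == port && $3 == "namevhost" {
      cur_name = $4; cur_file = $5
      if (cur_name == host) { print "namevhost " cur_name " " cur_file; found = 1; exit }
      next
    }
    $1 == "alias" && $2 == host { print "namevhost " cur_name " " cur_file; found = 1; exit }
    END {
      if (found) exit
      if (def_name != "") print "default " def_name " " def_file
      else print "none"
    }
  '
}

find_https_redirects() {
  # Uncommented Redirect, RedirectMatch, RedirectPermanent, ... or RewriteRule
  # lines whose target is https://
  grep -Ei '^[[:space:]]*(Redirect[A-Za-z]*|RewriteRule)[[:space:]].*https://'
}

# Constructed DUMP_VHOSTS sample: the port-80 block is the one posted in #20,
# the *:443 block and its file path are assumed for illustration.
DUMP_VHOSTS_SAMPLE='VirtualHost configuration:
88.198.130.183:80      is a NameVirtualHost
         default server baumangel-baurecht.de (/etc/apache2/sites-enabled/baumangel-baurecht.de.conf:1)
         port 80 namevhost baumangel-baurecht.de (/etc/apache2/sites-enabled/baumangel-baurecht.de.conf:1)
                 alias www.baumangel-baurecht.de
*:443                  is a NameVirtualHost
         default server cybersec-alliance.com (/etc/apache2/sites-enabled/cybersec-alliance.com-le-ssl.conf:2)
         port 443 namevhost cybersec-alliance.com (/etc/apache2/sites-enabled/cybersec-alliance.com-le-ssl.conf:2)
                 alias www.cybersec-alliance.com'

# Constructed port-80 vhost in the shape certbot --apache leaves behind when
# the redirect option is chosen; the RewriteRule is the line to remove.
VHOST_SAMPLE='<VirtualHost 88.198.130.183:80>
    ServerName baumangel-baurecht.de
    ServerAlias www.baumangel-baurecht.de
    DocumentRoot "/var/www/bmrecht.de/docs"
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =baumangel-baurecht.de [OR]
    RewriteCond %{SERVER_NAME} =www.baumangel-baurecht.de
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>'

printf '%s\n' "$DUMP_VHOSTS_SAMPLE" | vhost_for baumangel-baurecht.de 80
printf '%s\n' "$DUMP_VHOSTS_SAMPLE" | vhost_for baumangel-baurecht.de 443
printf '%s\n' "$VHOST_SAMPLE" | find_https_redirects
```

On the real host the same functions are fed with `apache2ctl -t -D DUMP_VHOSTS | vhost_for baumangel-baurecht.de 443` and `cat /etc/apache2/sites-enabled/*.conf | find_https_redirects`. A "default" answer on 443 is the SSL_ERROR_BAD_CERT_DOMAIN situation from #1: the name has no 443 vhost of its own, so Apache serves the default server's certificate, and the only ways out are a 443 vhost for that name with its own certificate or no redirect to https:// for it at all.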