Invalid certificate in browser

bendauphinee · March 3, 2019, 7:38pm

I’ve made several attempts to get a correct certificate, but don’t seem to be able to successfully. I’ve attempted before and after setting RDNS for my linode box, in between reboots, manually setting the hostname, nothing seems to produce the correct certificate.

This command: certbot -vvv -a dns-linode -i apache --cert-name realm-peach.com -d "*.realm-peach.com" -d realm-peach.com --server https://acme-v02.api.letsencrypt.org/directory

This output: I don’t have the output as this was yesterday, however, it appeared to have no errors. I reset the webserver after.

My domain is:           realm-peach.com
My web server is:       Apache 2.4.6
The operating system:   CentOS 7
My hosting provider:    Linode
I can login to root:    yes
Control panel:          No
Client version:         certbot 0.31.0

mnordhoff · March 3, 2019, 7:46pm

Seven certificates were issued yesterday:

https://tools.letsdebug.net/cert-search?m=domain&q=realm-peach.com&d=168

But Apache isn’t using any of them. It’s using a self-signed certificate instead.

Can you show us what “certbot certificates” or “sudo certbot certificates” shows?

Can you also check all your Apache configuration files to see what SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile directives are being used?

“apachectl -t -D DUMP_VHOSTS” or “sudo apachectl -t -D DUMP_VHOSTS” should be able to list all of the virtual hosts configured.

The default ssl.conf file is sometimes known to conflict with other virtual hosts. That might be what’s happening here, or it could be something else.

schoen · March 3, 2019, 8:01pm

On CentOS, it apparently matters whether your hostname comes before or after ssl.conf alphabetically (!!). @joohoi has created a fix for this but there are other workarounds possible.

bendauphinee · March 3, 2019, 8:25pm

Thank you for the hint. I’m sniffing around these files now, but you are correct it does appear to be not overriding the certificate for the vhost properly.

apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   realm-peach.com (/etc/httpd/conf/httpd.conf:133)
*:443                  is a NameVirtualHost
         default server realm-peach.com (/etc/httpd/conf.d/ssl.conf:36)
         port 443 namevhost realm-peach.com (/etc/httpd/conf.d/ssl.conf:36)
         port 443 namevhost realm-peach.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
                 wild alias *.realm-peach.com
---------------------------------------------------------------------------
grep -i -r "SSLCertificate" /etc/httpd
/etc/httpd/conf/httpd-le-ssl.conf:        SSLCertificateFile /etc/letsencrypt/live/realm-peach.com/cert.pem
/etc/httpd/conf/httpd-le-ssl.conf:        SSLCertificateKeyFile /etc/letsencrypt/live/realm-peach.com/privkey.pem
/etc/httpd/conf/httpd-le-ssl.conf:        SSLCertificateChainFile /etc/letsencrypt/live/realm-peach.com/chain.pem
/etc/httpd/conf.d/ssl.conf:    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
/etc/httpd/conf.d/ssl.conf:    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
/etc/httpd/conf.d/ssl.conf:    #SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

bendauphinee · March 3, 2019, 9:15pm

Ok, I am stuck again.

ssl_error_log shows this on restarting: RSA certificate configured for realm-peach.com:443 does NOT include an ID which matches the server name

Had a look at the cert with these commands:

#openssl x509 -in /etc/letsencrypt/live/realm-peach.com/cert.pem -noout -subject
subject= /CN=*.realm-peach.com

#openssl x509 -in /etc/letsencrypt/live/realm-peach.com/cert.pem -text | grep -A1 "Subject Alternative Name"
        X509v3 Subject Alternative Name:
            DNS:*.realm-peach.com, DNS:realm-peach.com

And I did a dig just to make sure my RDNS was as expected:

#dig @ns1.linode.com -x 173.255.195.24

; <<>> DiG 9.9.4-RedHat-9.9.4-73.el7_6 <<>> @ns1.linode.com -x 173.255.195.24
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 20797
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 11

;; ANSWER SECTION:
24.195.255.173.in-addr.arpa. 86400 IN   PTR     realm-peach.com.

And double-checked the hostname as well:

# hostname
realm-peach.com

# hostname -A
realm-peach.com realm-peach.com

# hostname -i
2600:3c00::f03c:91ff:fec2:ee9b 173.255.195.24

What am I missing? It appears the webserver is still serving the old file, and I’m guessing it’s because of that error, but I don’t know enough of this side of server building to know what to do next.

joohoi · March 5, 2019, 3:15pm

Sorry, I’m a bit late in the party. The upcoming fix is rather simple, and you can do it easily manually: just move the LoadModule ssl_module ... line from ssl.conf to the beginning of /etc/httpd/conf/httpd.conf.

The reason that this is happening is that in the default CentOS 6 installation, Apache reads all configuration files : /etc/httpd/conf.d/*.conf.

The files are read in aplhabetically sorted order. When a VirtualHost directive is wrapped in <IfModule mod_ssl.c> directive, it gets ignored if it’s read before the LoadModule directive… which then again comes in ssl.conf, which is pretty late in the alphabetic sort order.

bendauphinee · March 5, 2019, 10:53pm

Interesting. Attempted that, but does not seem to have solved the problem. Also, I’m still receiving the same RSA certificate configured for realm-peach.com:443 does NOT include an ID which matches the server name error message.

schoen · March 5, 2019, 10:57pm

Is this true? Does that file define a namevhost for this name?

bendauphinee · March 5, 2019, 11:13pm

Apparently that's a lie. The domain is nowhere in that file. Here are all occurrences of it:

# grep -i -r "realm" /etc/httpd
/etc/httpd/conf/httpd.conf:    ServerAdmin everyone@realm-peach.com
/etc/httpd/conf/httpd.conf:    ServerName realm-peach.com
/etc/httpd/conf/httpd.conf:    ServerName realm-peach.com
/etc/httpd/conf/httpd.conf:    ServerAlias *.realm-peach.com
/etc/httpd/conf/httpd.conf:    RewriteCond %{SERVER_NAME} =realm-peach.com [OR]
/etc/httpd/conf/httpd.conf:    RewriteCond %{SERVER_NAME} =*.realm-peach.com
/etc/httpd/conf/httpd-le-ssl.conf:        ServerName realm-peach.com
/etc/httpd/conf/httpd-le-ssl.conf:        ServerAlias *.realm-peach.com
/etc/httpd/conf/httpd-le-ssl.conf:        SSLCertificateFile /etc/letsencrypt/live/realm-peach.com/cert.pem
/etc/httpd/conf/httpd-le-ssl.conf:        SSLCertificateKeyFile /etc/letsencrypt/live/realm-peach.com/privkey.pem
/etc/httpd/conf/httpd-le-ssl.conf:        SSLCertificateChainFile /etc/letsencrypt/live/realm-peach.com/chain.pem

schoen · March 5, 2019, 11:53pm

@joohoi, should we suggest for @bendauphinee to edit the includes here so that their order will change?

joohoi · March 6, 2019, 8:46am

I just realized that it’s not CentOS 6 we’re talking about here. CentOS 7 does not have the same include order issue with LoadModule. There’s something else in play here.

bendauphinee · March 13, 2019, 2:37pm

Does anyone else have any additional advice to offer on this problem?

jsha · March 13, 2019, 4:29pm

I notice in your DUMP_VHOSTS output that ssl.conf contains a virtualhost for realm-peach.com. You should probably delete that vhost or change it to an unrelated domain name.

bendauphinee · March 15, 2019, 1:26am

From my post a little further down, I ran a grep across all the files, and I found no entry for that vhost in that file.

What would be the next step for this problem?

system · April 14, 2019, 1:26am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.