Letsencrypt SSL certificate conflict with Geotrust Certificate?


#1

Hello,
I have a website www.creatissus.com for which I installed the SSL certificate issued by GeoTrust.
Now I have a second website for which I issued a Let's Encrypt certificate, www.gammaseotools.com,
however when I try to access https://www.gammaseotools.com , I get a warning, and here is the screenshot:


I wonder what’s happening, all my other sites have no problem, except this one.


#2

Quick guess: You did not configure another virtualhost for gammaseotools.com (https), so the first one will be used and this is creatissus.com, which contains only the certificate for this domain.


#3

Hi here is my vhost configuration:

<VirtualHost *:443>
    SuexecUserGroup "#1015" "#1014"

    ServerName www.gammaseotools.com

    FcgidMaxRequestLen 2000000

    DocumentRoot /home/gammaseotools.com/public_html
    ErrorLog /home/gammaseotools.com/logs/ssl_error_log
    CustomLog /home/gammaseotools.com/logs/ssl_access_log combined

    <Directory /home/gammaseotools.com/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch +ExecCGI
        allow from all
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,Multiviews,SymlinksIfOwnerMatch
        AddHandler fcgid-script .php
        AddHandler fcgid-script .php5
        FCGIWrapper /home/gammaseotools.com/fcgi-bin/php5.fcgi .php
        FCGIWrapper /home/gammaseotools.com/fcgi-bin/php5.fcgi .php5
        AddType application/x-httpd-php .php
        Require all granted
    </Directory>

    # Certificate directives belong at VirtualHost level, not inside <Directory>
    SSLCertificateFile /etc/letsencrypt/live/www.gammaseotools.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.gammaseotools.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/www.gammaseotools.com/chain.pem
</VirtualHost>

It has the same pattern as the other sites, maybe there was a problem during the certificate generation?


#4

I don’t know the reason for the problem, but I agree with @bytecamp that this is nonetheless a symptom of Apache configuration problems rather than any kind of invalidity of each certificate. This is not a cryptographic or certificate error, but rather a problem that Apache didn’t know how to decide which certificate to present.


#5

I deleted and recreated it and there is still the problem. Any Apache god here? At least where to look, because in the Apache logs there is nothing.
These are old log messages in the SSL error log :slight_smile:
(104)Connection reset by peer: [client 78.245.111.175:64993] mod_fcgid: error reading data from FastCGI server
[client 78.245.111.175:64993] End of script output before headers: index.php


#6

Can you post the other virtual host(s) too?


#7

creatissus.com.conf.txt (4.5 KB)
gammaseotools.conf.txt (5.0 KB)
Here they are. Basically I just copied the non-SSL config file and modified the port and log path, included the SSL part generated by Certbot, and added the path to the certificates.
The files are big, and maybe some parts are useless; they were generated by Virtualmin.

Here is what Google Chrome shows when attempting to connect to the https version of gammaseotools.com
alert.txt (4.9 KB)


#8

Your port 443 virtualhost for creatissus.com explicitly specifies an IP address. That makes it take precedence over the gammaseotools.com virtualhost, regardless of the servername / serveralias. See: https://httpd.apache.org/docs/2.4/mod/core.html#virtualhost

You can change the first one to *:443 or change the second one to include the IP address.


#9

Hi, thank you for your input. I removed the IP address; when I try to reload the site (wiping out all Google Chrome history) and ran ipconfig /flushdns in my CMD in Windows, it takes longer for the browser to tell me the error: NET::ERR_CERT_COMMON_NAME_INVALID.
In fact now instead of going to creatissus, it says "Impossible to verify on the server that it's gammaseotools.com, because its SSL certificate comes from www.domain2.com", where www.domain2.com is another domain hosted on the same server that also has SSL…

Now you pointed me to the solution: in gammaseotools.com I put the IP address and it worked! Now my question is why it is not working if I don't put the IP address?


#10

Maybe there’s another domain that also has an IP address in its respective virtual host?


#11

If some of your VirtualHosts specify IP addresses and some don’t, the ones that have IP addresses always take precedence over the ones that don’t (assuming the IP address is the correct one for your server).

To quote the Apache documentation (emphasis mine):

When a request is received, the server first maps it to the best matching <VirtualHost> based on the local IP address and port combination only. Non-wildcards have a higher precedence. If no match based on IP and port occurs at all, the “main” server configuration is used.

If multiple virtual hosts contain the best matching IP address and port, the server selects from these virtual hosts the best match based on the requested hostname. If no matching name-based virtual host is found, then the first listed virtual host that matched the IP address will be used. As a consequence, the first listed virtual host for a given IP address and port combination is the default virtual host for that IP and port combination.

So, if you have a VirtualHost for www.domain2.com that specifies the IP address, then it will take precedence over any VirtualHost that does not. If that’s the case, when you removed the IP address from creatissus.com, the remaining VirtualHost with an IP address took precedence.

So you need to have all your VirtualHosts configured the same way: either specify the IP address for all of them, or none. The only time you might likely want to do otherwise is if your server has multiple IP addresses and you want to put different sites on each of them.
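The selection rule quoted above, and the precedence problem from #8, as an added illustration that is not part of the thread: a small Python model of how Apache 2.4 maps a TLS connection to a VirtualHost (IP:port match first, non-wildcard beating wildcard, then hostname, then first listed). The server IP 203.0.113.10 is a constructed placeholder, and the three configurations mirror the thread's "mixed", "half fixed" (post #9) and "uniform" (post #11) states.

```python
# Added example, not from the thread: models Apache 2.4 VirtualHost selection.
# IP 203.0.113.10 is a constructed placeholder for the server's address.
from dataclasses import dataclass


@dataclass
class VHost:
    addr: str          # as written in <VirtualHost ...>: "203.0.113.10:443" or "*:443"
    server_name: str
    cert: str          # which site's certificate this vhost would present
    aliases: tuple = ()


def _addr_match(vh_addr: str, ip: str, port: int) -> int:
    """2 = exact IP:port match, 1 = wildcard match, 0 = no match."""
    host, _, p = vh_addr.rpartition(":")
    if int(p) != port:
        return 0
    if host in ("*", "_default_"):
        return 1
    return 2 if host == ip else 0


def select_vhost(vhosts, ip, port, sni_name):
    """Step 1: best match on local IP:port only (non-wildcards win).
    Step 2: among those, match the requested name; otherwise first listed wins."""
    best = max(_addr_match(v.addr, ip, port) for v in vhosts)
    if best == 0:
        return None  # Apache would fall back to the "main" server config
    candidates = [v for v in vhosts if _addr_match(v.addr, ip, port) == best]
    for v in candidates:
        names = (v.server_name.lower(), *[a.lower() for a in v.aliases])
        if sni_name.lower() in names:
            return v
    return candidates[0]


SERVER_IP = "203.0.113.10"
# Post #8: creatissus and domain2 bind the IP, gammaseotools uses *:443.
MIXED = [
    VHost(f"{SERVER_IP}:443", "www.creatissus.com", "creatissus"),
    VHost("*:443", "www.gammaseotools.com", "gammaseotools"),
    VHost(f"{SERVER_IP}:443", "www.domain2.com", "domain2"),
]
# Post #9: creatissus switched to *:443, but domain2 still binds the IP.
HALF_FIXED = [VHost("*:443", *MIXED[0].__dict__.values().__iter__().__next__() and
              ("www.creatissus.com", "creatissus")), MIXED[1], MIXED[2]]
# Post #11: every vhost declared the same way.
UNIFORM = [VHost("*:443", v.server_name, v.cert, v.aliases) for v in MIXED]


def cert_served(vhosts, sni_name):
    vh = select_vhost(vhosts, SERVER_IP, 443, sni_name)
    return vh.cert if vh else None


if __name__ == "__main__":
    for label, conf in (("mixed", MIXED), ("half_fixed", HALF_FIXED), ("uniform", UNIFORM)):
        print(label, "->", cert_served(conf, "www.gammaseotools.com"))
```

To check a live server the same way, `openssl s_client -connect host:443 -servername www.gammaseotools.com </dev/null | openssl x509 -noout -subject` shows which certificate is actually presented for that SNI name.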


#12

Yes indeed, if I set * on one, then it goes to the next one that has the IP address set, over and over; that's how I got the idea of setting the IP for gammaseotools.


#13

Thank you again. I've checked the document; this is a valuable lesson since I manage a server with several virtual hosts.

