New certificate on subdomain sometimes uses another certificate and gives an error


#1

I created a new subdomain on a WordPress network and I have a new certificate that sometimes works; sometimes it grabs a certificate for another domain on the network, and I can see “This certificate is not valid (host name mismatch)”.

The domain is https://ontarioadvanced.scafacilitywebsites.com/
If I get the error I see a certificate for https://aksurgery.com/

https://aksurgery.com/ has several domains under it; when I first started setting up the network certificates I was doing them in 10s.

For OntarioAdvanced.sc

Going forward, since the initial setup, I found it’s better to do 1 site at a time, so the process is usually: a subdomain gets created with a certificate, we work on the subdomain, then when it’s ready to be live, I update the vHosts, have the live domain name pointed at the server’s IP, then create the final certificate for the new site. Most of the time it’s smooth. Every once in a while I run into this kind of ‘crossing of wires’, for lack of a better way to describe it, where that aksurgery.com cert gets loaded with a domain.

I’m running Server version:
Ubuntu 14.04.5 LTS (GNU/Linux 4.4.0-31-generic x86_64)
Apache/2.4.25 (Ubuntu)
certbot 0.22.2

Is the new subdomain not loading, so the server looks for the first certificate in the list of certificates, being ‘ak…’?

Any advice would be very helpful. I have 100+ sites running on the network and want to be careful about messing with the certificates, otherwise I’ll be seeing many emails from angry people.

My port 80 vHost looks like this, except the redirect gets put in afterwards by certbot:

<VirtualHost *:80>
  ServerAdmin dave.kaplan@mysite.com
  ServerName ontarioadvanced.scafacilitywebsites.com

  DocumentRoot /var/www/html/scafacilitywebsites/public_html

  <Directory /var/www/html/scafacilitywebsites/public_html>
    # Don't show directory index
    Options -Indexes +FollowSymLinks +MultiViews
    # Allow .htaccess files
    AllowOverride All
    # Allow web access to this directory
    Require all granted
  </Directory>

  # Error and access logs
  ErrorLog ${APACHE_LOG_DIR}/ontarioadvanced/error.log
  CustomLog ${APACHE_LOG_DIR}/ontarioadvanced/access.log combined

  # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
  LogLevel warn

  # PHP-FPM
  <FilesMatch \.php$>
    SetHandler "proxy:unix:/var/run/php7-fpm-ontarioadvanced.sock|fcgi://ontarioadvanced.scafacilitywebsites.com"
  </FilesMatch>

  # HTTP -> HTTPS redirect (added by certbot)
  RewriteEngine on
  RewriteCond %{SERVER_NAME} =ontarioadvanced.scafacilitywebsites.com
  RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

#2

Hi @Kaplan

I see, you have already checked your site via https://check-your-website.server-daten.de/?q=ontarioadvanced.scafacilitywebsites.com

Your certificate:

CN=ontarioadvanced.scafacilitywebsites.com
	01.02.2019
	02.05.2019
	ontarioadvanced.scafacilitywebsites.com - 1 entry

has only one domain name.

But your website:

has the www version defined, as a DNS entry and as a domain. So the www version doesn’t have the correct certificate; instead

CN=aksurgery.com
	19.12.2018
	19.03.2019
	aksurgery.com, alaskaspinecenter.com, alliancelakemary.com, 
amsurgsurgerycenter.com, antelopevalleysurgerycenter.com, 
apogeesurgery.com, arcadiasurgerycenter.com, barrancasurgerycenter.com, 
bellevillesurgical.com - 9 entries

is used.

To fix:

  • find the vHost of your ontarioadvanced.scafacilitywebsites.com and add www.ontarioadvanced.scafacilitywebsites.com there as a ServerAlias

To check that, rerun the test, then the second certificate should go away.

  • Create one certificate with both domain names, so this vHost can use this certificate.

#3

Thanks for your help @JuergenAuer I’ve added the ServerAlias to both configuration files, the -le-ssl.conf and my regular 80 ontarioadvanced.conf.

ServerAlias www.ontarioadvanced.scafacilitywebsites.com

I’m looking at that ‘check-your-website’ again; there’s a lot of information there. What can I look for to make sure I have this right?

Thanks so much, I really appreciate your help and I’m learning a great deal.

Dave


#4

It’s correct. Now only one certificate is listed

CN=ontarioadvanced.scafacilitywebsites.com
	01.02.2019
	02.05.2019
	ontarioadvanced.scafacilitywebsites.com - 1 entry

not two, so your www subdomain uses the same certificate.

Now create a new certificate with both domain names.


#5

Thank you! This is the command I’ve run for making a certificate with both domains:

sudo certbot --apache -d ontarioadvanced.scafacilitywebsites.com -d www.ontarioadvanced.scafacilitywebsites.com

I can still use the -d and string these together, and attempt to replace the certificate I have, right?


#6

Yes, that creates one certificate with two domain names.


#7

Everything went off ok in the Terminal. Looks good in the browser, I’m asking my client to try the domain too.

Your existing certificate has been successfully renewed, and the new certificate

has been installed.

You’re the best!!


#8

No, there is a curious thing I don’t understand.

Rechecking your domain ( https://check-your-website.server-daten.de/?q=ontarioadvanced.scafacilitywebsites.com ) both domain names are wrong.

CN=aksurgery.com
	19.12.2018
	19.03.2019
	aksurgery.com, alaskaspinecenter.com, alliancelakemary.com, 
amsurgsurgerycenter.com, antelopevalleysurgerycenter.com, 
apogeesurgery.com, arcadiasurgerycenter.com, barrancasurgerycenter.com, 
bellevillesurgical.com - 9 entries

Loading your site with an offline tool, www is valid, non-www is wrong.

Loading your site via Chrome, first it’s wrong, hitting F5 it’s correct.

Looks like your server answers sometimes with the wrong certificate.

Do you have only one VirtualHost with these two domain names?

Hitting F5 in a browser used for the first time to load a specific site should never change anything.

Rechecking with an offline tool, now www is wrong, non-www is correct.


#9

I see that too, but it seems like sometimes it’s right. I’ve been having trouble with that aksurgery.com certificate. Do you have any recommendations for fixing or removing the aksurgery.com certificate so that it doesn’t show up for other domains? Should I recreate the aksurgery? And do the other domains under it on their own as well?

1. 
CN=ontarioadvanced.scafacilitywebsites.com
04.02.2019
05.05.2019
ontarioadvanced.scafacilitywebsites.com, www.ontarioadvanced.scafacilitywebsites.com - 2 entries

Keyalgorithm	RSA encryption (2048 bit)
Signatur:	SHA256 With RSA-Encryption
Serial Number:	0493E9B5A2A4DA5EE908D20CA10BB53073E8
Thumbprint:	2F5D28F4CA2B25294018E4A9287EF427B7F0E317
OCSP - Url:	http://ocsp.int-x3.letsencrypt.org
OCSP - must staple:	no
Certificate Transparency:	yes

#10

Yep, I see, you have rechecked your domain, now it’s Grade E, so both domain names are secure.

But using an old offline tool (without caching) sometimes it’s ok, sometimes it’s wrong.

There are some options:

  • an Apache bug, perhaps update your apache
  • a curious caching in front of your webserver
  • something like a DDOS protection or a wrongly configured firewall that sometimes blocks the SNI host header. So no SNI header is sent -> the standard certificate is sent.

Difference ~~ 30 seconds: The first is wrong, the second is ok.

D:\temp>download https://ontarioadvanced.scafacilitywebsites.com/ -h
SystemDefault
SSL error: RemoteCertificateNameMismatch
Link: <https://ontarioadvanced.scafacilitywebsites.com/wp-json/>; rel="https://api.w.org/", <https://ontarioadvanced.scafacilitywebsites.com/>; rel=shortlink
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Mon, 04 Feb 2019 19:17:05 GMT
Server: Apache/2.4.25 (Ubuntu)

Status: 200 OK

1547,19 milliseconds
1,55 seconds

D:\temp>download https://ontarioadvanced.scafacilitywebsites.com/ -h
SystemDefault
SSL-Zertifikat is valide
Link: <https://ontarioadvanced.scafacilitywebsites.com/wp-json/>; rel="https://api.w.org/", <https://ontarioadvanced.scafacilitywebsites.com/>; rel=shortlink
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Mon, 04 Feb 2019 19:19:59 GMT
Server: Apache/2.4.25 (Ubuntu)

Status: 200 OK

971,52 milliseconds
0,97 seconds

#11

I don’t want to mess with the server right now. I’ve been requesting that we get a staging server setup again, but until then I’d rather not mess with the software stack.

I am running a firewall plugin for WordPress called NinjaFirewall (WP Edition), which is a pretty new addition to the network. Maybe that’s the problem.

Maybe I can try disabling the plugin temporarily and see if that works.


#12

I checked my notes and configured 4 other sites after installing the firewall, so I don’t think it’s the plugin. I removed the -le-ssl.conf, disabled and enabled the configuration, following 1 of the most recent sites. I see this thread has a similar issue with the #2 certificate. https://www.ssllabs.com/ssltest/analyze.html?d=directtest.isitef.com

I see the SSL Labs ontario report has the #2 as that aksurgery.com certificate. It’s throwing me that it seems to be happening to this one recent site. The others look ok, but also show the same SSL Labs #2 in the SSL Labs report on Naperville.

I did remove the www.ontarioadvanced ServerAlias, I’m trying to start over and match Naperville’s config.

Any suggestions would be helpful.

Thanks,
Dave


#13

I would review the entire config for possible name overlaps or repetition.
You can try (the most likely place they would be found):
grep -Eri 'ServerName|ServerAlias|virtualhost|listen' /etc/apache2

If that doesn’t show much, then maybe your configs are placed elsewhere.
Try finding where that might be with:
grep -Ei 'include' /etc/apache2


#14

This isn’t a problem, it’s normal if one IP address has a lot of websites.

So SNI (ServerNameIndication) is required.

The effect is still the same: First check, one second later the second:

D:\temp>download https://ontarioadvanced.scafacilitywebsites.com/ -h
SystemDefault
SSL-Zertifikat is valide
Link: <https://ontarioadvanced.scafacilitywebsites.com/wp-json/>; rel="https://api.w.org/", <https://ontarioadvanced.scafacilitywebsites.com/>; rel=shortlink
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Mon, 04 Feb 2019 21:30:48 GMT
Server: Apache/2.4.25 (Ubuntu)

Status: 200 OK

986,79 milliseconds
0,99 seconds

D:\temp>download https://ontarioadvanced.scafacilitywebsites.com/ -h
SystemDefault
SSL error: RemoteCertificateNameMismatch
Link: <https://ontarioadvanced.scafacilitywebsites.com/wp-json/>; rel="https://api.w.org/", <https://ontarioadvanced.scafacilitywebsites.com/>; rel=shortlink
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Mon, 04 Feb 2019 21:30:54 GMT
Server: Apache/2.4.25 (Ubuntu)

Status: 200 OK

792,00 milliseconds
0,79 seconds

First is good, second is RemoteCertificateMismatch.

One idea: Does every domain have its own vHost?

If yes, remove the default vHost.

Or is there a second instance running?


#15

I see I have a 000-default.conf in my etc/apache2/sites-enabled directory.
000-default.conf -> ../sites-available/000-default.conf

I do have a single vHost for each domain; it starts as a ‘dev’ version with a subdomain of the main domain, then I update the configs when we switch to the live domain name.

I’m going to disable the 000-default.conf and see what happens.


#16

Do you have multiple SSLCert… lines in the same vhost?

This is a first for me:

https://www.ssllabs.com/ssltest/analyze.html?d=ontarioadvanced.scafacilitywebsites.com

seeing more than one cert of the exact same type from the site.
Perhaps you have combined the cert.pem files (or fullchain.pem files) from different certs; forcing it to serve two certs at once.

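The two things asked about in #13 (names repeated across vHosts) and #16 (more than one SSLCertificateFile in one vHost) can be checked in one pass over the config text. This is an added example, not code from anyone in the thread; the sample config is constructed with example.com names and deliberately contains both faults, and the /etc/apache2/sites-enabled path in the comment is only the usual location, not taken from the poster's server.

```python
import re
from collections import defaultdict

# Constructed sample (example.com names, not the poster's real files): the
# www name is claimed by two vhosts, and the first vhost carries two
# SSLCertificateFile lines.
SAMPLE_CONFIG = """
<VirtualHost *:443>
  ServerName ontarioadvanced.example.com
  ServerAlias www.ontarioadvanced.example.com
  SSLCertificateFile /etc/letsencrypt/live/ontarioadvanced.example.com/fullchain.pem
  SSLCertificateFile /etc/letsencrypt/live/ontarioadvanced.example.com-0001/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
  ServerName naperville.example.com
  ServerAlias www.ontarioadvanced.example.com
  SSLCertificateFile /etc/letsencrypt/live/naperville.example.com/fullchain.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Only uncommented directives match: '^\s*' does not skip a leading '#'.
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile)\s+(.+?)\s*$", re.M | re.I)

def parse_vhosts(text):
    """One dict per <VirtualHost>: its address, the names it claims, its cert files."""
    vhosts = []
    for m in VHOST_RE.finditer(text):
        vh = {"addr": m.group(1).strip(), "names": [], "certs": []}
        for d in DIRECTIVE_RE.finditer(m.group(2)):
            key, value = d.group(1).lower(), d.group(2)
            if key == "sslcertificatefile":
                vh["certs"].append(value)
            else:  # ServerAlias may list several names on one line
                vh["names"].extend(v.lower() for v in value.split())
        vhosts.append(vh)
    return vhosts

def audit(text):
    """Names claimed by more than one vhost (Apache uses the first match, so
    which cert a name gets depends on file order) and vhosts with >1 cert file."""
    vhosts = parse_vhosts(text)
    owners = defaultdict(list)
    for i, vh in enumerate(vhosts):
        for name in vh["names"]:
            owners[name].append(i)
    overlaps = {n: idx for n, idx in owners.items() if len(idx) > 1}
    multi_cert = [vh["names"][0] if vh["names"] else vh["addr"]
                  for vh in vhosts if len(vh["certs"]) > 1]
    return overlaps, multi_cert

def audit_files(paths):
    """Audit several files as one text, e.g. glob('/etc/apache2/sites-enabled/*.conf')."""
    return audit("\n".join(open(p).read() for p in paths))
```

Because the grep in #13 also matches commented-out lines, this parser ignores them on purpose; run `audit_files` over the enabled site files to get the same view Apache has.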

#17

There is a curious message (never seen):

Path #1: Not trusted (invalid certificate [Fingerprint SHA256: 2dd11c707edd1cb8e37d33e2827762a3d0d33652156c6aeba353898fe8a4f885])

This is the aksurgery.com certificate.


#18

I took a look and it seems right even though the certbot did some commenting out for me.

# Some rewrite rules in this file were disabled on your HTTPS site,
# because they have the potential to create redirection loops.

# RewriteCond %{SERVER_NAME} =ontarioadvanced.scafacilitywebsites.com
# RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
SSLCertificateFile /etc/letsencrypt/live/ontarioadvanced.scafacilitywebsites.com-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ontarioadvanced.scafacilitywebsites.com-0001/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

uh-boi the slope is getting more slippery for me here.


#19

Now checked with OpenSSL:

Two times the same command:

openssl.exe s_client -connect 207.223.115.39:443 -servername ontarioadvanced.scafacilitywebsites.com

First - certificate is correct.

Second - certificate is wrong.

Your server sends different certificates.

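The repeated openssl s_client check from #19, scripted so the two outcomes are counted instead of eyeballed. This is an added example, not code from anyone in the thread: it keeps Python's normal chain and hostname verification on and classifies each handshake as ok, mismatch, or error. The IP and hostname under `__main__` are placeholders; `probe` is injectable so the tallying logic can run without a network.

```python
import socket
import ssl
from collections import Counter

def probe_once(ip, hostname, port=443, timeout=10):
    """One verified TLS handshake to ip with SNI set to hostname.
    Returns 'ok', 'mismatch' (served cert does not cover hostname) or 'error:...'."""
    ctx = ssl.create_default_context()  # chain + hostname verification stay on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname):
                return "ok"
    except ssl.SSLCertVerificationError as e:
        reason = (e.verify_message or str(e)).lower()
        return "mismatch" if "hostname mismatch" in reason else f"error:{reason}"
    except (ssl.SSLError, OSError) as e:
        return f"error:{e}"

def tally(results):
    """Summarise outcomes. 'intermittent' means both ok and non-ok answers were
    seen for the same SNI name, the symptom described in this thread."""
    counts = Counter(results)
    ok = counts.get("ok", 0)
    intermittent = ok > 0 and ok < len(results)
    return counts, intermittent

def probe_many(ip, hostname, attempts=10, probe=probe_once):
    """Repeat the probe against one IP; returns (Counter, intermittent flag)."""
    return tally([probe(ip, hostname) for _ in range(attempts)])

if __name__ == "__main__":
    # Placeholder target values; substitute the real server IP and site name.
    counts, flaky = probe_many("203.0.113.10", "www.example.com", attempts=20)
    print(dict(counts), "intermittent" if flaky else "consistent")
```

Connecting to the IP rather than the name keeps DNS out of the picture, so a flaky result points at the server (or whatever sits in front of it), not at resolution.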

#20

Please show this public file:

[only key files are private]