New certificate on subdomain sometimes uses another certificate and gives an error


#21

I’m sorry, OpenSSL is pretty new for me. I did an a2dissite on the 000-default and reloaded apache. Can I, and how would I, remove the second certificate? Can I run that command, openssl.exe, in my Mac’s Terminal and see what you are seeing?


#22

Show the fullchain file being served.
Use openssl against it.


#23

Is this what I should run? $ openssl s_client -showcerts -connect scafacilitywebsites.com:443

and maybe this is the problem? I get 0 s:/CN=aksurgery.com

~ $ openssl s_client -showcerts -connect scafacilitywebsites.com:443
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=aksurgery.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
---
Server certificate
subject=/CN=aksurgery.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3699 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: F6BF08DFBA7B44C1B7432BB00DB43FF8F043D6005439BF05AC4C56E114BF73DC
    Session-ID-ctx: 
    Master-Key: 53F2135BA3B35DF35FCD5CEB53C22966CD24FF05F4643523C9FE6F7E370728CDFAA48E4B4CFA72B7FEEF638E4DFCB5BA
    Key-Arg   : None
    Start Time: 1549319153
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

HTTP/1.1 400 Bad Request
Date: Mon, 04 Feb 2019 22:21:44 GMT
Server: Apache/2.4.25 (Ubuntu)
Content-Length: 306
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.25 (Ubuntu) Server at aksurgery.com Port 443</address>
</body></html>
closed
~ $

#24

If you don’t send a servername, then the server sends the certificate of the default host. So this is ok.

Add

-servername ontarioadvanced.scafacilitywebsites.com
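As an added illustration of the point in this reply (not code from the thread or from OpenSSL/certbot): connect once without SNI and once with it, and compare the subject CN of the leaf certificate each connection receives. Stdlib only; the CN is read with a small hand-rolled DER walk, `leaf_certificate` needs network access, and `fake_cert_der` is a constructed fixture so the comparison logic can be exercised offline. Host names passed to `leaf_certificate` are placeholders to fill in.

```python
import socket
import ssl

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def subject_cn(der):
    """Subject commonName of a DER X.509 certificate (hand-rolled, stdlib only)."""
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate
    tag, _, pos = _tlv(tbs, 0)                      # optional [0] version
    pos = pos if tag == 0xA0 else 0
    for _ in range(4):                              # serial, sigAlg, issuer, validity
        _, _, pos = _tlv(tbs, pos)
    _, subject, _ = _tlv(tbs, pos)                  # subject Name
    i = subject.find(b"\x06\x03\x55\x04\x03")       # OID 2.5.4.3 commonName
    if i < 0:
        return None
    return _tlv(subject, i + 5)[1].decode()         # value TLV follows the OID TLV

def leaf_certificate(host, port=443, servername=None):
    """Leaf cert (DER) the server presents; servername=None sends no SNI at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                      # observe, do not validate
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=servername) as tls:
            return tls.getpeercert(binary_form=True)

def sni_report(default_der, sni_der, expected_name):
    """Explain the situation in this reply: does expected_name rely on SNI for its cert?"""
    cn_default, cn_sni = subject_cn(default_der), subject_cn(sni_der)
    if cn_sni != expected_name:
        return f"SNI for {expected_name} still returns {cn_sni}: check the vhost cert paths"
    if cn_default != expected_name:
        return f"default vhost serves {cn_default}; {expected_name} needs SNI to get its own cert"
    return f"{expected_name} is served with and without SNI"

def fake_cert_der(cn):
    """Constructed fixture: minimal unsigned certificate skeleton with the given subject CN."""
    def seq(tag, body): return bytes([tag, len(body)]) + body
    name = seq(0x30, seq(0x31, seq(0x30, b"\x06\x03\x55\x04\x03" + seq(0x0C, cn.encode()))))
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + b"\x30\x00" * 3 + name
    return seq(0x30, seq(0x30, tbs))
```

Usage: `print(sni_report(leaf_certificate("HOST"), leaf_certificate("HOST", servername="NAME"), "NAME"))` with your own host and vhost name.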

#25

I’m sorry if I’m lost, do you mean paste the output here?

sudo cat /etc/letsencrypt/live/ontarioadvanced.scafacilitywebsites.com-0001/fullchain.pem

[sudo] password for manager: 


#26

I ran the following:

openssl s_client -showcerts -connect scafacilitywebsites.com:443 -servername ontarioadvanced.scafacilitywebsites.com
CONNECTED(00000003)
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=ontarioadvanced.scafacilitywebsites.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----
---
Server certificate
subject=/CN=ontarioadvanced.scafacilitywebsites.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 3765 bytes and written 474 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES128-SHA
    Session-ID: 107A63FCF26A11E2B0B8502BC348CBED32BC4B1B1F6109AA9F5A5F4049E6D8D8
    Session-ID-ctx: 
    Master-Key: 5926E2C12DB5469E621BA4273C3BF8746D3A3555A95A35D3D349CE873187BBC4BE612FA33B28554DAACAD72AE2281F9D
    Key-Arg   : None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:

    Start Time: 1549320740
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed

#27

Run this command two times. First - correct, second - wrong. Same now, rechecked.


#28

I see what you are saying now! Any recommendations?

Can I somehow remove the aksurgery.com certificate? Make new certs for any domains under AK and a new certificate for my main domain? I’m lost, but not as lost, thanks.


#30

Yes, that was the file requested.
Unfortunately, it looks just fine; so that is not part of the problem.

I’ve never seen a web server serve two certs of the exact same type for any single site/name.

Have you tried restarting the web service?
How is it doing on memory usage?


#31

Thanks for your help. I have a hunch that I’m going to see if I can work out. Maybe the main domain should be on its own certificate. I see I have it under ranchobernardosurgerycenter.com

At first I thought the aksurgery.com had the scafacilitywebsites.com under it, but it has a different set of domains. When I was first setting up the certificates I did them in batches using the sudo certbot --apache then picking a batch (I think 10 was the limit) from the numbered list separated by commas. But I’ve run into trouble one other time where the domain that was holding the other domains under its certificate went away and then those under it all broke.

I’m thinking if I make new certificates for each of the domains under the ranchobernardosurgerycenter.com site including my primary domain that I’m trying to create subdomains under.


#32

I’m still having trouble with the https://aksurgery.com/ certificate. I made new certificates for all the sites listed under https://aksurgery.com/ and https://ranchobernardosurgerycenter.com/ and then I replaced (I believe I did) those certificates.

I did notice sometimes a certbot --apache command would fail with one of these methods and if I ran it again it worked. I have all the commands and output in a text file if it would help to see that as well.

// for example this failed
sudo certbot --apache -d santacruzendoscopy.com -d www.santacruzendoscopy.com
// but this worked and sometimes it didn't for other domains, it may if I ran it a 2nd time sometimes
sudo certbot --apache -d santacruzendoscopy.com --preferred-challenges http

I don’t manage the domain names or have access to the DNS settings, so I’m not sure exactly what each one looks like from a DNS pov.

Is it possible to remove a certificate completely? When I use those testing sites on the subdomain site ontarioadvanced.scafacilitywebsites.com it still finds the aksurgery.com certificate, then in the browser sometimes it gets that certificate and returns an error page for no certificate.

https://www.ssllabs.com/ssltest/analyze.html?d=ontarioadvanced.scafacilitywebsites.com shows:

Certificate #3: RSA 2048 bits (SHA256withRSA)
Server Key and Certificate #1
Subject: aksurgery.com

My goal was to make new certificates for each of the domains listed under aksurgery and ranchobernardo then recreate certificates for them once I completed the listed ones, but it doesn’t seem like I removed aksurgery?

Domains on the aksurgery.com site

aksurgery.com
alaskaspinecenter.com
alliancelakemary.com
amsurgsurgerycenter.com
antelopevalleysurgerycenter.com
apogeesurgery.com
arcadiasurgerycenter.com
barrancasurgerycenter.com
bellevillesurgical.com                     // EXPIRED DOMAIN

Domains on the ranchobernardosurgerycenter.com site

chatham.scafacilitywebsites.com            // domain in production
hoagendo.scafacilitywebsites.com           // still up in dev
maplewood.scafacilitywebsites.com          // domain in production
midlandsortho.scafacilitywebsites.com      // domain in production
oregonoutpatient.scafacilitywebsites.com   // domain in production
ranchobernardosurgerycenter.com            // MAIN cert
sandiegoendo.com                           // domain in production
santacruzendoscopy.com                     // domain in production
scafacilitywebsites.com                    // MAIN dev site for subdomains
scofconnecticut.scafacilitywebsites.com    // new domain in production

#33

Those are two different things; in that the first has two FQDNs and the second only has one.
[aside from the forced http challenge]

So they must match different certs or try to create new ones (if unmatched by an existing one).

To see which certs you have and which names they cover use:
certbot certificates

Yes, but you must ensure the vhost configs are no longer referencing that cert.
To remove use:
certbot delete {NAME-OF-CERT}
[NAME-OF-CERT can be found using certbot certificates]


#34

Sorry, I copied a bad example for the first question. I do have some where I ran the command 2x, first time didn’t work, but that’s ok. I think the certbot certificates is what is going to really help me. I learned from some trial and error that I need to use the --cert-name flag.

This worked. After seeing all the certificates I see I’ve got some work to clean up, thanks again!
sudo certbot delete --cert-name aksurgery.com


closed #35

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.