Oddity in Chain

Preface: I’ve been having update issues with WP and Divi recently. That lead me to discover this problem.

When I run a certificate check on any domain residing on my server it shows one of the accounts in the chain for all of them. flyovercountryscribe.com is just a normal account and shouldn’t be getting added.

I don’t know what is going on, or how to fix this. Any help would be greatly appreciated.

"dircolors: no SHELL environment variable, and no shell type option given
dedi2:~# openssl s_client -connect https://midstatemedia.com:443
getaddrinfo: Servname not supported for ai_socktype
connect:errno=0
dedi2:~# openssl s_client -connect midstatemedia.com:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify return:1
depth=0 CN = flyovercountryscribe.com
verify return:1

Certificate chain
0 s:/CN=flyovercountryscribe.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Server certificate
-----BEGIN CERTIFICATE-----
MIIGWDCCBUCgAwIBAgISA3SdAE46sldmzST3Wo339I7cMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xODA4MjQwNzAwMzJaFw0x
ODExMjIwNzAwMzJaMCMxITAfBgNVBAMTGGZseW92ZXJjb3VudHJ5c2NyaWJlLmNv
bTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALEpuC+lVQUt2sSkxHzl
oNY3SsySW0r9hAJ3hSRQO9wDtFrOPMo8MdCMIJOxKPE+HBcHE8WOro62qvmbpplt
gpC1LSYb9aUeJHzmurSYPehuv6Y9DWRLm7VD3n6fv6uLpaVIrhYmze9CZ5o+sxKK
2iI1wYWjqn+r1aHJSGxLZN6cQhQHXDTpmhlby7AL20EGjlEoB/6zZBA9uyfqL+85
s4nwIpbAv1pGAhHH5BLkqVun2oLiUv7ZCKC4Y82EasZA6qGoOJhAQVjlO38hvaVc
pUJtr2Txy3VDc5+wGW3JZw13TvoZfB6LbPiy4G3VjiwpqMJDkln49SqOMxVYKkzT
duECAwEAAaOCA10wggNZMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEF
BQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUvnqqrlsaPXo+
F3kAeEoZ451erNkwHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYI
KwYBBQUHAQEEYzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0
c2VuY3J5cHQub3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0
c2VuY3J5cHQub3JnLzBgBgNVHREEWTBXghhmbHlvdmVyY291bnRyeXNjcmliZS5j
b22CHW1haWwuZmx5b3ZlcmNvdW50cnlzY3JpYmUuY29tghx3d3cuZmx5b3ZlcmNv
dW50cnlzY3JpYmUuY29tMIH+BgNVHSAEgfYwgfMwCAYGZ4EMAQIBMIHmBgsrBgEE
AYLfEwEBATCB1jAmBggrBgEFBQcCARYaaHR0cDovL2Nwcy5sZXRzZW5jcnlwdC5v
cmcwgasGCCsGAQUFBwICMIGeDIGbVGhpcyBDZXJ0aWZpY2F0ZSBtYXkgb25seSBi
ZSByZWxpZWQgdXBvbiBieSBSZWx5aW5nIFBhcnRpZXMgYW5kIG9ubHkgaW4gYWNj
b3JkYW5jZSB3aXRoIHRoZSBDZXJ0aWZpY2F0ZSBQb2xpY3kgZm91bmQgYXQgaHR0
cHM6Ly9sZXRzZW5jcnlwdC5vcmcvcmVwb3NpdG9yeS8wggEEBgorBgEEAdZ5AgQC
BIH1BIHyAPAAdgCkUBJpBVoVVF5iEas3vBA/Yq5VdqReSxcURT4bIhBqJQAAAWVq
8vbIAAAEAwBHMEUCIQCABYs6D+qPLKItW3/EalN07mnXTJJex9pZdlHgEXKExwIg
X/XH+UBUSJwAuTi8+7+n0JIfaS821Kju1h+MilHDVt8AdgDBFkrgp3LS1DktyArB
B3DU8MSb3pkaSEDB+gdRZPYzYAAAAWVq8vi8AAAEAwBHMEUCIETuy2gaWen0ry37
YP5EwbHYrdZgzNX50VRuZQr4MWqsAiEAtTrfWzTf2qRmjW0bo9b4jcPdZX7OtJKQ
eW3xXeKfMkUwDQYJKoZIhvcNAQELBQADggEBAGLdcS0sF7menZ8H5/9AkMl72Xah
zjau1dl1ZPf8RiFLt7BHfyV6nLmdwacZ1RsVt3MFhXvDgF6jNJ7kc2pMXCoNB/Fo
IDdT3G6MhTT/Gaidah3niQmMa1F1Lx+CHTBkq55hXoDPnmygbvjBxm1sIfaM1kZb
p0ES8iylFvg3nRB6HEuX2q+s0ky/WOfNOlTTV/juzEpV2EyXpGGaLMO3wiFg4FxG
ClQVbFflCM3bFofzCT6zaUSQhl4tFcYfTudV0Rn8bFDlyaqAAR8naOH8R9WRq9YE
gi8w5U7gDmKBgT21PteNx1r0GOcBxUkkNKY4kzWnGoXF/7bf0/vcduHwvVU=
-----END CERTIFICATE-----
subject=/CN=flyovercountryscribe.com
issuer=/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3

No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 3457 bytes and written 415 bytes

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: B920982FF0ECAC71B68E1D68897FB36C09914EA7D80225E88BFFA25F5866CC5B
Session-ID-ctx:
Master-Key: 394C40B05FF2F92A5A7E10ABCB52D26277A4279F5483CB23C36C9103A5436A1322E2331F34332A3E189D343E290EEC0C
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 88 59 9d 79 d1 44 e0 e8-8b 1f 9b 67 5f ac f1 39 .Y.y.D…g_…9
0010 - 91 7b 8e 3d 3a 2e cd 5b-d9 ef cf 76 78 1b d4 d9 .{.=:…[…vx…
0020 - 5c ef 29 6d 0e a2 4c c2-1a 71 ed 5a 83 a8 1b ce .)m…L…q.Z…
0030 - 36 fc 5f 7a dd 67 97 7f-ad 60 19 f2 69 70 50 29 6._z.g…..ipP) 0040 - 4c 40 65 0c a7 f7 ab 7b-de 2d c8 1d 49 1b 07 68 L@e....{.-..I..h 0050 - 68 56 eb 7e d9 e1 4f d4-fe 04 d0 d8 99 26 24 23 hV.~..O......&$# 0060 - ef 8c f6 d0 88 e7 03 4a-60 6e 02 9f ee 77 13 db .......Jn…w…
0070 - 83 c3 0d fc c4 b8 82 7b-05 ab dd 2a 96 1f 48 5e …{…*…H^
0080 - 5c c3 3c e7 d7 21 a2 70-15 e6 79 1e 8f a1 b4 88 .<…!.p…y…
0090 - 2e 2f 84 55 70 f3 1f 8c-5d b9 23 79 47 50 75 ./.Up…].#yGPu
00a0 - <SPACES/NULS>

Start Time: 1535136534
Timeout   : 300 (sec)
Verify return code: 0 (ok)

—"

Apparently, you’re using virtual hosts with use of SNI to send the correct certificate to the client. But to use OpenSSL with SNI, you’ll have to supply the correct hostname manually with -servername.

If you run the following command:

openssl s_client -connect midstatemedia.com:443 -servername midstatemedia.com

You’ll see you’ll get the correct chain.

Without the SNI hostname, the webserver will send a “default” certificate, most of the time corresponding with the first configured virtual host.

Ah, that makes sense, I suppose.

You’re correct about the chain appearing correctly when running the command line you sent.

In other words, everything is cool and I have nothing to worry about here, right?

Thank you!

Corey

Correct.  

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.