Problems with certificate after server reboot


#1

Hi, I have run into a problem. I have successfully issued a certificate from LetsEncrypt.

I issued my certificate using certbot --apache -d mydomain.net

It had worked great before I rebooted the server.
After that I got weird behavior from my server. After visiting the page, the browser showed an error:
NET::ERR_CERT_AUTHORITY_INVALID
And if I accept using an untrusted certificate, it shows me the default httpd page “Test 1,2,3”, but it should show the virtual host site.
And the browser really does show that the certificate is self-signed.
I started to explore the log files and found only these messages (/var/log/httpd/error_log):

[Mon Apr 10 13:59:58.816952 2017] [core:notice] [pid 5750] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Mon Apr 10 14:27:07.705574 2017] [mpm_prefork:notice] [pid 5750] AH00170: caught SIGWINCH, shutting down gracefully
[Mon Apr 10 14:27:38.818878 2017] [suexec:notice] [pid 525] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Mon Apr 10 14:27:38.824084 2017] [ssl:warn] [pid 525] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
AH00558: httpd: Could not reliably determine the server's fully qualified domain name, using mydomain.net. Set the 'ServerName' directive globally to suppress this message
[Mon Apr 10 14:27:38.887075 2017] [auth_digest:notice] [pid 525] AH01757: generating secret for digest authentication ...
[Mon Apr 10 14:27:38.887773 2017] [lbmethod_heartbeat:notice] [pid 525] AH02282: No slotmem from mod_heartmonitor
[Mon Apr 10 14:27:38.888874 2017] [ssl:warn] [pid 525] AH02292: Init: Name-based SSL virtual hosts only work for clients with TLS server name indication support (RFC 4366)
[Mon Apr 10 14:27:39.487227 2017] [mpm_prefork:notice] [pid 525] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips configured -- resuming normal operations
[Mon Apr 10 14:27:39.487275 2017] [core:notice] [pid 525] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

At first, I thought that the problem could be in the mod_security module, but I have now disabled it and get the same weird behavior.

But the more interesting fact is that if I restart the httpd server using the systemctl restart httpd command, everything starts to work as expected: the certificate is valid and the correct page is displayed.

There are some more interesting cases of this weird behavior.

When I try to change the /etc/hosts file, for example

x.x.x.x mydomain.net
I get the same behavior with the certificate, and restarting httpd doesn’t help.

But more error messages are logged:

[Mon Apr 10 01:45:43.010329 2017] [ssl:error] [pid 2288] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!
[Mon Apr 10 01:45:43.010340 2017] [ssl:error] [pid 2288] AH02235: Unable to configure server certificate for stapling
[Mon Apr 10 01:45:43.184655 2017] [ssl:error] [pid 2288] AH02217: ssl_stapling_init_cert: Can't retrieve issuer certificate!

The same happens when I try to change the ServerName property in the httpd.conf file.

I have spent several days trying to solve the problem, but still no luck.
I would be grateful for any help regarding this issue or advice on what else to try.

Thanks


#2

And here is my vhost-le-ssl.conf file:

<IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerAdmin alexander@mydomain.net
        ServerName mydomain.net
        ServerAlias www.mydomain.net
        DocumentRoot /var/www/mydomain.net/public_html/
        ErrorLog /var/log/httpd/sites/mydomain.net/error.log
        CustomLog /var/log/httpd/sites/mydomain.net/access.log combined
        SSLCertificateFile /etc/letsencrypt/live/mydomain.net-0001/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.net-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateChainFile /etc/letsencrypt/live/mydomain.net-0001/chain.pem
        <Location />
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </Location>
    </VirtualHost>
</IfModule>

#3

Any ideas? I still cannot manage to solve the problem :disappointed:


#4

Does the configuration file really have a mismatched </IfModule> at the end, or is that a copy and paste error?

I don’t see how that would cause the problem you describe, but it might be worth fixing anyway just in case. (It’s probably meant to be <IfModule mod_ssl.c> at the top.)


#5

Thank you for the reply. Yes, this is just a typo. I have edited my comment.
I still can’t wrap my head around this problem.
Really weird behavior.


#6

Hmm. Do you happen to have a VirtualHost without a ServerName?


#7

No, all my vhost conf files have ServerName specified.

Here is the http vhost conf file:

<VirtualHost *:80>
    ServerAdmin alexander@mydomain.net
    ServerName mydomain.net
    ServerAlias www.mydomain.net
    DocumentRoot /var/www/mydomain.net/public_html/
    ErrorLog /var/log/httpd/sites/mydomain.net/error.log
    CustomLog /var/log/httpd/sites/mydomain.net/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =mydomain.net [OR]
    RewriteCond %{SERVER_NAME} =www.mydomain.net
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

As I’ve mentioned, I cannot set ServerName in my httpd.conf file; it causes an error.


#8

Is there any way to debug in verbose mode or something like that?

I have no idea what else to try; maybe just start from scratch and set everything up again without using different modules.
There are no errors in the log files related to the problem, except the messages I’ve posted above.
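The thread asks how to get more diagnostic detail out of this setup. The following script is an added example, not posted by anyone in the thread, that gathers the three facts a defender would want before touching the config: which vhost Apache has parsed as the default for port 443 (a "Test 1,2,3" page behind a self-signed certificate is the classic sign of the stock ssl.conf vhost answering instead of the Let's Encrypt one), whether the certificate served with SNI differs from the one served without it, and whether chain.pem really contains the issuer of cert.pem (AH02217 "Can't retrieve issuer certificate" is what mod_ssl logs for OCSP stapling when it cannot find that issuer among the configured certificates). It assumes the certbot live directory and host name from the posted vhost file, that `apachectl` and `openssl` are on the PATH as they are on CentOS 7, and the sample distinguished names used to exercise `dn_normalize` are constructed.

```shell
#!/usr/bin/env sh
# Added diagnostic helper for the Apache + Let's Encrypt symptoms in this thread.
# Assumptions (not from the original posts): paths and host below, CentOS 7 tools.
LIVE="${LIVE:-/etc/letsencrypt/live/mydomain.net-0001}"   # from the posted vhost
HOST="${HOST:-mydomain.net}"

# Normalise a `openssl x509 -noout -subject|-issuer` line so that the issuer of
# cert.pem can be compared byte-for-byte with the subject of chain.pem.
# OpenSSL 1.0.x prints "issuer= /C=US/O=..." while 1.1+ prints
# "issuer=C = US, O = ..."; both collapse to "C=US,O=...".
dn_normalize() {
  printf '%s\n' "$1" | sed \
    -e 's/^[[:space:]]*subject=//' \
    -e 's/^[[:space:]]*issuer=//' \
    -e 's/^[[:space:]]*\///' \
    -e 's#/#,#g' \
    -e 's/[[:space:]]*=[[:space:]]*/=/g' \
    -e 's/,[[:space:]]*/,/g'
}

# 1. The parsed vhost table. The first *:443 entry is the default server, i.e.
#    what a client gets when no name-based vhost matches. If that is the stock
#    ssl.conf vhost with its self-signed cert, the symptom in the thread follows.
dump_vhosts() {
  apachectl -S 2>&1 | grep -E 'port 443|default server|namevhost|VirtualHost'
}

# 2. Certificate actually served, with and without SNI. Two different subjects
#    means name-based selection is in play and the default vhost is self-signed.
probe_sni() {
  printf 'with SNI:    '
  printf '' | openssl s_client -connect "$HOST:443" -servername "$HOST" 2>/dev/null \
    | openssl x509 -noout -subject
  printf 'without SNI: '
  printf '' | openssl s_client -connect "$HOST:443" 2>/dev/null \
    | openssl x509 -noout -subject
}

# 3. Does chain.pem hold the issuer of cert.pem? A mismatch is exactly the
#    condition behind AH02217/AH02235 at startup. Then verify the chain.
check_chain() {
  iss=$(dn_normalize "$(openssl x509 -in "$LIVE/cert.pem" -noout -issuer)")
  sub=$(dn_normalize "$(openssl x509 -in "$LIVE/chain.pem" -noout -subject)")
  if [ "$iss" = "$sub" ]; then
    echo "chain.pem subject matches cert.pem issuer: $iss"
  else
    echo "MISMATCH: cert issuer [$iss] vs chain subject [$sub]"
    return 1
  fi
  openssl verify -untrusted "$LIVE/chain.pem" "$LIVE/cert.pem"
}

case "${1:-}" in
  vhosts) dump_vhosts ;;
  sni)    probe_sni ;;
  chain)  check_chain ;;
  all)    dump_vhosts; probe_sni; check_chain ;;
  *)      echo "usage: $0 {vhosts|sni|chain|all}" >&2 ;;
esac
```

Run it as `sh le-diag.sh all` right after a reboot, while the bad behaviour is present, and again after `systemctl restart httpd`; diffing the two `vhosts` outputs shows whether the default *:443 server changes between the two startups, which is the comparison the thread never gets to make.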


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.