Remove Duplicate Expired Certs

How do I remove the two old expired certs?

My domain is:
pcnselect.com

I ran this command:
https://transparencyreport.google.com/https/certificates?hl=en&cert_search_auth=&cert_search_cert=&cert_search=include_subdomains:true;domain:pcnselect.com&lu=cert_search

It produced this output:

pcnselect.com Let’s Encrypt Authority X3 2 Dec 12, 2019 Mar 12, 2020 3 See details
pcnselect.com Let’s Encrypt Authority X3 2 Dec 12, 2019 Mar 12, 2020 5 See details
pcnselect.com Let’s Encrypt Authority X3 2 Feb 11, 2020 May 11, 2020 2 See details
pcnselect.com Let’s Encrypt Authority X3 2 Feb 11, 2020 May 11, 2020 5 See details

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-12-03T15:55:03

The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic

My hosting provider, if applicable, is:
Linode

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0

You don't.

Certificate Transparency logs include all certificates, including duplicates and expired ones.

(and there are no duplicates in that list, it's the same cert, same serial number, appearing two times each.)

1 Like

Ah, I see - try going to the site on a mobile browser (Chrome or Firefox on my Android device). Says that there is an SSL error, no issue on PC browsers (yet).

Neither my Chromium nor OpenSSL s_client can connect to your site. And I'm pretty sure it isn't the certificate's fault, but a webserver configuration. It seems your IPv6 server isn't working correctly. Your IPv4 server sends a correct certificate.

See: SSL Server Test: pcnselect.com (Powered by Qualys SSL Labs)

1 Like

There appears to be some problem with your IPv6 address.

Name: www.pcnselect.com
Addresses: 2600:3c03::f03c:91ff:fe73:6c4
50.116.61.130

Name: pcnselect.com
Addresses: 2600:3c03::f03c:91ff:fe73:6c4
50.116.61.130

curl -Iki4 https://pcnselect.com/
HTTP/1.1 200 OK
Date: Fri, 13 Mar 2020 18:19:23 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 13 Mar 2020 05:02:11 GMT
ETag: "0-5a0b55f49826f"
Accept-Ranges: bytes
Connection: close
Content-Type: text/html

curl -Iki6 https://pcnselect.com/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number

1 Like

Weird, I have no idea - thanks for the clues!

You probably just forgot to tell apache to listen on ipv6 too.

1 Like

Well, something is answering on port 443… So if it isn’t Apache, what could it be? There is an Apache listening on port 80 on IPv6, so Apache is IPv6 aware…

1 Like

This suggests it is Apache, just unencrypted.

# curl -Iki6 http://pcnselect.com:443/
HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Mar 2020 18:25:33 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://pcnselect.com/
Connection: close
Content-Type: text/html; charset=UTF-8

curl -Ii? I thought -i includes -I.

1 Like

Hm yes, not only suggests, but proves :stuck_out_tongue:

Strange, I thought I’d recognise the error from OpenSSL with those situations… I guess I didn’t :slight_smile:

1 Like

Maybe force of (old) habit; although the big I fetches the header (mostly), the little i will always force the header to be displayed:

-I/--head
(HTTP/FTP/FILE) Fetch the HTTP-header only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document.
When used on a FTP or FILE file, curl displays the file size and last modification time only.

1 Like

My ports.conf:

Listen 80

<IfModule ssl_module>
        Listen 443
</IfModule>

<IfModule mod_gnutls.c>
        Listen 443
</IfModule>
-----------------------------------------
My 000-default.conf:

<VirtualHost 50.116.61.130:80 2600:3c03::f03c:91ff:fe73:06c4:80>
  # Admin email, Server Name (domain name), and any aliases
  ServerAdmin myemail@my.com
  ServerName  50.116.61.130

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html index.php
  DocumentRoot /var/www/html

  # Log file locations
  LogLevel warn
  ErrorLog  /mypath/error.log
  CustomLog /mypath/access.log combined
</VirtualHost>

<Directory /var/www/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride all
Order allow,deny
allow from all
</Directory>
---------------------------------------------
My pcnselect.com.conf:

<VirtualHost 50.116.61.130:80 2600:3c03::f03c:91ff:fe73:06c4:80>
  # Admin email, Server Name (domain name), and any aliases
  ServerAdmin myemail@my.com
  ServerName  pcnselect.com
  ServerAlias www.pcnselect.com

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html index.php
  DocumentRoot /mypath/pcnselect.com/public

  # Log file locations
  LogLevel warn
  ErrorLog  /mypath/error.log
  CustomLog /mypath/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =pcnselect.com [OR]
RewriteCond %{SERVER_NAME} =www.pcnselect.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<Directory /mypath/pcnselect.com/public>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
------------------------------
Certbot made this conf file as well, pcnselect.com-le-ssl.conf:

<IfModule mod_ssl.c>
<VirtualHost 50.116.61.130:443 2600:443>
  # Admin email, Server Name (domain name), and any aliases
  ServerAdmin myemail@my.com
  ServerName  pcnselect.com
  ServerAlias www.pcnselect.com

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html index.php
  DocumentRoot /mypath/pcnselect.com/public

  # Log file locations
  LogLevel warn
  ErrorLog  /mypath/error.log
  CustomLog /mypath/access.log combined


Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/mypath/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/mypath/privkey.pem
</VirtualHost>
</IfModule>
-----------------------------
What do I have messed up here?

Please use the “Preformatted text” option ("</>" icon) in the post editor for your configuration for better readability and completeness.

1 Like

Gotcha, sorry about that - edited.

1 Like

Here's the problem. Certbot didn't copy the IPv6 address in the virtualhost directive correctly. You should edit the "2600:443" to be the same as the virtualhost directive above for port :80 but with :443 of course. I.e., change 2600 to the correct IPv6 address.

I think that's because your original VirtualHost directive isn't correct! Please read the Apache documentation about VirtualHosts with regard to IPv6 addresses:

IPv6 addresses must be specified in square brackets because the optional port number could not be determined otherwise.

2 Likes

Or more like:
*:443
[::]:443

1 Like

@rg305 Depends. If the server doesn’t rely on IP addresses to determine the virtualhosts, that’s OK.

1 Like

You have no IPv6 here, and no default SSL virtualhost.

You know you can use wildcards if your machine only has one public IP address or you want to serve the same website on all IP addresses, don't you?

https://httpd.apache.org/docs/2.4/mod/core.html#virtualhost

1 Like
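The two replies above (IPv6 addresses need square brackets; wildcards avoid the problem entirely) can be turned into a pre-reload check. This is an added example, not code from the thread or from Apache/Certbot; it parses `<VirtualHost ...>` openers from a constructed config that mirrors the posted one and flags the unbracketed `2600:...:80` and the truncated `2600:443` forms, accepting `*:443` and `[::]:443`.

```python
import ipaddress
import re

# Constructed sample modelled on the VirtualHost openers in this thread:
# unbracketed IPv6 on :80, Certbot's truncated "2600:443", and the
# wildcard/bracketed forms that Apache actually accepts.
SAMPLE_CONF = """\
<VirtualHost 50.116.61.130:80 2600:3c03::f03c:91ff:fe73:06c4:80>
</VirtualHost>
<VirtualHost 50.116.61.130:443 2600:443>
</VirtualHost>
<VirtualHost *:443 [::]:443>
</VirtualHost>
"""

VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)


def check_addr(token):
    """Return (ok, kind_or_problem, suggested_fix) for one VirtualHost address."""
    if re.fullmatch(r"\*(?::\d+)?", token):
        return True, "wildcard", None
    m = re.fullmatch(r"\[([^\]]+)\](?::\d+)?", token)
    if m:  # bracketed: the only form in which Apache can separate IPv6 from port
        try:
            ipaddress.IPv6Address(m.group(1))
            return True, "ipv6", None
        except ValueError:
            return False, "invalid IPv6 inside brackets", None
    host, _, port = token.rpartition(":")  # host is '' when no port is given
    host = host or token
    try:
        ipaddress.IPv4Address(host)
        return True, "ipv4", None
    except ValueError:
        pass
    if ":" in host:  # unbracketed IPv6 with a port: address and port are ambiguous
        try:
            ipaddress.IPv6Address(host)
            return False, "unbracketed IPv6", f"[{host}]:{port}"
        except ValueError:
            return False, "unbracketed or invalid IPv6", None
    if re.fullmatch(r"[0-9a-fA-F]+", host):  # "2600": a lone hextet, not a hostname
        return False, "truncated IPv6 (first hextet only)", f"[::]:{port}" if port else "[::]"
    return True, "hostname", None


def lint(conf):
    """Collect (line number, token, problem, suggested fix) for every bad address."""
    findings = []
    for lineno, line in enumerate(conf.splitlines(), 1):
        m = VHOST_RE.match(line)
        if m:
            for tok in m.group(1).split():
                ok, info, fix = check_addr(tok)
                if not ok:
                    findings.append((lineno, tok, info, fix))
    return findings
```

Run `lint` over the real file before `apachectl graceful`; an empty list means every VirtualHost address is a form Apache can parse unambiguously.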

I didn't even notice that, you are correct and it fixed the issue.

Thanks for all the responses, you guys are super helpful!!

2 Likes