pcnweb
March 13, 2020, 5:53pm
1
How do I remove the two old expired certs?
My domain is:
pcnselect.com
I ran this command:
https://transparencyreport.google.com/https/certificates?hl=en&cert_search_auth=&cert_search_cert=&cert_search=include_subdomains:true;domain:pcnselect.com&lu=cert_search
It produced this output:
Subject | Issuer | DNS names | Valid from | Valid until | Logs
pcnselect.com | Let’s Encrypt Authority X3 | 2 | Dec 12, 2019 | Mar 12, 2020 | 3
pcnselect.com | Let’s Encrypt Authority X3 | 2 | Dec 12, 2019 | Mar 12, 2020 | 5
pcnselect.com | Let’s Encrypt Authority X3 | 2 | Feb 11, 2020 | May 11, 2020 | 2
pcnselect.com | Let’s Encrypt Authority X3 | 2 | Feb 11, 2020 | May 11, 2020 | 5
My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2019-12-03T15:55:03
The operating system my web server runs on is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 18.04.4 LTS
Release: 18.04
Codename: bionic
My hosting provider, if applicable, is:
Linode
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.31.0
9peppe
March 13, 2020, 5:57pm
2
You don't.
Certificate Transparency logs include all certificates, including duplicates and expired.
(and there are no duplicates in that list, it's the same cert, same serial number, appearing two times each.)
pcnweb
March 13, 2020, 6:10pm
3
Ah, I see - try going to the site on a mobile browser (Chrome or Firefox on my Android device). Says that there is an SSL error, no issue on PC browsers (yet).
Osiris
March 13, 2020, 6:18pm
4
pcnweb:
no issue on PC browsers
Neither my Chromium nor OpenSSL s_client can connect to your site. And I'm pretty sure it isn't the certificate's fault, but a webserver configuration. It seems your IPv6 server isn't working correctly. Your IPv4 server sends a correct certificate.
See: SSL Server Test: pcnselect.com (Powered by Qualys SSL Labs)
rg305
March 13, 2020, 6:19pm
5
There appears to be some problem with your IPv6 address.
Name: www.pcnselect.com
Addresses: 2600:3c03::f03c:91ff:fe73:6c4
50.116.61.130
Name: pcnselect.com
Addresses: 2600:3c03::f03c:91ff:fe73:6c4
50.116.61.130
curl -Iki4 https://pcnselect.com/
HTTP/1.1 200 OK
Date: Fri, 13 Mar 2020 18:19:23 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 13 Mar 2020 05:02:11 GMT
ETag: "0-5a0b55f49826f"
Accept-Ranges: bytes
Connection: close
Content-Type: text/html
curl -Iki6 https://pcnselect.com/
curl: (35) error:1408F10B:SSL routines:ssl3_get_record:wrong version number
pcnweb
March 13, 2020, 6:20pm
6
Weird, I have no idea - thanks for the clues!
9peppe
March 13, 2020, 6:21pm
7
You probably just forgot to tell Apache to listen on IPv6 too.
Osiris
March 13, 2020, 6:24pm
8
Well, something is answering on port 443… So if it isn’t Apache, what could it be? There is an Apache listening on port 80 on IPv6, so Apache is IPv6 aware…
9peppe
March 13, 2020, 6:25pm
9
This suggests it is Apache, just unencrypted.
# curl -Iki6 http://pcnselect.com:443/
HTTP/1.1 301 Moved Permanently
Date: Fri, 13 Mar 2020 18:25:33 GMT
Server: Apache/2.4.29 (Ubuntu)
Location: https://pcnselect.com/
Connection: close
Content-Type: text/html; charset=UTF-8
curl -Ii? I thought -i includes -I.
Osiris
March 13, 2020, 6:28pm
10
Hm yes, not only suggests, but proves
Strange, I thought I’d recognise the error from OpenSSL with those situations… I guess I didn’t
rg305
March 13, 2020, 6:39pm
11
Maybe force of (old) habit; as although the big I fetches the header (mostly), the little i will always force the header to be displayed:
-I/--head
(HTTP/FTP/FILE) Fetch the HTTP-header only! HTTP-servers feature the command HEAD which this uses to get nothing but the header of a document.
When used on a FTP or FILE file, curl displays the file size and last modification time only.
pcnweb
March 13, 2020, 7:14pm
12
My ports.conf:
Listen 80
<IfModule ssl_module>
    Listen 443
</IfModule>
<IfModule mod_gnutls.c>
    Listen 443
</IfModule>
-----------------------------------------
My 000-default.conf:
<VirtualHost 50.116.61.130:80 2600:3c03::f03c:91ff:fe73:06c4:80>
    # Admin email, Server Name (domain name), and any aliases
    ServerAdmin myemail@my.com
    ServerName 50.116.61.130
    # Index file and Document Root (where the public files are located)
    DirectoryIndex index.html index.php
    DocumentRoot /var/www/html
    # Log file locations
    LogLevel warn
    ErrorLog /mypath/error.log
    CustomLog /mypath/access.log combined
</VirtualHost>
<Directory /var/www/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride all
    Order allow,deny
    allow from all
</Directory>
---------------------------------------------
My pcnselect.com.conf:
<VirtualHost 50.116.61.130:80 2600:3c03::f03c:91ff:fe73:06c4:80>
    # Admin email, Server Name (domain name), and any aliases
    ServerAdmin myemail@my.com
    ServerName pcnselect.com
    ServerAlias www.pcnselect.com
    # Index file and Document Root (where the public files are located)
    DirectoryIndex index.html index.php
    DocumentRoot /mypath/pcnselect.com/public
    # Log file locations
    LogLevel warn
    ErrorLog /mypath/error.log
    CustomLog /mypath/access.log combined
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =pcnselect.com [OR]
    RewriteCond %{SERVER_NAME} =www.pcnselect.com
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>
<Directory /mypath/pcnselect.com/public>
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>
------------------------------
Certbot made this conf file as well, pcnselect.com-le-ssl.conf:
<IfModule mod_ssl.c>
<VirtualHost 50.116.61.130:443 2600:443>
    # Admin email, Server Name (domain name), and any aliases
    ServerAdmin myemail@my.com
    ServerName pcnselect.com
    ServerAlias www.pcnselect.com
    # Index file and Document Root (where the public files are located)
    DirectoryIndex index.html index.php
    DocumentRoot /mypath/pcnselect.com/public
    # Log file locations
    LogLevel warn
    ErrorLog /mypath/error.log
    CustomLog /mypath/access.log combined
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/mypath/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/mypath/privkey.pem
</VirtualHost>
</IfModule>
-----------------------------
What do I have messed up here?
Osiris
March 13, 2020, 7:22pm
13
Please use the “Preformatted text” option (the "</>" icon) in the post editor for your configuration for better readability and completeness.
pcnweb
March 13, 2020, 7:22pm
14
Gotcha, sorry about that - edited.
Osiris
March 13, 2020, 7:25pm
16
Here's the problem. Certbot didn't copy the IPv6 address in the virtualhost directive correctly. You should edit the "2600:443" to be the same as the virtualhost directive above for port :80 but with :443 of course. I.e., change 2600 to the correct IPv6 address.
I think that's because your original VirtualHost directive isn't correct! Please read the Apache documentation about VirtualHosts with regard to IPv6 addresses:
IPv6 addresses must be specified in square brackets because the optional port number could not be determined otherwise.
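To catch address specs like the ones discussed in this post before Apache has to, here is an added example (not from the thread, Certbot or Apache): a small Python lint over <VirtualHost> lines. It applies Apache's documented rule that an IPv6 address must be written in square brackets so the port can be separated from it; the sample config is constructed from the three VirtualHost lines quoted above plus two valid forms.

```python
import ipaddress
import re

# Apache <VirtualHost> syntax is addr[:port]: addr is an IPv4 address, a hostname,
# "*" or "_default_", or an IPv6 address in square brackets ([addr]:port).
VHOST_RE = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
HOSTNAME_RE = re.compile(r"^(?=.*[a-z])[a-z0-9.-]+$", re.IGNORECASE)

def check_addr(spec):
    """Return None if spec is a valid VirtualHost address, else a reason string."""
    if spec.startswith("["):
        inside, sep, rest = spec[1:].partition("]")
        if not sep:
            return "missing closing ']' on IPv6 address"
        try:
            ipaddress.IPv6Address(inside)
        except ValueError:
            return f"'{inside}' is not a valid IPv6 address"
        if rest and not rest.startswith(":"):
            return f"unexpected text after ']': '{rest}'"
        port = rest[1:]
    else:
        # More than one colon outside brackets: the port is ambiguous (the page's :80 line).
        if spec.count(":") > 1:
            return "IPv6 address must be written as [addr]:port"
        host, _, port = spec.partition(":")
        if host not in ("*", "_default_") and not HOSTNAME_RE.match(host):
            try:
                ipaddress.IPv4Address(host)
            except ValueError:  # e.g. the truncated "2600" from the :443 line
                return f"'{host}' is neither an IP address, a hostname nor a wildcard"
    if port and port != "*" and not (port.isdigit() and 0 < int(port) < 65536):
        return f"'{port}' is not a valid port"
    return None

def lint_config(text):
    """Return [(line_no, spec, reason)] for every bad <VirtualHost> address in text."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m = VHOST_RE.match(line)
        for spec in (m.group(1).split() if m else []):
            reason = check_addr(spec)
            if reason:
                findings.append((n, spec, reason))
    return findings

# Constructed sample: the thread's VirtualHost lines plus two correct alternatives.
SAMPLE = """<VirtualHost 50.116.61.130:80 2600:3c03::f03c:91ff:fe73:06c4:80>
<VirtualHost 50.116.61.130:443 2600:443>
<VirtualHost 50.116.61.130:443 [2600:3c03::f03c:91ff:fe73:6c4]:443>
<VirtualHost *:443 [::]:443>"""
```

Running `lint_config(SAMPLE)` reports the first two lines only; the bracketed and wildcard forms pass.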
rg305
March 13, 2020, 7:26pm
17
Or more like:
*:443
[::]:443
Osiris
March 13, 2020, 7:28pm
18
@rg305 Depends. If the server doesn’t rely on IP addresses to determine the virtualhosts, that’s OK.
9peppe
March 13, 2020, 7:30pm
19
You have no IPv6 here, and no default SSL virtualhost.
You know you can use wildcards if your machine only has one public IP address or you want to serve the same website on all IP addresses, don't you?
https://httpd.apache.org/docs/2.4/mod/core.html#virtualhost
pcnweb
March 13, 2020, 7:30pm
20
I didn't even notice that, you are correct and it fixed the issue.
Thanks for all the responses, you guys are super helpful!!