Remove expired cert sh id linked to old nameservers

My domain is: happyblend.fr

My web server is (include version): Linux version 4.19.0-8-amd64

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

I had this domain managed by Cloudflare in the past but I have now reverted the DNS to be handled by OVH, where the website is also hosted.

My issue is that the old and expired certificate is still listed when I have a look here crt.sh | happyblend.fr (id 3673602313) and is still served randomly to some users browsing the website causing confusion.

I have already tried to:

  • renew the certificate on my OVH server
  • delete and then create again the certificate

But nothing changed...

If you have any idea how I could get rid of this expired certificate this would be really helpful!

Thanks for your help
Nicolas

2 Likes

You can't remove certs from crt.sh: it's a certificate transparency log aggregator and people can search for all recorded certificates indefinitely. It's 100 % separate from the server configuration.

3 Likes

Thanks @Osiris for your explanation about crt.sh. Do you know though how I can fix my issue?

It just happened to me now trying to browse the website.

Certificate is marked as invalid (screenshot: Screenshot 2021-02-26 at 18.42.50.png)

If I force refresh my page the error goes away, but this is clearly an issue for most people landing on the website for the first time.

Thanks

3 Likes

Hi @nicolasricci

checking your domain via https://check-your-website.server-daten.de/?q=happyblend.fr#url-checks you see:

Your non-www is secure. Your www not.

Your non-www uses a new certificate:

CN=www.happyblend.fr
26.02.2021
27.05.2021
expires in 90 days
happy-blend.fr, happyblend.fr, www.happy-blend.fr, www.happyblend.fr - 4 entries

So you have already a new certificate with the correct domain names.

Your www version has the same list of domain names - but the certificate is expired.

What does

apachectl -S

say?

3 Likes

Hi @JuergenAuer

Thanks for your quick answer.

Here is the result for apachectl -S for this domain

 port 443 namevhost happyblend.fr (/etc/apache2/sites-enabled/happyblend.fr-le-ssl.conf:2)
 port 443 namevhost www.happyblend.fr (/etc/apache2/sites-enabled/happyblend.fr-le-ssl.conf:28)
                 alias happy-blend.fr
                 alias www.happy-blend.fr
2 Likes

There you see two problems.

Combination of port and domain name is duplicated -> remove one (line 2 / line 28).

Second definition - duplicated www entries.

2 Likes

@JuergenAuer this is just because I have two vhosts in my apache configuration to handle the redirect. I am using this for other domains on my server with no issue.

Here is the VirtualHost configuration I am using. Is there anything wrong with that?

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName happyblend.fr

    DocumentRoot /var/www/sites/happyblend/public_html

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php7.4-fpm-happyblend.sock|fcgi://localhost/"
    </FilesMatch>
    <Proxy "fcgi://localhost/">
    </Proxy>

    <Directory /var/www/sites/happyblend/public_html>
        Options -Indexes
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog "| /usr/sbin/vlogger -e -s error.log /var/www/sites/happyblend/_logs/error/"
    CustomLog "| /usr/sbin/vlogger -s access.log /var/www/sites/happyblend/_logs" vhost_combined

    SSLCertificateFile /etc/letsencrypt/live/www.happyblend.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.happyblend.fr/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
    ServerName www.happyblend.fr
    ServerAlias happy-blend.fr www.happy-blend.fr
    Redirect permanent / https://happyblend.fr
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/www.happyblend.fr/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.happyblend.fr/privkey.pem
</VirtualHost>
</IfModule>

Thanks again for your quick answer

3 Likes

I'm not sure whether reorganizing this will solve your actual problem, but officially VirtualHosts in Apache are supposed to be unique (per name and port); they're not supposed to overlap with each other.

3 Likes

OK thanks @schoen, I have followed your advice and put all the config under the same VirtualHost; it seems to fix the issue, as I have no more expired certificate when checking on ssllabs.com!

Thanks @JuergenAuer too for your quick support!

Have a nice weekend!

5 Likes

For future knowledge/consideration:

You can't listen on HTTPS/443 for bad names with the sole intention of redirecting to the correct name, without first having a cert that covers all the bad names.

So that when you want:
https://wrongsub.domain.name/ to redirect to https://domain.name/
(or to https://correct.domain.name/)
You must have a cert that covers wrongsub.domain.name or they will get a security popup message and most likely will cancel and not continue through to the correct site.
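Two checks from this thread can be run offline against a config file before touching a live server: the duplicated port/name combinations that @JuergenAuer spotted in the apachectl -S output, and the rule in the post above that every name answered on :443 (including names that only exist to be redirected) must be covered by the certificate's subjectAltName list. The script below is an added example, not code from the thread or from the Certbot project; the vhost config, the SAN list and the validity dates are constructed for the demo (modelled on the thread's domain.name example and the thread's certificate dates) and the helper names are my own.

```python
"""Added example: lint an Apache SSL vhost config for (a) the same name defined
twice on the same port and (b) names on :443 that the certificate's SAN list
does not cover. Everything here runs offline on constructed sample data."""
import re
from datetime import datetime, timezone

# Constructed config, modelled on the thread's domain.name example:
# one main vhost, one redirect vhost with an uncovered alias, and a
# duplicated www vhost to trigger the port/name check.
SAMPLE_CONFIG = """
<VirtualHost *:443>
    ServerName domain.name
    # TLS directives omitted in this constructed sample
</VirtualHost>
<VirtualHost *:443>
    ServerName www.domain.name
    ServerAlias wrongsub.domain.name
    Redirect permanent / https://domain.name/
</VirtualHost>
<VirtualHost *:443>
    ServerName www.domain.name
</VirtualHost>
"""

# Constructed SAN list, as a checker like crt.sh or ssllabs would report it.
SAMPLE_SANS = ["domain.name", "www.domain.name"]

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)


def parse_vhosts(text):
    """Return a list of {'port': str, 'names': [str]} for each <VirtualHost>."""
    vhosts = []
    for match in VHOST_RE.finditer(text):
        addrs, body = match.group(1), match.group(2)
        # "*:443" or "[::1]:443" -> "443"; an address without a port means 80.
        ports = {a.rsplit(":", 1)[1] if ":" in a else "80" for a in addrs.split()}
        names = []
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            parts = line.split()
            key = parts[0].lower()
            if key == "servername" and len(parts) > 1:
                names.append(parts[1].lower())
            elif key == "serveralias":
                names.extend(p.lower() for p in parts[1:])
        for port in sorted(ports):
            vhosts.append({"port": port, "names": names})
    return vhosts


def find_duplicates(vhosts):
    """(port, name) pairs that appear more than once: Apache only honours one."""
    counts = {}
    for vh in vhosts:
        for name in vh["names"]:
            counts[(vh["port"], name)] = counts.get((vh["port"], name), 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)


def hostname_matches(san, host):
    """RFC 6125-style match: a wildcard covers exactly one left-most label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def uncovered_names(vhosts, sans, port="443"):
    """Names served on `port` that no SAN entry covers (browser warning risk)."""
    missing = set()
    for vh in vhosts:
        if vh["port"] != port:
            continue
        for name in vh["names"]:
            if not any(hostname_matches(s, name) for s in sans):
                missing.add(name)
    return sorted(missing)


def validity_status(not_before_iso, not_after_iso, now_iso):
    """True when `now` lies inside the certificate's validity window."""
    not_before = datetime.fromisoformat(not_before_iso)
    not_after = datetime.fromisoformat(not_after_iso)
    now = datetime.fromisoformat(now_iso)
    return not_before <= now <= not_after


if __name__ == "__main__":
    vhosts = parse_vhosts(SAMPLE_CONFIG)
    print("duplicate port/name pairs:", find_duplicates(vhosts))
    print("names not covered by the cert:", uncovered_names(vhosts, SAMPLE_SANS))
    # Thread's certificate dates, checked against a constructed "now".
    print("cert current on 2021-03-01:",
          validity_status("2021-02-26T00:00:00+00:00",
                          "2021-05-27T00:00:00+00:00",
                          "2021-03-01T00:00:00+00:00"))
```

Run it as a script to see the report, or point parse_vhosts at the text of a real sites-enabled file; a non-empty result from either find_duplicates or uncovered_names is the condition to fix before reloading Apache.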

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.