Remove expired cert sh id linked to old nameservers

Help
#1

My domain is: happyblend.fr

My web server is (include version): Linux version 4.19.0-8-amd64

The operating system my web server runs on is (include version): Debian 9

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.9.0

I had this domain managed by Cloudfare in the past but I have now reverted the DNS to be handled by OVH where the website is also hosted.

My issue is that the old and expired certificate is still listed when I have a look here crt.sh | happyblend.fr (id 3673602313) and is still served randomly to some users browsing the website causing confusion.

I have already tried to :

  • renew the certificate on my OVH server
  • delete and then create again the certificate

But nothing changed...

If you have any idea how I could get rid of this expired certificate this would be really helpful!

Thanks for your help
Nicolas

2 Likes
#2

You can't remove certs from crt.sh: it's a certificate transparancy log aggregator and people can search for all recorded certificates indefinitely. It's 100 % separate from the server configuration.

3 Likes
#3

Thanks @Osiris for your explanation about crt.sh. Do you know though how I can fix my issue?

It just happened to me now trying to browse the website.

Certificate is marked as invalid Dropbox - Screenshot 2021-02-26 at 18.42.50.png - Simplify your life

If I force refresh my page the error goes away but this clearly an issue for most people landing on the website for the first time.

Thanks

3 Likes
#4

Hi @nicolasricci

checking your domain via https://check-your-website.server-daten.de/?q=happyblend.fr#url-checks you see:

Your non-www is secure. Your www not.

Your non-www uses a new certificate:

CN=www.happyblend.fr
	26.02.2021
	27.05.2021
expires in 90 days	
happy-blend.fr, happyblend.fr, 
www.happy-blend.fr, www.happyblend.fr - 4 entries

So you have already a new certificate with the correct domain names.

Your www version has the same list of domain names - but the certificate is expired.

What says

apachectl -S
3 Likes
#5

Hi @JuergenAuer

Thanks for your quick answer.

Here is the result for apachectl -S for this domain

 port 443 namevhost happyblend.fr (/etc/apache2/sites-enabled/happyblend.fr-le-ssl.conf:2)
 port 443 namevhost www.happyblend.fr (/etc/apache2/sites-enabled/happyblend.fr-le-ssl.conf:28)
                 alias happy-blend.fr
                 alias www.happy-blend.fr
2 Likes
#6

There you see two problems.

Combination of port and domain name is duplicated -> remove one (line 2 / line 28).

Second definition - duplicated www entries.

2 Likes
#7

@JuergenAuer this is just because I have two vhost in my apache configuration to handle redirect. I am using this for other domains on my server with no issue

Here is the VirtualHost configuration I am using. Is there anything wrong with that?

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName happyblend.fr

    DocumentRoot /var/www/sites/happyblend/public_html

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php7.4-fpm-happyblend.sock|fcgi://localhost/"
    </FilesMatch>
    <Proxy "fcgi://localhost/">
    </Proxy>

    <Directory /var/www/sites/happyblend/public_html>
         Options -Indexes
         AllowOverride All
         Require all granted
    </Directory>

    ErrorLog "| /usr/sbin/vlogger -e -s error.log /var/www/sites/happyblend/_logs/error/"
    CustomLog "| /usr/sbin/vlogger -s access.log /var/www/sites/happyblend/_logs" vhost_combined

SSLCertificateFile /etc/letsencrypt/live/www.happyblend.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.happyblend.fr/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
<VirtualHost *:443>
        ServerName www.happyblend.fr
        ServerAlias happy-blend.fr www.happy-blend.fr
        Redirect permanent / https://happyblend.fr
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/www.happyblend.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.happyblend.fr/privkey.pem
</VirtualHost>
</IfModule>

Thanks again for your quick answer

3 Likes
#8

I'm not sure whether reorganizing this will solve your actual problem, but officially VirtualHosts in Apache are supposed to be unique (per name and port); they're not supposed to overlap with each other.

3 Likes
#9

OK thanks @schoen I have followed your advice and had all config under the same VirtualHost it seems to fix the issue as I have no more expired certificate when checking on ssllabs.com!

Thanks @JuergenAuer too for your quick support!

Have a nice weekend!

5 Likes
#10

For future knowledge/consideration:

You can't listen on HTTPS/443 for bad names with the sole intention of redirecting to the correct name, without first having a cert that covers all the bad names.

So that when you want:
https://wrongsub.domain.name/ to redirect to https://domain.name/
(or to https://correct.domain.name/)
You must have a cert that covers wrongsub.domain.name or they will get a security popup message and most likely will cancel and not continue through to the correct site.

#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.