Seems like domain is pointing to wrong machine to get my certificates when using SSL

My domain is:
http://netbracquets.com
IPv4: 208.52.161.127

http://netbrackets.com
104.190.211.55

I ran this command in my browser:
https://netbracquets.com:8443/cgi-bin/WebObjects/netbrackets.woa/wa/userLogin

It produced this output:
The connection is not private warning

I ran this command:
https://netbracquets.com:8443/cgi-bin/WebObjects/netbrackets.woa/wa/userLogin

on an ssl test site:
https://www.htbridge.com/ssl/?id=iiyJ24F5

It produced this output:
Untrusted Reasons: The certificate doesn’t match hostname
Common Name: netbrackets.com
Key Type/Size: RSA 2048 bits
Signature Algorithm: sha256WithRSAEncryption
Subject Alternative Names: DNS:netbrackets.com, DNS:www.netbrackets.com
Transparency: Yes
Validation Level: DV
CRL: http://crls.ssl.com/SSLcomRSASSLsubCA.crl
OCSP: http://ocsps.ssl.com
OCSP Must-Staple: No
Supports OCSP Stapling: No
Valid From: November 25th 2018, 14:36 CET
Valid To: September 1st 2019, 15:36 CEST
My web server is (include version):
Server version: Apache/2.4.38 (Unix)
Server built: Feb 10 2019 02:48:38

The operating system my web server runs on is (include version):
Mac OS 10.14.2

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.32.0

certbot certificates on netbracquets.com:


Found the following certs:
Certificate Name: homebridgemania.com
Domains: homebridgemania.com www.homebridgemania.com
Expiry Date: 2019-06-10 03:00:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/homebridgemania.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/homebridgemania.com/privkey.pem
Certificate Name: www.netbracquets.com
Domains: www.netbracquets.com netbracquets.com
Expiry Date: 2019-06-09 22:52:36+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/www.netbracquets.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.netbracquets.com/privkey.pem
Certificate Name: www.wildcatsbaseball.org
Domains: wildcatsbaseball.org www.wildcatsbaseball.org
Expiry Date: 2019-06-08 22:49:40+00:00 (VALID: 87 days)
Certificate Path: /etc/letsencrypt/live/www.wildcatsbaseball.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.wildcatsbaseball.org/privkey.pem
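The scanner verdict above ("The certificate doesn’t match hostname") means the server answering for netbracquets.com:8443 presented a certificate whose Subject Alternative Names list only netbrackets.com and www.netbrackets.com. The following is an added example, not code from the thread or from certbot, that reproduces that check in pure Python: it matches a hostname against SAN dNSName entries the way browsers do (the subject Common Name is ignored) and can probe a live server with a chosen SNI name, the same diagnostic that `openssl s_client -servername` gives. The function names, the `SAMPLE_CERT` dictionary (constructed from the scanner output quoted above) and the use of port 8443 are this example's own assumptions.

```python
"""Added example (not from the original thread): reproduce the scanner's
"certificate doesn't match hostname" verdict and probe which certificate a
server presents for a given SNI name. Standard library only."""
import socket
import ssl


def match_dns_name(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname the way browsers do
    (RFC 6125 style): case-insensitive, exact label match, and a wildcard
    only as the whole left-most label, covering exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.example.com" is acceptable; "*.com", "w*.example.com" and "*" are not
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def san_dns_names(cert: dict) -> list:
    """Extract the dNSName entries from a cert dict as returned by
    ssl.SSLSocket.getpeercert(). Modern clients match only the SAN list;
    the subject Common Name is ignored."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_hostname(san_names, hostname: str) -> tuple:
    """Return (ok, message) saying whether hostname is covered by the SANs."""
    if any(match_dns_name(name, hostname) for name in san_names):
        return True, f"{hostname} is covered by SAN {san_names}"
    return False, (f"certificate doesn't match hostname: {hostname} is not in "
                   f"SAN {san_names}")


def probe_presented_cert(hostname: str, port: int, ip: str = None,
                         timeout: float = 10.0) -> dict:
    """Connect to ip (or hostname) on port, send SNI=hostname, and return the
    leaf certificate. The chain is verified against the system trust store,
    but the hostname is NOT checked here, so a mismatch is reported by
    check_hostname() instead of aborting the handshake. Needs network access."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # the name check is done by check_hostname()
    ctx.verify_mode = ssl.CERT_REQUIRED  # keep chain validation; getpeercert() is empty without it
    with socket.create_connection((ip or hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def diagnose(hostname: str, port: int, ip: str = None) -> tuple:
    """Live version of the scanner check: which names does the server at
    ip:port present when asked for hostname, and do they cover it?"""
    cert = probe_presented_cert(hostname, port, ip)
    return check_hostname(san_dns_names(cert), hostname)


# Constructed sample mirroring the scanner output quoted in the thread:
# the server for netbracquets.com presented a certificate issued for netbrackets.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "netbrackets.com"),),),
    "subjectAltName": (("DNS", "netbrackets.com"), ("DNS", "www.netbrackets.com")),
}

if __name__ == "__main__":
    print(check_hostname(san_dns_names(SAMPLE_CERT), "netbracquets.com"))
    # Live probe of the host and port from the thread (needs network):
    # print(diagnose("netbracquets.com", 8443))
    # Pin the connection to one address to see what a specific machine serves:
    # print(diagnose("netbracquets.com", 8443, ip="208.52.161.127"))
```

Passing `ip=` pins the TCP connection to one machine while still sending the real hostname as SNI, which separates "the DNS record points at the wrong box" from "the right box serves the wrong vhost", the two explanations the thread goes back and forth on.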


Hi @netbrackets,

Is this service meant to be accessible to the public? I tried to access it via your link, but I got a connection refused (distinct from the error that you reported above).

Hi @shoen,
Sorry, I was mucking with it; it should be operational now. However, NOW it seems to be working. I’ve been working on the error for 4 hours at least, and now it starts to work. No idea what I did except restart apache for the umpteenth time.

However when I use the test site I still get an error on the test site which gives me pause:
https://www.htbridge.com/ssl/?id=iiyJ24F5

https://netbracquets.com:8443/cgi-bin/WebObjects/netbrackets.woa/wa/userLogin

However when I try it here:

https://www.fairssl.net/en/ssltest

It says all is good.

After refreshing the test:
https://www.htbridge.com/ssl/?id=iiyJ24F5
seems OK; now with A- result.

Wow, now that test is working for me too. Is there a trick to refreshing it? I just put the URL in and clicked the right arrow for the last two hours today and got errors every time.

Anyway it was acting very strange picking up a certificate that wasn’t even loaded on that machine, it’s on another one. I have not changed the domain A record in days.

I don't know about this particular scanner, but some of the online testing tools do cache their results and don't re-perform the test automatically when you ask about the same site later on.

Now I’m trying to add another domain (homebridgemania.com) but can’t get it to work. I’ve successfully created the keys.

In httpd.conf I have:
Include /usr/local/etc/httpd/extra/httpd-vhosts-le-ssl.conf

in extra/httpd-vhosts-le-ssl.conf I have:
<IfModule mod_ssl.c>
<VirtualHost *:8443>
    DocumentRoot "/Library/WebServer/Documents"
    ServerName homebridgemania.com:8443
    ServerAdmin support@netbrackets.com
    SSLCertificateFile "/etc/letsencrypt/live/homebridgemania.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/homebridgemania.com/privkey.pem"
    ErrorLog "/usr/local/var/log/httpd/error_log"
    TransferLog "/usr/local/var/log/httpd/access_log"
</VirtualHost>
</IfModule>

certbot certificates:
Certificate Name: homebridgemania.com
Domains: homebridgemania.com www.homebridgemania.com
Expiry Date: 2019-06-10 03:00:20+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/homebridgemania.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/homebridgemania.com/privkey.pem

You shouldn't include the port in the name - it is already controlled by the virtualhost setting.

Updated to below, but still no go.

https://homebridgemania.com:8443/cgi-bin/WebObjects/netbrackets.woa/wa/userLogin

<IfModule mod_ssl.c>
<VirtualHost *:8443>
    # General setup for the virtual host
    DocumentRoot "/Library/WebServer/Documents"
    ServerName homebridgemania.com
    ServerAdmin support@netbrackets.com
    SSLCertificateFile "/etc/letsencrypt/live/homebridgemania.com/fullchain.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/homebridgemania.com/privkey.pem"
    ErrorLog "/usr/local/var/log/httpd/error_log"
    TransferLog "/usr/local/var/log/httpd/access_log"
</VirtualHost>
</IfModule>

The name resolves to IPv4 & IPv6 addresses:
Addresses: fe80::462:629a:593e:bd5a
208.52.161.127
This vhost config may not cover both:

A check on 6 shows:
curl -Iki6 https://homebridgemania.com:8443/
curl: (7) Couldn't connect to server

the 4 address seems to just timeout (eventually)

EDIT: Sorry that 4 was my firewall blocking the outbound request on port 8443.
It seems to connect but shows the "wrong cert":
[using: openssl s_client -connect 208.52.161.127:8443 -servername homebridgemania.com]
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----

Yeah, the certbot wouldn’t create a certificate until after I added the ipv6 address for this domain, even though it made the other certs fine without it on their domains. Should I remove the ipv6 IP from that domain? Would I need to re-make the cert if I do?

You don't need to recreate the certificate if you have a valid one; the certificate doesn't mention any IP addresses at all, only domain names.

If you advertise an IPv6 address in DNS, your server has to actually listen in IPv6. It looks like currently you do advertise an IPv6 address with an AAAA record, but your server isn't currently reachable that way.
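The point above, that a published AAAA record obliges the server to actually answer over IPv6, is easy to check mechanically. The following is an added example (not code from the thread, from certbot or from Apache) that resolves a name, classifies each advertised address and, for public addresses, tests whether the service port accepts a plain TCP connection. One observation the example encodes: the `fe80::` address quoted earlier in the thread is in the link-local range (fe80::/10), which is only valid on the host's own link, so no outside client or CA validation server can ever reach it even if Apache listens on it. The function names, the injectable `connect` parameter (so the logic can run without a network) and `SAMPLE_ADDRESSES` (constructed from the two addresses quoted above) are this example's assumptions.

```python
"""Added example (not from the original thread): check that every address a
name advertises in DNS (A and AAAA) is a usable public address and actually
accepts TCP connections on the service port. Standard library only."""
import ipaddress
import socket


def classify_address(addr: str) -> str:
    """Label an address: 'global' if it can be reached from the Internet,
    otherwise why not. A link-local (fe80::/10), loopback or private address
    in a public A/AAAA record can never work for outside clients or for the
    CA's validation servers."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:
        return "link-local"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "reserved"


def resolve(name: str) -> list:
    """Return the (family, address) pairs DNS advertises for name, deduplicated.
    Needs network access."""
    seen = []
    for family, _, _, _, sockaddr in socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP):
        entry = ("IPv6" if family == socket.AF_INET6 else "IPv4", sockaddr[0])
        if entry not in seen:
            seen.append(entry)
    return seen


def tcp_reachable(addr: str, port: int, timeout: float = 5.0) -> bool:
    """Plain TCP connect to addr:port (no TLS). This separates 'nothing is
    listening / a firewall drops it' from a certificate or vhost problem."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(addresses, port: int, connect=tcp_reachable) -> list:
    """For each (family, addr): report the address class and, for global
    addresses, whether the port answers. `connect` is injectable so the
    decision logic can be exercised offline."""
    report = []
    for family, addr in addresses:
        kind = classify_address(addr)
        if kind != "global":
            report.append((family, addr, f"unusable in public DNS: {kind} address"))
        elif connect(addr, port):
            report.append((family, addr, "listening"))
        else:
            report.append((family, addr,
                           "advertised but not reachable: remove the record or open the port"))
    return report


# Constructed sample: the two addresses quoted in the thread for homebridgemania.com.
SAMPLE_ADDRESSES = [("IPv6", "fe80::462:629a:593e:bd5a"), ("IPv4", "208.52.161.127")]

if __name__ == "__main__":
    for line in audit(SAMPLE_ADDRESSES, 8443):
        print(*line)
    # Live check (needs network):
    # for line in audit(resolve("homebridgemania.com"), 8443): print(*line)
```

Run against the sample addresses, the IPv6 entry is flagged as unusable before any connection is attempted, and the IPv4 entry is reported as listening or not depending on whether port 8443 is actually open from where the check runs, which is exactly the firewall confusion described in the post about the IPv4 timeout.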

How can you tell it’s the wrong cert? I think I’ll delete the ipv6 AAAA record from that domain since none of my other domains have it.

And is that fairly common to block port 8443? I would think that would be better since it’s an encryption port.

Adding the IPv6 “just to get a cert” really makes no sense to me.
I don’t even know how to comment on that…
Other than if you don’t need it, then don’t use it.
[but you kind of just said that you do need it…]

Ha, me either. Maybe it was coincidence, but I tried and tried to create a cert for that domain and kept getting errors (sadly I can’t remember exactly what it was). I then added the record, and it worked. Strange things seem to be occurring all around on this machine.

It could be that you had a firewall blocking some connections to the IPv4 address but not corresponding connections to the IPv6 address, for example. (I don’t have any evidence of this, but that’s just an example of why adding an IPv6 address might make something work that failed in IPv4.)

Moving the definition into my main httpd-ssl.conf file didn’t help. Gotta be something wrong with the vhost config.

maybe the file isn’t being included.
Show:
ls -l /etc/apache2/sites-enabled/
as compared to:
ls -l /etc/apache2/sites-available/

My apache is installed by Homebrew at:

/usr/local/etc/httpd

I don’t see any dirs like that there.

perhaps there is a /conf.d/ or the likes

Be sure that the inclusion search (like *.conf) matches that file name.