Site is presented with the certificate of another site and then redirects to that site

My domain is: universitian.timpara.com
My web server is (include version): Apache 2.4.10
The operating system my web server runs on is (include version): Debian 8
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ISPConfig3
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.8.0

Hi there,
The problem is with the subdomain. When I try the main domain timpara.com on its own with https, or when I try universitian.timpara.com without https, there are no problems. But when I try https://universitian.timpara.com, I get the famous error:

"Browser does not trust this site because it uses a certificate that is not valid for universitian . timpara . com. The certificate is only valid for the following names otherDomain1, www.otherDomain1"

This is despite the fact that I have updated the certificate of timpara.com to also cover universitian.timpara.com. I can confirm this when I run certbot-auto certificates. It comes out neat and clean. The same is true for the domain names covered by the otherDomain1 certificate. There is no overlap.

Yet after this warning message, the browser redirects to the OtherDomain1 site. A completely different domain name. In Apache, under sites-available, I checked the files default-ssl.conf and 000-default.conf; they just use the snakeoil certificates, and the otherDomain1 certificate is in no way a "default" certificate.

I have checked the existing help requests with the same error message, but I did not see any redirect. If I missed anything, my apologies for any duplicate entry.

I appreciate any help...
Kind Regards
isoguci


There seems to be something misconfigured in your Apache configuration.
It is serving the wrong cert; see:
SSL Server Test: universitian.timpara.com (Powered by Qualys SSL Labs)

Start by reviewing the output of:
apachectl -S


@rg305 Thank you for your kind reply and especially for the website link and the command. They are good additions to my tool box.
The website link result is further confirmation that something fishy is going on here. When I run 'certbot-auto certificates', I do not see any overlap between certificates and the domain names.

The strange thing is that 'apachectl -S' gives a pretty innocent looking output with everything 'using_defaults', with ssl-stapling, ssl-cache and what else. To my mind, this only means that it should be serving the snakeoil certificate as default.

I know that the certificate of timpara.com is correct because the problem is only with the subdomain. This subdomain did not exist before. One more thing I shall check: this subdomain-hosted website was transferred from another top level domain which probably had issues. It is a Wordpress site and probably the old certificate is lurking somewhere in a plugin. I shall be checking that next...

Thank you again for your reply!


Share your apachectl -S
A second set of eyes is better than one.


@rg305 Thanks! I had not posted the output so as not to look like I was just dumping the output without checking.
Below is the output (I am sharing this server with others, so I had to rename the host name to host.net and had to ask the others if they minded their sites being mentioned. Some did not want that, and I had to take them out).
Thanks again.

root:/etc/apache2/sites-available# apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
VirtualHost configuration:
*:8081                 host.net (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080                 host.net (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server host (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost host.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost avroturk.com (/etc/apache2/sites-enabled/100-avroturk.com.vhost:7)
                 alias www.avroturk.com
         port 80 namevhost campus.timpara.com (/etc/apache2/sites-enabled/100-campus.timpara.com.vhost:7)
                 alias www.campus.timpara.com
         port 80 namevhost timpara.com (/etc/apache2/sites-enabled/100-timpara.com.vhost:7)
                 alias www.timpara.com
         port 80 namevhost universitian.timpara.com (/etc/apache2/sites-enabled/100-universitian.timpara.com.vhost:7)
                 alias www.universitian.timpara.com
*:443                  is a NameVirtualHost
         default server avroturk.com (/etc/apache2/sites-enabled/100-avroturk.com.vhost:124)
         port 443 namevhost avroturk.com (/etc/apache2/sites-enabled/100-avroturk.com.vhost:124)
                 alias www.avroturk.com
         port 443 namevhost avroturk.com (/etc/apache2/sites-enabled/avroturk.com.vhost-le-ssl.conf:2)
                 alias www.avroturk.com
         port 443 namevhost bilgi.avroturk.com (/etc/apache2/sites-enabled/bilgi.avroturk.com.vhost-le-ssl.conf:2)
                 alias www.bilgi.avroturk.com
         port 443 namevhost timpara.com (/etc/apache2/sites-enabled/timpara.com.vhost-le-ssl.conf:2)
                 alias www.timpara.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

By the way, my theory about some Wordpress plugin having a wrong certificate link is baseless.
I created another subdomain (campus.timpara.com, which has nothing other than an index.html) and added it to the timpara certificate. Guess what: the same result. The same certificate of the other website (belonging to someone else) sharing this host is served. Exactly the same certificate. Strange.

Hi @isoguci1

Your error is expected.

Your output of apachectl -S doesn't show a port 443 vHost with that domain name.

So another certificate is used.

What does the following show?

certbot certificates

If you have a correct certificate with that subdomain name, try

certbot --reinstall
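The diagnosis above (a name that has a port-80 vhost but no port-443 vhost, so Apache falls back to the first vhost defined on 443 and hands out that vhost's certificate) can be mechanised. The script below is an added example, written for this page; it is not code from anyone in the thread, from certbot or from the Apache project. It parses an apachectl -S dump, lists the hostnames with no TLS vhost, and reports which vhost (hence which certificate) Apache will select for a given SNI name. It assumes apachectl's native layout (the file path on the same line as each vhost, as in the re-typed copy embedded below), case-insensitive exact-name matching, and no wildcard ServerAlias entries; the embedded dump is a constructed copy of the one posted earlier.

```python
"""Given an `apachectl -S` dump, find hostnames that answer on plain HTTP but
have no TLS vhost, and show which vhost Apache picks for an SNI name.
Added example; assumes apachectl's own layout and no wildcard aliases."""
import re
import sys
from dataclasses import dataclass, field

# Constructed input: the dump posted earlier in this thread, re-typed with the
# indentation apachectl prints (the forum copy had it flattened).
SAMPLE_DUMP = """\
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
VirtualHost configuration:
*:8081                 host.net (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080                 host.net (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server host (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost host.net (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost avroturk.com (/etc/apache2/sites-enabled/100-avroturk.com.vhost:7)
                 alias www.avroturk.com
         port 80 namevhost campus.timpara.com (/etc/apache2/sites-enabled/100-campus.timpara.com.vhost:7)
                 alias www.campus.timpara.com
         port 80 namevhost timpara.com (/etc/apache2/sites-enabled/100-timpara.com.vhost:7)
                 alias www.timpara.com
         port 80 namevhost universitian.timpara.com (/etc/apache2/sites-enabled/100-universitian.timpara.com.vhost:7)
                 alias www.universitian.timpara.com
*:443                  is a NameVirtualHost
         default server avroturk.com (/etc/apache2/sites-enabled/100-avroturk.com.vhost:124)
         port 443 namevhost avroturk.com (/etc/apache2/sites-enabled/100-avroturk.com.vhost:124)
                 alias www.avroturk.com
         port 443 namevhost avroturk.com (/etc/apache2/sites-enabled/avroturk.com.vhost-le-ssl.conf:2)
                 alias www.avroturk.com
         port 443 namevhost bilgi.avroturk.com (/etc/apache2/sites-enabled/bilgi.avroturk.com.vhost-le-ssl.conf:2)
                 alias www.bilgi.avroturk.com
         port 443 namevhost timpara.com (/etc/apache2/sites-enabled/timpara.com.vhost-le-ssl.conf:2)
                 alias www.timpara.com
ServerRoot: "/etc/apache2"
"""

SINGLE = re.compile(r"^\S+:(\d+)\s+(\S+)\s+\(")             # *:8080  host.net (file:line)
NAMEVH = re.compile(r"^\S+:(\d+)\s+is a NameVirtualHost")    # *:443   is a NameVirtualHost
DEFAULT = re.compile(r"^\s*default server (\S+)\s+\(")       # default server X (file:line)
PORTVH = re.compile(r"^\s*port (\d+) namevhost (\S+)\s+\(")  # port 443 namevhost X (file:line)
ALIAS = re.compile(r"^\s*alias (\S+)")                       # alias www.X


@dataclass
class VhostMap:
    # port -> {hostname (ServerName or ServerAlias, lowercased): owning ServerName}
    names: dict = field(default_factory=dict)
    # port -> ServerName of the first vhost on that port, i.e. Apache's fallback
    default: dict = field(default_factory=dict)


def parse_vhost_dump(text: str) -> VhostMap:
    vmap = VhostMap()
    port = server = None
    for line in text.splitlines():
        if m := SINGLE.match(line):                 # lone vhost on a port
            port, server = int(m[1]), m[2].lower()
            vmap.names.setdefault(port, {})[server] = server
            vmap.default.setdefault(port, server)
        elif m := NAMEVH.match(line):               # start of a name-based block
            port = int(m[1])
            vmap.names.setdefault(port, {})
        elif (m := DEFAULT.match(line)) and port is not None:
            vmap.default.setdefault(port, m[1].lower())
        elif m := PORTVH.match(line):
            port, server = int(m[1]), m[2].lower()
            vmap.names.setdefault(port, {}).setdefault(server, server)
        elif (m := ALIAS.match(line)) and server is not None:
            vmap.names[port].setdefault(m[1].lower(), server)
    return vmap


def missing_tls_vhosts(vmap, http_port=80, tls_port=443):
    """Names that answer on http_port but have no vhost on tls_port.  A browser
    requesting one of them over HTTPS is handed tls_port's default vhost and
    therefore that vhost's certificate: exactly the symptom in this thread."""
    tls = vmap.names.get(tls_port, {})
    return sorted(n for n in vmap.names.get(http_port, {}) if n not in tls)


def served_for(vmap, sni_name, port=443):
    """ServerName of the vhost Apache picks for this SNI/Host name on `port`:
    the matching ServerName/ServerAlias if any, else the port's default server."""
    return vmap.names.get(port, {}).get(sni_name.lower(), vmap.default.get(port))


if __name__ == "__main__":
    # Pipe a live dump in (apachectl -S 2>&1 | python3 vhostcheck.py) or run
    # with no input to analyse the embedded sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DUMP
    vm = parse_vhost_dump(text)
    print("no TLS vhost for:", ", ".join(missing_tls_vhosts(vm)))
    for host in ("universitian.timpara.com", "www.timpara.com"):
        print(f"https://{host} -> vhost {served_for(vm, host)!r}")
```

On the posted dump the script reports universitian.timpara.com and campus.timpara.com (and their www aliases) as having no TLS vhost, and resolves an HTTPS request for universitian.timpara.com to the avroturk.com vhost, which is the certificate the browser complained about. Wildcard ServerAlias entries (shown as "wild alias" by apachectl) are not handled here; treat a match against one of those by hand.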

@JuergenAuer Indeed. Thank you very much. I ran
certbot-auto --reinstall -d universitian.timpara.com
And it resolved the issue.
Thanks a lot.


@rg305 Thank you for the help.


Yep, two small offline checks, 10 minutes apart:

First with a wrong certificate:

D:\temp>download https://universitian.timpara.com/ -h
SSL error: RemoteCertificateNameMismatch
pragma: no-cache
x-frame-options: SAMEORIGIN
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Cache-Control: must-revalidate, no-cache, no-store, post-check=0, pre-check=0, private
Content-Type: text/html; charset=UTF-8
Date: Sun, 07 Feb 2021 14:21:33 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Set-Cookie: Elgg=q088gpo9enn872q5sgcr22pcq5; path=/
Server: Apache/2.4.10 (Debian)

Status: 200 OK

2180,63 milliseconds
2,18 seconds

Now the certificate is correct:

D:\temp>download https://universitian.timpara.com/ -h
SSL certificate is valid
Link: https://universitian.timpara.com/wp-json/; rel="https://api.w.org/", https://universitian.timpara.com/; rel=shortlink
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Date: Sun, 07 Feb 2021 14:28:44 GMT
Server: Apache/2.4.10 (Debian)

Status: 200 OK

934,75 milliseconds
0,93 seconds

