Site with multiple domains returns wrong certificate

Krischu · August 2, 2020, 5:25pm

I don’t know whether I’m analyzing the problem correctly, so let me just describe, what happens:

I have a hosted site with one IP. I bought a commercial certificate (DigiCert) I established this certificate in /etc/apache2/certs/ and gave the main site a http Redirect permanent that redirects every http://www.mydomain.tld/ to https://www.mydomain.tld/.

When I analyze the site using a command like:

openssl s_client -connect www.mydomain.tld:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns

the SANs are listed like as specified when ordering the cert.
DNS:mydomain.tld, DNS:www.mydomain.tld, DNS:mail.mydomain.tld, DNS:smtp.mydomain.tld

When I enter the command:

openssl s_client -connect mydomain.tld:443 < /dev/null | openssl x509 -noout -text | grep -C3 -i dns

I’m getting the SANs that I entered when requesting the letsencrypt certificate. All fine so far.

But, when I open the site URL https://mydomain.tld/ in a browser (FF), I’m getting the yellow alarm window of Firefox, saying that the site may have an insecure certificate.

When I open the details, I see that it is the letsencrypt certificate with the common name

mydomain.tld

But for this domain I have provided the DigiCert Certificate.

How comes this intermixing?

JuergenAuer · August 2, 2020, 4:37pm

Hi @Krischu

if you have problems using a DigiCert certificate, the DigiCert support is the place to find an answer.

Krischu · August 2, 2020, 5:23pm

I did not have this problem before I installed the Letsencrypt certificate.

9peppe · August 2, 2020, 8:59pm

This is not an answer you’re going to get without sharing your actual domain name.

Krischu · August 3, 2020, 6:01am

Ok, thought that it would be difficult without the real names. So here it is:

The domain that used to work before the Letsencrypt certificate was installed, is

https://werkwelt.de

(SANs are www.werkwelt.de, mail.werkwelt.de, smtp.werkwelt.de)

The domains under the same IP that have the LE-certificate, are

www.buchabsatz.de
www.lindenthaler.eu

Also another LE

www.urquell.de

Thanks for helping

Christoph

9peppe · August 3, 2020, 6:30am

It looks like you replaced the digicert certificate instead of adding to it.

You have three options:

Create three virtualhosts for the three sets of domains, one for each certificate (one digicert and two let’s encrypt).
Add all the certificates to the same virtualhost, with all the domains. (if your webserver supports it – apache only does in quite modern versions)
Ignore the digicert certificate and expand a let’s encrypt certificate to include all of the domains. (This is the only option that works without SNI, but it doesn’t matter too much)

Krischu · August 3, 2020, 3:19pm

I believe I have implemented choice 1. at present.

DigiCert host werkwelt.de has:

<VirtualHost *:80>
    ServerName www.werkwelt.de
   ServerAlias werkwelt.de
   Redirect permanent / https://www.werkwelt.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@werkwelt.de

    DocumentRoot /var/www/de.werkwelt.www
    ServerName www.werkwelt.de
    ServerSignature Off
SSLEngine on
SSLCertificateFile "/etc/apache2/certs/de.werkwelt.www.crt"
SSLCertificateKeyFile "/etc/apache2/certs/de.werkwelt.www.key"
SSLCertificateChainFile "/etc/apache2/certs/de.werkwelt.www.chain"
...

second one:

 <VirtualHost *:80>
    ServerAdmin webmaster@buchabsatz.de
    ServerName www.buchabsatz.de
    ServerAlias buchabsatz.de web.buchabsatz.de

    Redirect permanent / https://www.buchabsatz.de/

</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@buchabsatz.de

    DocumentRoot /var/www/de.buchabsatz.www
    ServerName www.buchabsatz.de
    ServerAlias buchabsatz.de web.buchabsatz.de
    ServerSignature Off

SSLEngine on
SSLCertificateFile  "/etc/letsencrypt/live/www.buchabsatz.de/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.buchabsatz.de/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/www.buchabsatz.de/chain.pem"
...

Third one:

<VirtualHost *:80>
    ServerName www.lindenthaler.eu
    ServerAlias lindenthaler.eu web.lindenthaler.eu
    Redirect permanent / https://www.lindenthaler.eu/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@lindenthaler.eu

    DocumentRoot /var/www/eu.lindenthaler.www
    ServerName www.lindenthaler.eu
    ServerAlias lindenthaler.eu web.lindenthaler.eu
    ServerSignature Off
SSLEngine on
SSLCertificateFile  "/etc/letsencrypt/live/www.lindenthaler.eu/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.lindenthaler.eu/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/www.lindenthaler.eu/chain.pem"
...

The last one:

<VirtualHost *:80>
    ServerName www.urquell.de
    ServerAlias urquell.de
    Redirect permanent / https://www.urquell.de/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@urquell.de

    DocumentRoot /var/www/de.urquell.www
    ServerName www.urquell.de
    ServerAlias urquell.de web.urquell.de
    ServerSignature Off
SSLEngine on
SSLCertificateFile  "/etc/letsencrypt/live/www.urquell.de/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/www.urquell.de/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/www.urquell.de/chain.pem"
...

JuergenAuer · August 3, 2020, 12:08pm

That’s only partial relevant. You may have defined these vHosts, but they may not be used.

What says

apachectl -S

Krischu · August 3, 2020, 3:21pm

$ apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server mail.werkwelt.de (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost mail.werkwelt.de (/etc/apache2/sites-enabled/000-default.conf:1)
     port 80 namevhost www.buchabsatz.de (/etc/apache2/sites-enabled/de.buchabsatz.www:1)
             alias buchabsatz.de
             alias web.buchabsatz.de
     port 80 namevhost www.urquell.de (/etc/apache2/sites-enabled/de.urquell.www:1)
             alias urquell.de
     port 80 namevhost www.werkwelt.de (/etc/apache2/sites-enabled/de.werkwelt.www:1)
             alias werkwelt.de
     port 80 namevhost www.lindenthaler.eu (/etc/apache2/sites-enabled/eu.lindenthaler.www:1)
             alias lindenthaler.eu
             alias web.lindenthaler.eu
*:443                  is a NameVirtualHost
     default server www.buchabsatz.de (/etc/apache2/sites-enabled/de.buchabsatz.www:9)
     port 443 namevhost www.buchabsatz.de (/etc/apache2/sites-enabled/de.buchabsatz.www:9)
             alias buchabsatz.de
             alias web.buchabsatz.de
     port 443 namevhost www.urquell.de (/etc/apache2/sites-enabled/de.urquell.www:7)
             alias urquell.de
             alias web.urquell.de
     port 443 namevhost www.werkwelt.de (/etc/apache2/sites-enabled/de.werkwelt.www:7)
     port 443 namevhost www.lindenthaler.eu (/etc/apache2/sites-enabled/eu.lindenthaler.www:7)
             alias lindenthaler.eu
             alias web.lindenthaler.eu
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33
$

JuergenAuer · August 3, 2020, 12:47pm

There you see a problem: Your port 80 vHost list doesn’t match your port 443 vHost list.

And the file names are a little bit curious - de.urquell.www instead of de.urquell.conf.

Krischu · August 3, 2020, 3:22pm

Thanks. I have

# Include the virtual host configurations:
Include sites-enabled/

in my /etc/apache2/apache2.conf so files don’t need to be named .conf there.

You say, my port 80 vHost list doesn’t match my port 443 list.

Well, I wasn’t aware that the order in which the sites are loaded, plays a role.

I took care that the default site got loaded first and now it seems to look better.

$ apachectl -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
     default server www.werkwelt.de (/etc/apache2/sites-enabled/000-de.werkwelt.de:1)
     port 80 namevhost www.werkwelt.de (/etc/apache2/sites-enabled/000-de.werkwelt.de:1)
             alias werkwelt.de
     port 80 namevhost www.buchabsatz.de (/etc/apache2/sites-enabled/de.buchabsatz.www:1)
             alias buchabsatz.de
             alias web.buchabsatz.de
     port 80 namevhost www.urquell.de (/etc/apache2/sites-enabled/de.urquell.www:1)
             alias urquell.de
     port 80 namevhost www.lindenthaler.eu (/etc/apache2/sites-enabled/eu.lindenthaler.www:1)
             alias lindenthaler.eu
             alias web.lindenthaler.eu
*:443                  is a NameVirtualHost
     default server www.werkwelt.de (/etc/apache2/sites-enabled/000-de.werkwelt.de:7)
     port 443 namevhost www.werkwelt.de (/etc/apache2/sites-enabled/000-de.werkwelt.de:7)
     port 443 namevhost www.buchabsatz.de (/etc/apache2/sites-enabled/de.buchabsatz.www:9)
             alias buchabsatz.de
             alias web.buchabsatz.de
     port 443 namevhost www.urquell.de (/etc/apache2/sites-enabled/de.urquell.www:7)
             alias urquell.de
             alias web.urquell.de
     port 443 namevhost www.lindenthaler.eu (/etc/apache2/sites-enabled/eu.lindenthaler.www:7)
             alias lindenthaler.eu
             alias web.lindenthaler.eu
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex default: dir="/var/lock/apache2" mechanism=default 
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
PidFile: "/var/run/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

$

JuergenAuer · August 3, 2020, 2:41pm

The order isn’t so relevant.

You have a SAN with

https://werkwelt.de

(SANs are www.werkwelt.de, mail.werkwelt.de, smtp.werkwelt.de)

but you don’t have a matching port 80 and your port 443 doesn’t match your port 80.

So mail / smtp / non-www aren’t defined, so the default vHost is used - with the wrong certificate.

So the result is expected.

Krischu · August 3, 2020, 3:16pm

To me it looks better now. The port 443 entry was missing the ServerAlias werkwelt.de.

Now they seem to match and the mistakenly drawn Letsencrypt cert is gone.

Thanks for helping. If you think I’m still in error let me know

( I also brought the .conf extension back to order so that the usual a2ensite mechanism works again)