[solved] Common Name (CN) doesn't match sub domain name

Situation:

  1. Old sub domain name 10000.growerpdemo.com (expired on 25 Oct 2017)
  2. I request a new cert for 16050.growerpdemo.com (expired on 18 Jan 2018)
  3. I go to https://16050.growerpdemo.com/pft, which shows Common Name (CN) = 10000.growerpdemo.com; when I refresh, it then shows 16050.growerpdemo.com. It switches between the 2 subdomains.

Can anyone help or explain?

Kind Regards,
Supachai Chaimangua (Tor)

Is the subdomain located behind some kind of load balancer which transparently puts through the TLS connection to multiple servers?

I agree, there has to be.
There has only been one cert assigned to 10000 and it doesn’t cover the 16050 FQDN: https://crt.sh/?id=179688082
So, those two certs are completely different (with no overlap) and must be being served from two different systems via the same IP.

No. It is in the same server.

I have renewed the cert for 10000, but I have checked at https://crt.sh/?q=10000.growerpdemo.com
It doesn’t work.

How can I fix the problem?

LOG:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/10000.growerpdemo.com/fullchain.pem. Your
    cert will expire on 2018-01-31. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot-auto again.
    To non-interactively renew all of your certificates, run
    "certbot-auto renew"

OK I think this is the problem:
Certificate chain
0 s:/CN=10000.growerpdemo.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/CN=10000.growerpdemo.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
2 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

You are chaining
/etc/letsencrypt/xxxxx/cert.pem (line 0 above)
and
/etc/letsencrypt/zzzzz/fullchain.pem (lines 1 and 2 above)
or some combination of “cert.pem” and “fullchain.pem”,
which results in TWO certs and the intermediate chain being served.
The two files are probably not from the same folder or they would have the same name.

Please show these:
1. certbot-auto certificates
2. any vhost config files that use the 10000 cert.
3. grep -r cert.pem /etc/apache2
4. grep -r fullchain.pem /etc/apache2

1. certbot-auto certificates

Certificate Name: 10000.growerpdemo.com
Domains: 10000.growerpdemo.com
Expiry Date: 2018-01-31 06:45:10+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/10000.growerpdemo.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/10000.growerpdemo.com/privkey.pem

Certificate Name: 16070.growerpdemo.com
Domains: 16070.growerpdemo.com
Expiry Date: 2018-01-31 04:10:38+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/16070.growerpdemo.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/16070.growerpdemo.com/privkey.pem

2. any vhost config files that use the 10000 cert.
ubuntu@dockerDemo:/Data/Apache2/sites-available$ sudo grep -r 10000 .
./10000.growerpdemo.com.conf:ServerName 10000.growerpdemo.com
./10000.growerpdemo.com.conf:ServerName 10000.growerpdemo.com
./10000.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/10000.growerpdemo.com/cert.pem
./10000.growerpdemo.com.conf: SSLCertificateKeyFile /etc/apache2/ssl/10000.growerpdemo.com/privkey.pem
./10000.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/fullchain.pem

3. grep -r cert.pem /etc/apache2
No file.
4. grep -r fullchain.pem /etc/apache2
No file.

I see log update at https://crt.sh/?q=10000.growerpdemo.com .

That's the problem. Drop that statement and use fullchain.pem via SSLCertificateFile.


./10000.growerpdemo.com.conf is not a full path
show:

  1. pwd
  2. find / -name 10000.growerpdemo.com.conf
  3. complete contents of 10000.growerpdemo.com.conf

It looks like it may be at:
/Data/Apache2/sites-available/10000.growerpdemo.com.conf

Try:

  1. grep -r cert.pem /Data/Apache2
  2. grep -r fullchain.pem /Data/Apache2

OR since it supports “SSLCertificateChainFile” just change:
SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/fullchain.pem
to:
SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/chain.pem

Just for all those who may not fully understand this:
The cert.pem is only the public cert
The chain.pem is only the intermediate(s) cert(s)
The fullchain.pem is the cert.pem and chain.pem
So fullchain.pem is the public cert and the intermediate cert(s)
(No one sends the root cert - clients should already have root certs).

So issuing:
SSLCertificateFile cert.pem
SSLCertificateChainFile fullchain.pem
results in sending:
public cert + public cert and intermediates

Now, if you have been paying close attention, you would already realize that none of this explains how/why the 16050 cert is/was being served.

So, we must continue…

Please show:
1. grep -r cert.pem /Data/Apache2
2. grep -r fullchain.pem /Data/Apache2
3. grep -r 10000 /Data/Apache2
4. grep -r 16050 /Data/Apache2

1. grep -r cert.pem /Data/Apache2
/Data/Apache2/sites-available/salmax.conf: SSLCertificateFile /etc/letsencrypt/live/salmax-backend.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/16070.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/16070.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/minimum.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/minimum.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/10000.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/www.antwebsystems.nl.conf-backup:SSLCertificateFile /etc/apache2/ssl/www.antwebsystems.nl/cert.pem
/Data/Apache2/sites-available/newminimum.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/newminimum.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/phpbackend.conf:# SSLCertificateFile /etc/ssl/certs/cert.pem
/Data/Apache2/sites-available/phpbackend.conf: SSLCertificateFile /etc/apache2/ssl/phpbackend.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/newantwebsystems.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/newantwebsystems.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/16050.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/16050.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15982.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15982.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/w3erp.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/w3erp.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/logo.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/logo.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15100.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15100.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/isharehr.conf: SSLCertificateFile /etc/letsencrypt/live/isharehr.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15303.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15303.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15942.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15942.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15820.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15820.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/w3erp.conf: SSLCertificateFile /etc/apache2/ssl/w3.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/new-growerpfrontend.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/new-growerpfrontend.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/isharehr.conf-origin: SSLCertificateFile /etc/letsencrypt/live/isharehr.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15410-backend.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/15410-backend.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/14942.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/14942.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/antwebsystems.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/antwebsystems.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15921.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15921.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15571.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15571.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15701-backend.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/15701-backend.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15363.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15363.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/nagios.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/nagios.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/jira.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/jira.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/www.growerp.com.conf: SSLCertificateFile /etc/letsencrypt/live/www.growerp.com/cert.pem
/Data/Apache2/sites-available/15546.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15546.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/15780.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15951.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15951.growerpdemo.com/cert.pem

2. grep -r fullchain.pem /Data/Apache2
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/BL-15780.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/salmax.conf: SSLCertificateChainFile /etc/letsencrypt/live/salmax-backend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/16070.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/16070.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/minimum.growerpdemo.com.conf: SSLCertificateChainFile /etc/letsencrypt/live/minimum.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/sofami.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/sofami.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/newminimum.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/newminimum.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/phpbackend.conf: SSLCertificateChainFile /etc/apache2/ssl/phpbackend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/newantwebsystems.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/newantwebsystems.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/16050.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/16050.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15982.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15982.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/w3erp.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/w3erp.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/logo.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/logo.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15100.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15100.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/isharehr.conf: SSLCertificateChainFile /etc/letsencrypt/live/isharehr.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15303.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15303.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15942.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15942.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/productfromthailand.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/productfromthailand.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15820.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15820.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/w3erp.conf: SSLCertificateChainFile /etc/apache2/ssl/w3.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/isharehr-original.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/isharehr-original.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/vaadin-test.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/vaadin-test.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/new-growerpfrontend.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/new-growerpfrontend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/isharehr.conf-origin: SSLCertificateChainFile /etc/letsencrypt/live/isharehr.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15410-backend.growerpdemo.com.conf: SSLCertificateChainFile /etc/letsencrypt/live/15410-backend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/phpfrontend.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/phpfrontend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/14942.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/14942.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/antwebsystems.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/antwebsystems.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/14940.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/14940.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15921.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15921.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15571.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15571.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/-backend.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/-backend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/fe-aws.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/fe-aws.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15701-backend.growerpdemo.com.conf: SSLCertificateChainFile /etc/letsencrypt/live/15701-backend.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15363.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15363.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/antwebsystems.nl.conf: SSLCertificateFile /etc/apache2/ssl/antwebsystems.nl/fullchain.pem
/Data/Apache2/sites-available/jira.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/jira.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/www.growerp.com.conf: SSLCertificateChainFile /etc/letsencrypt/live/www.growerp.com/fullchain.pem
/Data/Apache2/sites-available/hg-erp.growerpdemo.com.conf: SSLCertificateFile /etc/letsencrypt/live/hg-erp.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15546.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15546.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup: SSLCertificateChainFile /etc/apache2/ssl/15780.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15951.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15951.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/hydrograv-erp.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/hydrograv-erp.growerpdemo.com/fullchain.pem

3. grep -r 10000 /Data/Apache2
/Data/Apache2/sites-available/10000.growerpdemo.com.conf:ServerName 10000.growerpdemo.com
/Data/Apache2/sites-available/10000.growerpdemo.com.conf:ServerName 10000.growerpdemo.com
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/10000.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateKeyFile /etc/apache2/ssl/10000.growerpdemo.com/privkey.pem
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/fullchain.pem

4. grep -r 16050 /Data/Apache2
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ServerName 16050.growerpdemo.com
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ProxyPass / ajp://16050.local:8009/
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ProxyPassReverse / ajp://16050.local:8009/
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:CustomLog /var/log/apache2/16050.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ErrorLog /var/log/apache2/16050.growerpdemo.com-error.log
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ServerName 16050.growerpdemo.com
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ProxyPass / ajp://16050.local:8009/
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ProxyPassReverse / ajp://16050.local:8009/
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:CustomLog /var/log/apache2/ssl-16050.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/16050.growerpdemo.com.conf:ErrorLog /var/log/apache2/ssl-16050.growerpdemo.com-error.log
/Data/Apache2/sites-available/16050.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/16050.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/16050.growerpdemo.com.conf: SSLCertificateKeyFile /etc/apache2/ssl/16050.growerpdemo.com/privkey.pem
/Data/Apache2/sites-available/16050.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/16050.growerpdemo.com/fullchain.pem

I will try to check fullchain to chain.

Yes, I can’t find anything else wrong.
I would just change this:
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/fullchain.pem

To this:
/Data/Apache2/sites-available/10000.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/10000.growerpdemo.com/chain.pem

If that fixes the problem, you will have to make similar changes to any of these 26 other files which also have a cert file and a chain file pointing to fullchain.pem, if they are in use (see the /Data/Apache2/sites-enabled/ folder):
(all these files are in the /Data/Apache2/sites-available/ folder)
14942.growerpdemo.com.conf
15100.growerpdemo.com.conf
15303.growerpdemo.com.conf
15363.growerpdemo.com.conf
15410-backend.growerpdemo.com.conf
15546.growerpdemo.com.conf
15571.growerpdemo.com.conf
15701-backend.growerpdemo.com.conf
15820.growerpdemo.com.conf
15921.growerpdemo.com.conf
15982.growerpdemo.com.conf
16050.growerpdemo.com.conf
16070.growerpdemo.com.conf
antwebsystems.growerpdemo.com.conf
newantwebsystems.growerpdemo.com.conf
isharehr.conf
jira.growerpdemo.com.conf
logo.growerpdemo.com.conf
minimum.growerpdemo.com.conf
newminimum.growerpdemo.com.conf
new-growerpfrontend.growerpdemo.com.conf
phpbackend.conf
salmax.conf
w3erp.conf
w3erp.growerpdemo.com.conf
www.growerp.com.conf

Also there are 3 files with cert files to cert.pem and no chain file (chain is not served):
15942.growerpdemo.com.conf
15951.growerpdemo.com.conf
nagios.growerpdemo.com.conf

And also, there are 2 files that have no cert file and a chainfile to fullchain (I’m not sure this setup will work):
15942.growerpdemo.com.conf
15951.growerpdemo.com.conf

And lastly, there are 8 files that have cert to fullchain.pem and no chainfile (these should be working correctly - Yay!)
14940.growerpdemo.com.conf
antwebsystems.nl.conf
hg-erp.growerpdemo.com.conf
hydrograv-erp.growerpdemo.com.conf
isharehr-original.growerpdemo.com.conf
productfromthailand.growerpdemo.com.conf
sofami.growerpdemo.com.conf
vaadin-test.growerpdemo.com.conf
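
The classification in the post above (cert.pem plus fullchain.pem sends the leaf twice, cert.pem alone serves no intermediate, fullchain.pem alone is correct) can be automated across a sites directory. The script below is an added example, not part of the original thread; the function names, labels and sample files are constructed for illustration, and it assumes one TLS vhost per file.

```shell
#!/bin/sh
# Added example: classify Apache vhost files by which certbot PEM files
# their SSLCertificateFile / SSLCertificateChainFile directives point to.
# Assumption: one TLS vhost per file (the last directive seen wins).

audit_vhost_tls() {
    dir=$1
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            # Directive names are case-insensitive in Apache. A commented-out
            # directive never matches because its first field starts with "#".
            { d = tolower($1) }
            d == "sslcertificatefile"      { cert  = $2 }
            d == "sslcertificatechainfile" { chain = $2 }
            END {
                if (cert == "") exit                    # no TLS directives here
                gsub(/"/, "", cert);   gsub(/"/, "", chain)
                sub(/.*\//, "", cert); sub(/.*\//, "", chain)   # keep file name only
                if (cert == "cert.pem" && chain == "fullchain.pem")
                    r = "DUPLICATE-LEAF"      # leaf + (leaf + intermediate)
                else if (cert == "cert.pem" && chain == "")
                    r = "NO-CHAIN"            # leaf only, intermediate not served
                else if (cert == "fullchain.pem" && chain != "")
                    r = "REDUNDANT-CHAIN"     # fullchain already has the intermediate
                else
                    r = "OK"                  # fullchain alone, or cert + chain.pem
                print r, file
            }' "$f"
    done
}

# Constructed sample configs (not taken from the server in the thread).
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' \
        'ServerName a.example' \
        '  SSLCertificateFile /etc/apache2/ssl/a.example/cert.pem' \
        '  SSLCertificateChainFile /etc/apache2/ssl/a.example/fullchain.pem' \
        > "$d/a-dup.conf"
    printf '%s\n' \
        'ServerName b.example' \
        '  SSLCertificateFile /etc/apache2/ssl/b.example/cert.pem' \
        > "$d/b-nochain.conf"
    printf '%s\n' \
        'ServerName c.example' \
        '  SSLCertificateFile /etc/letsencrypt/live/c.example/fullchain.pem' \
        > "$d/c-full.conf"
    printf '%s\n' \
        'ServerName d.example' \
        '#  SSLCertificateFile /etc/ssl/certs/cert.pem' \
        '  SSLCertificateFile /etc/letsencrypt/live/d.example/cert.pem' \
        '  SSLCertificateChainFile /etc/letsencrypt/live/d.example/chain.pem' \
        > "$d/d-split.conf"
    printf '%s\n' 'ServerName e.example' > "$d/e-plain.conf"   # HTTP only
    echo "$d"
}

# With an argument, audit that directory; otherwise run on the sample.
if [ "$#" -gt 0 ]; then
    audit_vhost_tls "$1"
else
    sample=$(make_sample_dir)
    audit_vhost_tls "$sample"
    rm -rf "$sample"
fi
```

Point it at the directory of enabled sites rather than sites-available, so that backup and unused files do not add noise.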

I have removed the old one (10000) and tried to configure 16070 with

Sorry for changing the subdomain to test; I have to fix 16070 (urgent).

Steps

  1. Request cert on ubuntu vm
  2. I have copied 2 folders to apache2 container after request cert.
    sudo docker cp /etc/letsencrypt/archive/16070.growerpdemo.com apache2:/etc/letsencrypt/archive/
    sudo docker cp /etc/letsencrypt/live/16070.growerpdemo.com apache2:/etc/letsencrypt/live/
  3. Configure the domain 16070 following below:
    SSLCertificateFile /etc/letsencrypt/live/16070.growerpdemo.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/16070.growerpdemo.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/16070.growerpdemo.com/chain.pem

It worked before. Any ideas?

There is a cert mismatch.
16070 is showing a cert from “15780.growerpdemo.com” and also a cert from “10000.growerpdemo.com”
and it is serving the cert twice:
Certificate chain
0 s:/CN=15780.growerpdemo.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/CN=15780.growerpdemo.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
2 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate chain
0 s:/CN=10000.growerpdemo.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Show:
1. /etc/letsencrypt/live/16070.growerpdemo.com/cert.pem
2. apache2:/etc/letsencrypt/live/16070.growerpdemo.com/cert.pem
3. grep -r 15780 /Data/Apache2
4. top

My best guess at this time is that your system is lacking resources - probably extremely short on memory.

1. /etc/letsencrypt/live/16070.growerpdemo.com/cert.pem
-----BEGIN CERTIFICATE----- […] -----END CERTIFICATE-----

2. apache2:/etc/letsencrypt/live/16070.growerpdemo.com/cert.pem
-----BEGIN CERTIFICATE----- […] -----END CERTIFICATE-----

3. grep -r 15780 /Data/Apache2

/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: ServerName BL-15780.growerpdemo.com
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: CustomLog /var/log/apache2/BL-15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: ErrorLog /var/log/apache2/BL-15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: ServerName BL-15780.growerpdemo.com
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: CustomLog /var/log/apache2/ssl-BL-15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: ErrorLog /var/log/apache2/ssl-BL-15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/BL-15780.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: SSLCertificateKeyFile /etc/apache2/ssl/BL-15780.growerpdemo.com/privkey.pem
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf-backup: SSLCertificateChainFile /etc/apache2/ssl/BL-15780.growerpdemo.com/chain.pem
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf: ServerName BL-15780.growerpdemo.com
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf: CustomLog /var/log/apache2/BL-15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/BL-15780.growerpdemo.com.conf: ErrorLog /var/log/apache2/BL-15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ServerName 15780.growerpdemo.com
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ProxyPass / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ProxyPassReverse / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:CustomLog /var/log/apache2/15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ErrorLog /var/log/apache2/15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ServerName 15780.growerpdemo.com
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ProxyPass / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ProxyPassReverse / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:CustomLog /var/log/apache2/ssl-15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/15780.growerpdemo.com.conf:ErrorLog /var/log/apache2/ssl-15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/15780.growerpdemo.com.conf: SSLCertificateFile /etc/apache2/ssl/15780.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf: SSLCertificateKeyFile /etc/apache2/ssl/15780.growerpdemo.com/privkey.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf: SSLCertificateChainFile /etc/apache2/ssl/15780.growerpdemo.com/fullchain.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ServerName 15780.growerpdemo.com
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ProxyPass / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ProxyPassReverse / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:CustomLog /var/log/apache2/15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ErrorLog /var/log/apache2/15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ServerName 15780.growerpdemo.com
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ProxyPass / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ProxyPassReverse / ajp://15780.local:8009/
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:CustomLog /var/log/apache2/ssl-15780.growerpdemo.com-access.log combined
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup:ErrorLog /var/log/apache2/ssl-15780.growerpdemo.com-error.log
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup: SSLCertificateFile /etc/apache2/ssl/15780.growerpdemo.com/cert.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup: SSLCertificateKeyFile /etc/apache2/ssl/15780.growerpdemo.com/privkey.pem
/Data/Apache2/sites-available/15780.growerpdemo.com.conf-backup: SSLCertificateChainFile /etc/apache2/ssl/15780.growerpdemo.com/fullchain.pem

4. top

The two certs match and they are for the correct domain name.
I think the problem is the lack of adequate memory as shown by the high use of swap file:

If you add the memory in use and the swap file space used
7537364+4989460
You get the necessary memory size to avoid having to use the swap file (more or less)=
1526824 KB or 11.94 GB.
Or you could simply increase the physical memory allocated by a number >= 4989460 (+4.758 GB)

But I can’t be sure, without having taken a previous measurement, whether these numbers are accurate or whether there is a memory leak somewhere. As the system shows it has been up for 40 days, I would restart the system and monitor the memory usage for a couple of days to see if the reboot helped and if the memory goes up and up over time.


I disagree with the interpretation of lacking memory here, and I think the problem is just something in the Apache configuration. If the Apache configuration files are written incorrectly, Apache may not be able to choose the correct certificate to serve for a particular inbound request.

I’ve looked everywhere else.
Maybe @schoen can find something I missed.

So, are you using /etc/apache2 at all, or only /Data/Apache2 on this server?