SSL Certificate Issue with Subdomains

I have set up SSL certificates for three subdomains of my domain. Initially, everything was working well, and the certificates were valid on both desktop and mobile devices. However, I recently started encountering SSL certificate errors on my PC browser, whereas they are working correctly on my mobile.

  1. Domain: https://robert.salazarysalazar.com/
  • Issue: SSL certificate error on PC browser.
  2. Domain: https://avanza.salazarysalazar.com/
  • Issue: SSL certificate error on PC browser.
  3. Domain: https://sigi.salazarysalazar.com/
  • Status: Working as expected on both PC and mobile.

The operating system my web server runs on is Ubuntu 18.04.

My hosting provider, if applicable, is: Linode

I can log in to a root shell on my machine: yes

The version of my client is certbot 2.6.0

I would appreciate any guidance or suggestions to identify and resolve the SSL certificate issue on my PC browser for the subdomains "robert.salazarysalazar.com" and "avanza.salazarysalazar.com." Additionally, if there are any other potential causes I might have missed, please let me know.

Thank you for your assistance!

1 Like

Each domain has a different issue.

This one is missing an intermediate chain. Your server looks like nginx, so maybe you used cert.pem instead of fullchain.pem for your ssl_certificate.

See:

For domain #2, I don't see any problem using above SSL Checker. Can you show more details of the error you see?

4 Likes

And, your domain #3 has an intermittent problem

You should restart that server. I think your Apache has a stuck worker process serving an older cert. Or, at least an invalid one.

Every other request uses a different cert. Use that same SSL Checker as above and just issue consecutive requests. You should sometimes see below error and other times it is fine.

4 Likes

Hi @ccssmania, and welcome to the LE community forum :slight_smile:

This doesn't look right:

Name:      robert.salazarysalazar.com
Addresses: 2600:3c00::f03c:91ff:fe02:2c1a
           45.33.24.38

Name:      avanza.salazarysalazar.com
Addresses: 2600:3c00::f03c:91ff:fe02:2c1a
           66.96.162.140

Name:      sigi.salazarysalazar.com
Addresses: 2600:3c00::f03c:91ff:fe02:2c1a
           45.33.24.38

The IPv6 address is the same for all three.
But the IPv4 addresses are not the same.

5 Likes

Thank you for your prompt response. Following @MikeMcQ's feedback, I initiated an investigation into the issues related to our SSL certificates using the SSL Checker tool.

Interestingly, after conducting the investigation, I noticed that all functionalities have been restored without making any significant changes. This indicates that the problems we experienced might have been caused by an intermittent issue or the caching of certificates.

As for @rg305's answer, all 3 have the same A/AAAA Record configuration

So far everything seems to be working fine again.

1 Like

No, domain #3 is still using the wrong cert every other request as I pointed out here

You can easily reproduce just by running the SSL Checker twice in a row. Click its big CHECK button to repeat requests

I did not re-check the others

3 Likes

What could be causing this intermittency?

I have a containerized application and I am using nginx as a reverse proxy. The following is the configuration of the reverse proxy:

server {
    if ($host = avanza.salazarysalazar.com) {
        return 301 https://$host$request_uri;
    }


    listen 80;
    listen [::]:80;

    server_name .avanza.salazarysalazar.com;
    return 301 https://$host$request_uri;

}


server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name avanza.salazarysalazar.com;
    server_tokens off;
    client_max_body_size 10M;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS_AES_256_GCM_SHA384:TLS-AES-256-GCM-SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS-CHACHA20-POLY1305-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA;
    ssl_prefer_server_ciphers on;
    ssl_dhparam /etc/nginx/dhparams.pem;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    charset utf-8;

    location /.well-known/acme-challenge {
        auth_basic off;
        allow all;
        alias /home/<user>/.letsencrypt;
    }


    location / {
        proxy_pass https://avanza.salazarysalazar.com:447;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }


    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    access_log off;
    error_log  /var/log/nginx/avanza.salazarysalazar.com-error.log error;

    error_page 404 /index.php;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_index index.php;
        include fastcgi_params;
        proxy_pass https://avanza.salazarysalazar.com:447;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }


    ssl_certificate /etc/letsencrypt/live/avanza.salazarysalazar.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/avanza.salazarysalazar.com/privkey.pem; # managed by Certbot

}

You might have a firewall that runs Apache server for that domain before it reaches that nginx. Or, you have some kind of routing problem between your containers or something like that.

In any case, it is an Apache server sending the long-expired wildcard cert.

curl -ik https://sigi.salazarysalazar.com
HTTP/1.1 403 Forbidden
Date: Tue, 01 Aug 2023 14:52:31 GMT
Server: Apache/2
Age: 0
2 Likes

@ccssmania, your reply shows the vhost configs for name #2 [not #3].

2 Likes

Not exactly.
As shown below, they do use the same IPv6 address, but their IPv4 addresses are NOT the same:

Name:     robert.salazarysalazar.com
Addresses: 2600:3c00::f03c:91ff:fe02:2c1a
           45.33.24.38   <<<<<<<<<<<<<<<<<<<<<<<<<<<<< 45.33.24.38

Name:     avanza.salazarysalazar.com
Addresses: 2600:3c00::f03c:91ff:fe02:2c1a
           45.33.24.38   <<<<<<<<<<<<<<<<<<<<<<<<<<<<< 45.33.24.38

Name:     sigi.salazarysalazar.com
Addresses: 2600:3c00::f03c:91ff:fe02:2c1a
           66.96.162.140 <<<<<<<<<<<<<<<<<<<<<<<<<<<<< NOT 45.33.24.38
4 Likes

They may have just fixed it. Did you check the authoritives?

nslookup sigi.salazarysalazar.com ns1.linode.com
Address: 45.33.24.38
Address: 2600:3c00::f03c:91ff:fe02:2c1a

(my resolver does not even show the AAAA)
nslookup sigi.salazarysalazar.com
Address: 66.96.162.140
3 Likes

Yes, I was using my default [DNS service] for that output [:zzz: at the wheel].
Which using a DNS cleaning service...
Which must have heard a very long TTL [yesterday]; As it still has time left on that clock:

4 Likes

The SSL certificate for the domain "sigi.salazarysalazar.com" does not show any errors according to the analysis conducted on the website "https://decoder.link/sslchecker/sigi.salazarysalazar.com/443".

However, despite the absence of SSL certificate errors, the webpage for "sigi.salazarysalazar.com" is displaying an error.

And for some reason the domain points to *.salazarysalazar.com

It's worth noting that the SSL certificate configuration appears to be correct for the other subdomains, as they point correctly to their respective destinations.

I also see something very unusual with your sigi.salazarysalazar.com domain

Sometimes HTTPS requests see your nginx server and work fine. But, other times an Apache/2 server replies with the expired wildcard cert you show.

I still believe that Apache response is some sort of firewall. From my own test server I was sometimes seeing the correct nginx response but sometime later the wrong Apache response.

I only saw the wrong response with IPv4 address. Your IPv6 seemed fine but I did not test it as thoroughly. You should check your hosting settings for any such firewall. Or, even ask Linode why Apache is intercepting some requests for your domain.

From just a few minutes ago

(IPv6 is correct)
echo | openssl s_client -6 -connect sigi.salazarysalazar.com:443 | head
---
Certificate chain
 0 s:CN = sigi.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jul 29 16:58:18 2023 GMT; NotAfter: Oct 27 16:58:17 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256

IPv4 (-4)  fails occasionally
Oddly, SSL Labs showed it working fine just before this 
And, it worked fine from this same test server maybe 10 minutes earlier

echo | openssl s_client -4 -connect sigi.salazarysalazar.com:443 | head
depth=0 CN = *.salazarysalazar.com
verify error:num=10:certificate has expired
notAfter=Sep 17 16:49:03 2019 GMT
verify return:1
---
Certificate chain
 0 s:CN = *.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jun 19 16:49:03 2019 GMT; NotAfter: Sep 17 16:49:03 2019 GMT
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
6 Likes
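The two `openssl s_client` captures above show the two failure modes this thread has discussed: an expired wildcard cert presented on some IPv4 requests for domain #3, and (earlier, for domain #1) a server sending only the leaf because cert.pem was used instead of fullchain.pem. The script below is an added example, not code from anyone in this thread: it parses the `Certificate chain` section of `openssl s_client ... | head` output, flags an expired leaf or a missing intermediate, and detects the every-other-request flapping when several probes are compared. The samples are abbreviated copies typed in for the example (not live captures), and the probe date is assumed to be 1 Aug 2023.

```python
import re
from datetime import datetime, timezone
# Constructed samples in the `openssl s_client ... | head` layout shown in the thread
# (abbreviated copies typed in for this example, not captures from the servers).
GOOD_V6 = """---
Certificate chain
 0 s:CN = sigi.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Jul 29 16:58:18 2023 GMT; NotAfter: Oct 27 16:58:17 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""
BAD_V4 = """---
Certificate chain
 0 s:CN = *.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   v:NotBefore: Jun 19 16:49:03 2019 GMT; NotAfter: Sep 17 16:49:03 2019 GMT
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
"""
LEAF_ONLY = GOOD_V6.split(" 1 s:")[0]  # what a server sends when configured with cert.pem, not fullchain.pem
PROBE_TIME = datetime(2023, 8, 1, tzinfo=timezone.utc)  # assumed probe date (the thread's 1 Aug 2023)
ENTRY = re.compile(r"^\s*(\d+) s:(.*)$")        # " 0 s:CN = ..." starts one chain entry
NOT_AFTER = re.compile(r"NotAfter: (.+ GMT)")   # from the "v:NotBefore ...; NotAfter ..." line

def parse_chain(text):
    """Return the presented chain as a list of {subject, issuer, not_after} dicts, leaf first."""
    chain = []
    for line in text.splitlines():
        if m := ENTRY.match(line):
            chain.append({"subject": m.group(2).strip(), "issuer": None, "not_after": None})
        elif chain and line.strip().startswith("i:"):
            chain[-1]["issuer"] = line.strip()[2:]
        elif chain and (m := NOT_AFTER.search(line)):
            chain[-1]["not_after"] = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)
    return chain

def assess(chain, now=PROBE_TIME):
    """Findings a browser would reject: an expired leaf, or no intermediate sent at all."""
    if not chain:
        return ["no certificate chain in output"]
    findings = []
    leaf = chain[0]
    if leaf["not_after"] and leaf["not_after"] < now:
        findings.append(f"leaf expired {leaf['not_after']:%Y-%m-%d}: {leaf['subject']}")
    if len(chain) < 2:
        findings.append("no intermediate sent (cert.pem instead of fullchain.pem?)")
    return findings

def flapping(observations):
    """True when repeated probes of one host present different leaf subjects (the domain #3 symptom)."""
    subjects = {c[0]["subject"] for c in map(parse_chain, observations) if c}
    return len(subjects) > 1
```

To use it live, run `echo | openssl s_client -4 -connect host:443 2>/dev/null` several times in a row, feed each capture to `parse_chain`, and pass the list to `flapping`; repeat with `-6` to compare address families as the post above does.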

Will do, thank you for your help.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.