SSL Configuration File Precedence - Apache with Webmin

mrockett · May 24, 2017, 5:42pm

I have a VPS with Centos 7 minimal, Apache 2.4.6, Webmin, and LE. Initially, the certificate I issued for the domain worked, and was served correctly. The certificate has been renewed, but Apache doesn’t seem to serve it correcty. Interesting thing is that Webmin does, and they both point to the exact same files.

SSLCertificateFile /etc/letsencrypt/live/s0.domain/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/s0.domain/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/s0.domain/chain.pem

This is the Apache vhost config for *:443, as generated by LE. When loading up the domain in a browser, it says the certificate authority is invalid. Upon inspection of the certificate being issued, it looks like a self-signed certificate is being served, instead of the LE one. What’s interesting here as well as that there are 4 other vhosts with identical configuration, and their certs are being served correctly, and auto-renew works.

What could I do to investigate this further and solve the problem?

PS: I know our domains should be made public, but this isn’t a public site; it’s a private VPS for internal staff systems.

mrockett · May 24, 2017, 5:48pm

Okay, I went ahead and changed it in ssl.conf, but I’m still really curious to know why it stopped working after a while. Can’t tell when it stopped…

If I’ve changed it in ssl.conf (default SSL), is it safe to remove it from the server host vhost config to avoid the double-up?

ahaw021 · May 27, 2017, 10:25am

Hi @mrockett

I think you are facing precedence issues

What i mean by that is that root configs are trusted over leaf configs.

SSL.conf I believe is the root config and should not have any SSL related configs.

Saying that I am not an apache expert.

@sahsanu @mnordhoff @serverco – thoughts

Andrei

mrockett · May 27, 2017, 11:11am

Thanks @ahaw021 - I gathered something was going on along those lines. I’ve kept it as is for now, but will look into removing the configuration from ssl.conf as I’d like only vhost confs to specify certificate locations.

system · June 26, 2017, 11:12am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.