The operating system my web server runs on is: Ubuntu Linux 22.04.3
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: Virtualmin 7.8.2
The version of my client is: certbot 1.21.0
According to the thread that I started here (currently without any solution), please note that I intermittently can't access the website: I mean that both browsers, Chrome and Firefox, report that the certificate is sometimes self-signed and sometimes not!
Honestly speaking, it seems to me that the certificate is correctly set up through Let's Encrypt:
Could you please suggest a systematic troubleshooting approach to fix this issue?
When your web server restarted, one of the child processes did not exit and is continuing to serve the old certificate. I would do a complete shutdown of the server, ensure no processes remain (kill ones that do) and then start up again.
That domain resolves to two (2) IPs.
giardinodivenere.it. 300 IN A 172.67.204.67
giardinodivenere.it. 300 IN A 104.21.74.163
Both IPs are on Cloudflare's network. That suggests to me that you may have messed up your server, then transitioned to Cloudflare (or enabled auto ssl on them), and due to DNS propagation lagging, you are seeing some requests routed through cloudflare and others routed directly to your IPs. Cloudflare would have obtained certificates for you and is using them correctly, while your server is not.
There are other possible scenarios, but those are the most likely to me.
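One way to make the troubleshooting systematic is to resolve every address the name points to and open a TLS connection to each one with the domain as SNI, recording whether the chain verifies and, if it does, who issued the leaf certificate and how many days it has left. The script below is an added example, not code from this thread or from any of the posters; the hostname on the command line is a placeholder you replace with the domain you administer, and the two sample dictionaries are constructed to mirror what `ssl.SSLSocket.getpeercert()` returns for a Let's Encrypt R3 leaf and for a self-signed "localhost" certificate.

```python
import socket
import ssl
import sys
import time


def resolve_all(hostname):
    """Return every IPv4/IPv6 address the name currently resolves to."""
    infos = socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in rdns for (key, value) in rdn}


def classify(cert, now=None):
    """Summarise a getpeercert() dict: issuer, whether it is self-signed
    (subject == issuer) and how many whole days remain before expiry."""
    now = time.time() if now is None else now
    subject = _rdn_to_dict(cert["subject"])
    issuer = _rdn_to_dict(cert["issuer"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return {
        "subject_cn": subject.get("commonName", "?"),
        "issuer_org": issuer.get("organizationName", "?"),
        "issuer_cn": issuer.get("commonName", "?"),
        "self_signed": cert["subject"] == cert["issuer"],
        "days_left": int((not_after - now) // 86400),
    }


def probe(hostname, address, timeout=5.0):
    """Open one TLS connection to `address` with SNI set to `hostname` and
    report either the verified leaf certificate or the reason verification
    failed (for a self-signed origin cert: 'self-signed certificate')."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((address, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return {"address": address, "verified": True,
                        **classify(tls.getpeercert())}
    except ssl.SSLCertVerificationError as err:
        return {"address": address, "verified": False, "error": err.verify_message}
    except OSError as err:  # refused, timeout, reset, ...
        return {"address": address, "verified": False, "error": str(err)}


def probe_all(hostname):
    """Probe every address the name resolves to; a per-address difference
    (one address serving a stale or self-signed cert) shows up as one row."""
    return [probe(hostname, addr) for addr in resolve_all(hostname)]


# Constructed samples in getpeercert() shape (not real certificates).
SAMPLE_LE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notAfter": "Mar 10 12:00:00 2024 GMT",
}
SAMPLE_SELF_SIGNED = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "localhost"),),),
    "notAfter": "Jan 10 12:00:00 2025 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Jan 10 12:00:00 2024 GMT")  # fixed clock


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    for result in probe_all(host):
        print(result)
```

Run it a number of times from the machine that sees the failures and from one outside your network; if only some addresses (or only the origin's own IP) come back with `verified: False` and a self-signed reason, the problem is on the server or in the DNS records, not at the CDN. The `days_left` field is also a cheap way to watch that the origin certificate is only replaced roughly every 60 days rather than being renewed on every run.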
When this happens are you on the same local network as your server?
What URL are you using when this happens? Perhaps one with an IP address rather than the domain name?
I don't see how the wrong cert could be shown when your domain is proxied through Cloudflare. Because in this case the browser sees a cert obtained by the Cloudflare CDN. (unless you have been modifying the DNS)
Actually 4, as there are 2 for IPv6, but that doesn't change the overall theme.
Based on the cert history (link here) it looks like they have been using Cloudflare since the start so I don't think it likely they have a leftover child process. But, I agree they may have something amiss with the DNS or been modifying it.
Separate from this "wrong cert" issue, your Origin Server is making too many requests for certs. All of the "R3" certs were obtained by you (see history below). The "E1" cert Cloudflare got on your behalf. The E1 is also what you show from your Chrome example above. Which is what is expected when proxying your domain at Cloudflare and accessing your domain from the public internet.
When I see a renewal pattern like yours it is often because a renewal is being forced. They then get rate limited because of the 5 certs / week limit. The Cloudflare E1 certs do not count against your limit.
Maybe you just got 5 certs during setup and it's stable now. But, seeing this often points to something wrong in your server cert renewal. You should monitor this going forward so you only renew every 60 days.
That was for the R3 cert not the E1 cert Cloudflare got. (the latest R3 is not yet in crt.sh but is in censys.io)
The latest R3 issued cert expires Mar 9 and I think that is all they are showing. The later example of the failing browser showed a localhost cert. And the Chrome example working showed the E1 cert.
I'm not sure I understood: did you fix something remotely, or did I miss something?
I see that I can also enable SSLv2, SSLv3, TLSv1, TLSv1.1 on my control panel: do you suggest enabling those protocols for a better configuration? Honestly, the other websites I run use only TLS 1.2 and 1.3.
Most browsers have issues with TLS 1.0 and SSL. This could cause issues with viewing your site. Cloudflare should have settings to disable TLS 1.0 and SSL since they are no longer supported.
It fixed an issue on the Fortinet and SSL Labs testing with the certificate chain not being complete. Could be an Apache2 thing with the CA Certificate. Once I added it, everything resolved.
No, adding SSLCACertificateFile to your Apache will not help this problem.
Can you explain more about the pattern of failure?
Example: does the same device / Chrome work several times in a row and then fail with the localhost cert? Or does Chrome on one or more devices always fail while Chrome on other devices always works?
It is highly unlikely the Cloudflare DNS system is failing intermittently only for you. There is almost certainly some other pattern to these failures. We need to find what it is.