[ssl:warn] AH01906: server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

My domain is: giardinodivenere.it

My web server is: Apache 2.4.52

The operating system my web server runs on is: Ubuntu Linux 22.04.3

I can login to a root shell on my machine: yes

I'm using a control panel to manage my site: Virtualmin 7.8.2

The version of my client is: certbot 1.21.0

According to the thread that I started here (currently without any solution), please note that I intermittently can't access the website: I mean that both browsers, Chrome and Firefox, notice that the certificate is sometimes self-signed and sometimes not!

Honestly speaking, it seems to me that the certificate is correctly set up through Let's Encrypt:

[screenshot]

Could you please suggest a scientific troubleshooting approach in order to fix that issue?

Thank you in advance.

Some further evidence, the case when Chrome notices the certificate as self-signed:

Some further evidence, the case when Chrome notices the certificate under Let's Encrypt:

Two likely issues:

  1. When your webserver restarted, one of the child processes did not exit and is continuing to serve the old certificate. I would do a complete shutdown of the server, ensure no processes remain (kill ones that do) and then start up again.

  2. That domain resolves to two (2) IPs.

giardinodivenere.it. 300 IN A 172.67.204.67
giardinodivenere.it. 300 IN A 104.21.74.163

Both IPs are on Cloudflare's network. That suggests to me that you may have messed up your server, then transitioned to Cloudflare (or enabled auto ssl on them), and due to DNS propagation lagging, you are seeing some requests routed through cloudflare and others routed directly to your IPs. Cloudflare would have obtained certificates for you and is using them correctly, while your server is not.

There are other possible scenarios, but those are the most likely to me.

5 Likes

When this happens are you on the same local network as your server?

What URL are you using when this happens? Perhaps one with an IP address rather than the domain name?

I don't see how the wrong cert could be shown when your domain is proxied through Cloudflare. Because in this case the browser sees a cert obtained by the Cloudflare CDN. (unless you have been modifying the DNS)

Actually 4, as there are 2 for IPv6, but that doesn't change the overall theme.

Based on the cert history (link here) it looks like they have been using Cloudflare since the start so I don't think it likely they have a leftover child process. But, I agree they may have something amiss with the DNS or been modifying it.

nslookup giardinodivenere.it
Address: 172.67.204.67
Address: 104.21.74.163
Address: 2606:4700:3035::6815:4aa3
Address: 2606:4700:3034::ac43:cc43
5 Likes
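The two replies above both come down to one question: do all the addresses the domain resolves to present the same certificate, or does one route hand out Cloudflare's cert while another (a leftover Apache child, or the origin reached directly) hands out a self-signed one? The script below is an added example written for this thread, not code from the original posts, Let's Encrypt, Cloudflare or Virtualmin. It resolves every A/AAAA record, connects to each with SNI set to the domain, and compares the SHA-256 fingerprint of the leaf certificate each address serves; any extra IP given on the command line (for example the origin server's address, which is not on the page) is checked the same way so "direct" and "proxied" can be compared side by side. Assumptions: the system trust store is used for the verified handshake, and only port 443 is probed.

```python
#!/usr/bin/env python3
"""Compare the leaf certificate served by every address a domain resolves to.

Added example for this thread (not from the original posts, Let's Encrypt,
Cloudflare or Virtualmin). A verified handshake is tried first; if it fails
(e.g. a self-signed 'localhost' cert), the handshake is repeated unverified so
the fingerprint can still be compared with the other addresses.
"""
import hashlib
import socket
import ssl
import sys
from typing import Dict, List


def resolve(domain: str, port: int = 443) -> List[str]:
    """Every distinct A/AAAA address for the domain; a browser may pick any of them."""
    infos = socket.getaddrinfo(domain, port, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _leaf(ctx: ssl.SSLContext, ip: str, domain: str, port: int, timeout: float):
    """One TLS handshake to `ip` with SNI=domain; returns (DER leaf, parsed cert or {})."""
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=domain) as tls:
            return tls.getpeercert(binary_form=True), tls.getpeercert()


def fetch_leaf(ip: str, domain: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Describe the leaf certificate served at `ip` for `domain`."""
    try:
        # Default context: system trust store plus hostname check, like a browser.
        der, parsed = _leaf(ssl.create_default_context(), ip, domain, port, timeout)
        issuer = {k: v for rdn in parsed["issuer"] for k, v in rdn}
        return {"ip": ip, "sha256": hashlib.sha256(der).hexdigest(), "verified": True,
                "issuer": issuer.get("organizationName", "?"), "error": None}
    except ssl.SSLCertVerificationError as exc:
        error = exc.verify_message or str(exc)
    # Validation failed: fetch the cert anyway, only to fingerprint it.
    unverified = ssl.create_default_context()
    unverified.check_hostname = False
    unverified.verify_mode = ssl.CERT_NONE
    der, _ = _leaf(unverified, ip, domain, port, timeout)
    return {"ip": ip, "sha256": hashlib.sha256(der).hexdigest(), "verified": False,
            "issuer": None, "error": error}


def summarize(results: List[dict]) -> dict:
    """Group addresses by the leaf fingerprint they served.

    More than one group means clients get different certificates depending on
    which address (or route) they reach; 'unverified' lists the addresses whose
    cert failed normal validation, which is what the failing browsers see.
    """
    groups: Dict[str, List[str]] = {}
    for r in results:
        groups.setdefault(r["sha256"], []).append(r["ip"])
    unverified = [r["ip"] for r in results if not r["verified"]]
    return {"consistent": len(groups) == 1, "groups": groups, "unverified": unverified}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(f"usage: {sys.argv[0]} DOMAIN [EXTRA_IP ...]")
    domain, extra = sys.argv[1], sys.argv[2:]
    results = []
    for ip in resolve(domain) + extra:
        try:
            results.append(fetch_leaf(ip, domain))
        except OSError as exc:  # unreachable address, refused port, handshake failure
            print(f"{ip}: connection failed: {exc}")
            continue
        r = results[-1]
        print(f"{r['ip']:40} {r['sha256'][:16]}  verified={r['verified']}  "
              f"{r['issuer'] or r['error']}")
    report = summarize(results)
    print("consistent" if report["consistent"] else f"MISMATCH: {report['groups']}")
```

Run it from a machine outside the server's own network (and once from inside, since the question about the local network above matters): if the Cloudflare addresses all show one verified fingerprint while an extra origin IP shows an unverified one, the browser that fails is the one reaching the origin without going through the proxy.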

Separate from this "wrong cert" issue, your Origin Server is making too many requests for certs. All of the "R3" certs were obtained by you (see history below). The "E1" cert Cloudflare got on your behalf. The E1 is also what you show from your Chrome example above, which is what is expected when proxying your domain at Cloudflare and accessing your domain from the public internet.

When I see a renewal pattern like yours it is often because a renewal is being forced. They then get rate limited because of the 5 certs / week limit. The Cloudflare E1 certs do not count against your limit.

Maybe you just got 5 certs during setup and it's stable now. But, seeing this often points to something wrong in your server cert renewal. You should monitor this going forward so you only renew every 60 days.

Your recent cert history

5 Likes

These IPs are definitely from CloudFlare:

These dates are off [by six days]:
[two screenshots]

I would follow up with CloudFlare as to why that is happening.

3 Likes

That was for the R3 cert not the E1 cert Cloudflare got. (the latest R3 is not yet in crt.sh but is in censys.io)

The latest R3 issued cert expires Mar 9 and I think that is all they are showing. The later example of the failing browser showed a localhost cert. And the Chrome example working showed the E1 cert.

4 Likes

Honestly I don't know how to proceed; here is my verification with Cloudflare.

SSL Labs reports issues with your site.

These are in my configuration file for Apache 2.

You want to run TLS 1.2 and 1.3 only. Your site run

SSLProtocol -all +TLSv1.3 +TLSv1.2
Protocols h2 h2c http/1.1 acme-tls/1

I had to add the SSLCACertificateFile manually to every conf file.

SSLCACertificateFile /etc/letsencrypt/live/xxxx.com/chain.pem
SSLCertificateFile /etc/letsencrypt/live/xxxx.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/xxxx.com/privkey.pem

Not sure I have understood: did you fix it remotely, or did I miss something?

I see that I can also enable SSLv2, SSLv3, TLSv1, TLSv1.1 on my control panel: do you suggest enabling those protocols in order to get a better configuration? Honestly, the other websites I have run with only TLS 1.2 and 1.3.

Thank you in advance for your kind feedback.

Yes, because the Cloudflare CDN Edge is configured to support older protocols.

This is not controlled in their server config though. It is part of how Cloudflare works for proxied domains. CDN's are very different.

4 Likes

It is probably fine to only use TLS 1.2 and 1.3 but this has nothing to do with your localhost cert issue. Well, I am nearly certain anyway 🙂

3 Likes

Most browsers have issues with TLS 1.0 and SSL. This could cause issues with viewing your site. Cloudflare should have settings to disable TLS 1.0 and SSL since they are no longer supported.

Why?

3 Likes

It fixed an issue on the Fortinet and SSL Labs testing with the certificate chain not being complete. Could be an Apache2 thing with the CA Certificate. Once I added it, everything resolved.

I'd say, yes:

The fullchain.pem should have been enough.

2 Likes

I would agree. I use the SSL Labs "Test your server" tool to find issues.

According to my verification, the content of:

SSLCertificateFile ssl.cert is already in /etc/letsencrypt/live/*.it/fullchain.pem

and

SSLCertificateKeyFile ssl.key is already in /etc/letsencrypt/live/*****.it/privkey.pem

on the other hand, the content of

SSLCACertificateFile ssl.cert is missing in /etc/letsencrypt/live/*****.it/chain.pem

Should I proceed to fill chain.pem with the content of ssl.cert as suggested, in order to fix this?

Thank you in advance.

1 Like
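Before copying anything into chain.pem, it is worth checking mechanically what the certbot files already contain and what Apache is pointing at; that also covers the warning in the thread title, which Apache emits when the file given as SSLCertificateFile starts with a CA certificate (pointing it at chain.pem instead of fullchain.pem would typically do that). The checker below is an added example written for this thread, not code from the original posts, certbot or Apache. It assumes certbot's usual layout (cert.pem = leaf, chain.pem = intermediates, fullchain.pem = the two concatenated) and only inspects PEM framing, not signatures; the sample PEM bodies are constructed placeholders, not real certificates, and example.invalid is a placeholder domain.

```python
#!/usr/bin/env python3
"""Check certbot's live/ files and the Apache directives that use them.

Added example for this thread (not from the original posts, certbot or Apache).
Only the PEM framing is examined; nothing here validates signatures.
"""
import os
import re
from typing import Dict, List

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
DIRECTIVE_RE = re.compile(
    r"^\s*(SSLCertificateFile|SSLCertificateKeyFile|SSLCertificateChainFile|SSLCACertificateFile)\s+(\S+)",
    re.M)
LIVE_FILES = ("cert.pem", "chain.pem", "fullchain.pem")


def split_pem(bundle: str) -> List[str]:
    """Base64 body of each certificate in a PEM bundle, whitespace removed, in file order."""
    return [re.sub(r"\s+", "", body) for body in PEM_RE.findall(bundle)]


def load_live_dir(path: str) -> Dict[str, str]:
    """Read cert.pem, chain.pem and fullchain.pem from a certbot live/<name>/ directory."""
    return {name: open(os.path.join(path, name)).read() for name in LIVE_FILES}


def check_live_dir(files: Dict[str, str]) -> List[str]:
    """Findings about the relationship between the three files (empty list = as expected).

    certbot writes cert.pem = leaf only, chain.pem = intermediates only and
    fullchain.pem = cert.pem followed by chain.pem.
    """
    cert, chain, full = (split_pem(files[name]) for name in LIVE_FILES)
    findings = []
    if len(cert) != 1:
        findings.append(f"cert.pem should hold exactly one certificate, found {len(cert)}")
    if not chain:
        findings.append("chain.pem holds no certificate")
    if full != cert + chain:
        findings.append("fullchain.pem is not cert.pem followed by chain.pem")
    if cert and cert[0] in chain:
        findings.append("chain.pem contains the leaf; it should hold only the intermediates")
    return findings


def check_apache_directives(vhost_conf: str) -> List[str]:
    """Findings for the SSL file directives of one <VirtualHost> block.

    Pass one vhost at a time: with several, the last occurrence of each
    directive would win in the lookup below.
    """
    directives = dict(DIRECTIVE_RE.findall(vhost_conf))
    findings = []
    for name, expected in (("SSLCertificateFile", "fullchain.pem"),
                           ("SSLCertificateKeyFile", "privkey.pem")):
        if name not in directives:
            findings.append(f"{name} is missing")
        elif not directives[name].endswith("/" + expected):
            findings.append(f"{name} should point at .../{expected}, not {directives[name]}")
    if "SSLCertificateChainFile" in directives:
        findings.append("SSLCertificateChainFile is deprecated since Apache 2.4.8; "
                        "fullchain.pem in SSLCertificateFile already carries the chain")
    if "SSLCACertificateFile" in directives:
        findings.append("SSLCACertificateFile configures CAs for verifying client certificates; "
                        "it is not how the server's own chain is sent")
    return findings


def _placeholder_cert(label: str) -> str:
    """Constructed PEM-framed placeholder (not a real certificate) for the sample below."""
    body = (label.upper() * 40)[:64]
    return f"-----BEGIN CERTIFICATE-----\n{body}\n{body}\n-----END CERTIFICATE-----\n"


SAMPLE_LIVE = {  # constructed; mirrors the layout certbot writes
    "cert.pem": _placeholder_cert("leaf"),
    "chain.pem": _placeholder_cert("intermediate"),
    "fullchain.pem": _placeholder_cert("leaf") + _placeholder_cert("intermediate"),
}
SAMPLE_VHOST = """\
SSLEngine on
SSLProtocol -all +TLSv1.3 +TLSv1.2
SSLCertificateFile /etc/letsencrypt/live/example.invalid/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.invalid/privkey.pem
"""

if __name__ == "__main__":
    import sys
    live = load_live_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LIVE
    print("live dir:", check_live_dir(live) or "ok")
    print("vhost:", check_apache_directives(SAMPLE_VHOST) or "ok")
```

Run as `python3 checkcert.py /etc/letsencrypt/live/<your name>` (script name is an assumption) on the server; an empty findings list for the live directory means chain.pem already holds the intermediates and fullchain.pem already carries them, so the SSLCertificateFile line alone delivers the complete chain.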

No, adding SSLCACertificateFile to your Apache will not help this problem.

Can you explain more about the pattern of failure?

For example, does the same device / Chrome work several times in a row and then fail with the localhost cert? Or do one or more devices' Chrome always fail while other devices' Chrome always works?

It is highly unlikely the Cloudflare DNS system is failing intermittently only for you. There is almost certainly some other pattern to these failures. We need to find what it is.

4 Likes