Strange TLS problem with "some" users on "some" domains


#1

I have a group of domains on one server. They share the SSL certificates generated by the getssl script. The sites are served by Apache 2.4 on a Debian server. For most users, including me, it works fine. Firefox and IE show the green lock symbol with the Let’s Encrypt certificate information.

The strange thing is, some users, on some of these domains, cannot access the sites. In IE, they get the error message:
Activate TLS 1.0, TLS 1.1 and TLS 1.2 in the extended settings…
These settings are active.

All these sites have the same entries in the Apache virtual host settings. However, even the same users that get the error can access others of my domains that also have the same settings.

Here is my apache config:

SSLEngine on
SSLCompression off
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLHonorCipherOrder on
SSLProtocol All -SSLv2 -SSLv3

#2

Can you provide an example domain that they can not connect to ( and what that they can ) ?


#3

https://www.daec-berlin.de/ is the problematic domain.
https://www.aerofly-sim.de/ works.
Both are on the same server and have the same IP.
The users that report the error seem to run Windows 8 or 10. I have Linux Mint and Windows 7, both can access the sites w/o problem.


#4

It seems to depend on IPv6. The error can be reproduced when IPv6 is activated on the client.


#5
www.aerofly-sim.de.  (unsigned)  86400  CNAME  aerofly-sim.de.
aerofly-sim.de.      (unsigned)  86400  A      188.68.38.144
aerofly-sim.de.      (unsigned)  86400  AAAA   2a03:4000:13:28e::1002

www.daec-berlin.de.  (unsigned)  86372  CNAME  daec-berlin.de.
daec-berlin.de.      (unsigned)  86373  A      188.68.38.144
daec-berlin.de.      (unsigned)  86373  AAAA   2a03:4000:13:28e::1005

Indeed, https://www.aerofly-sim.de/ works for me over IPv6, but the web server for https://www.daec-berlin.de/'s IPv6 address isn’t configured correctly. It’s trying to run plain, unencrypted HTTP on the HTTPS port! So you can visit http://www.daec-berlin.de:443/ but not https://www.daec-berlin.de/.

It sounds like your configuration is missing an “SSLEngine on” somewhere, or some important part of the configuration is IPv4-only.

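The check that post #5 did by hand, as an added example (not code from the thread or from Apache): a small Python probe that resolves a host's A and AAAA records separately, opens a TCP connection over that one address family, sends a hand-built TLS ClientHello with SNI and classifies the first bytes that come back. A TLS listener answers with a handshake or alert record (first byte 0x16 or 0x15); a listener with no SSLEngine answers with an HTTP status line. The cipher list, the extension set and the local stand-in listeners are this example's own assumptions; it also assumes a plain-HTTP listener replies to the garbage request line at all, and reports "silent" when it instead waits for more input.

```python
import os
import socket
import struct
import threading

FAMILIES = {"ipv4": socket.AF_INET, "ipv6": socket.AF_INET6}


def tls_ext(ext_type: int, body: bytes) -> bytes:
    """Wrap an extension body in its TLS type/length header."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name: str) -> bytes:
    """Hand-built TLS 1.2 ClientHello with SNI; only needs to be valid enough to provoke a reply."""
    name = server_name.encode("idna")
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name(0)
    extensions = (
        tls_ext(0x0000, struct.pack("!H", len(sni_list)) + sni_list)  # server_name
        + tls_ext(0x000A, b"\x00\x04\x00\x1d\x00\x17")                 # supported_groups: x25519, secp256r1
        + tls_ext(0x000D, b"\x00\x06\x08\x04\x04\x03\x04\x01")        # signature_algorithms (assumed set)
    )
    ciphers = b"\xc0\x2f\xc0\x30\x00\x9c\x00\x2f"   # ECDHE-RSA-AES128/256-GCM, AES128-GCM, AES128-SHA (assumed)
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"       # client_version, random, empty session_id
        + struct.pack("!H", len(ciphers)) + ciphers
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, legacy version


def classify_response(data: bytes) -> str:
    """Decide what is listening from the first bytes sent back after the ClientHello."""
    if not data:
        return "no-response"      # peer closed without sending a byte
    if len(data) >= 2 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"              # alert or handshake record: the socket speaks TLS (cert may still be wrong)
    if data.startswith(b"HTTP/"):
        return "plain-http"       # an HTTP status line answered a ClientHello: no SSLEngine on this listener
    return "unknown"


def probe(host: str, port: int, family_name: str, timeout: float = 5.0) -> dict:
    """Resolve host for ONE address family, connect, send a ClientHello and classify the reply."""
    family = FAMILIES[family_name]
    try:
        addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return {"family": family_name, "address": None, "result": "no-address"}
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:   # family pinned: never falls back to the other one
            s.settimeout(timeout)
            s.connect(addr)
            s.sendall(build_client_hello(host))
            data = s.recv(512)
    except socket.timeout:
        return {"family": family_name, "address": addr[0], "result": "silent"}  # accepted, never answered
    except OSError as e:
        return {"family": family_name, "address": addr[0], "result": f"error: {e}"}
    return {"family": family_name, "address": addr[0], "result": classify_response(data)}


def probe_all(host: str, port: int = 443) -> dict:
    """Probe the A and the AAAA address separately so an IPv6-only misconfiguration stands out."""
    return {name: probe(host, port, name) for name in FAMILIES}


def stand_in_server(reply: bytes) -> int:
    """Constructed local stand-in (not a real web server): accept one connection, send a fixed reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    # Offline demo against stand-ins: a listener without SSLEngine answers HTTP, a TLS one answers a record.
    http_port = stand_in_server(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    tls_port = stand_in_server(b"\x15\x03\x03\x00\x02\x02\x28")   # fatal handshake_failure alert
    print(probe("127.0.0.1", http_port, "ipv4"))
    print(probe("127.0.0.1", tls_port, "ipv4"))
    # Against a real host: print(probe_all("www.example.org"))
```

Run `probe_all("www.daec-berlin.de")` and compare the two results: "tls" for ipv4 next to "plain-http" (or "silent") for ipv6 is exactly the symptom in this thread, and it will only ever be seen by clients that prefer the AAAA record, which is why Windows 8/10 users saw it and IPv4-only clients did not. The probe deliberately stops before certificate validation; once both families answer "tls", `openssl s_client -6 -servername host -connect host:443` is the next check.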

#6

Which is strange, because all virtual hosts are defined as macros that are expanded for the IPv4 and the IPv6 address. So the config should be identical.


#7

Going by the DNS, those two sites have slightly different IPv6 addresses. Is the Apache configuration taking that into account?


#8

Yes, this was intended, but may indeed be a problem. Both sites have the same IPv4 address and different IPv6 addresses. Could there be a problem with the certificate this way? My knowledge is limited here.


#9

No, Let’s Encrypt certificates are for DNS names (FQDNs) only, the IP address (whether IPv4 or IPv6) doesn’t matter at all.


#10

@eehmke, it might help if you could post your full Apache config, either here or in a gist, so we can see the VirtualHost and SSLEngine directives.


#11

Will do. But indeed I seem to have solved the problem by changing the DNS configuration for those domains. They now share not only the same IPv4 address, but also the same IPv6 address. After that DNS change was propagated, I could access the sites via HTTPS and IPv6 without problems. Of course, I also had to adapt the vhost configuration.

Still I would like to have different IPv6 addresses for the domains. Would it be an option to generate separate certificates for IPv4 and IPv6? At the moment, they all share the same SAN certificate.


#12

Excellent, congrats!

As @tialaramex says, so long as your IPv4 and IPv6 addresses are serving for the same domain name, it is correct to use the same certificate for both.

