Subdomain cert not recognized by SSL Labs


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: drills.enorugby.com

I ran this command: certbot --staging

It produced this output:
Congratulations! You have successfully enabled https://drills.enorugby.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=drills.enorugby.com

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): VestaCP

I already have a certificate for enorugby.com & www.enorugby.com. I am trying to add a separate cert for drills.enorugby.com. These all share the same IP address. Certbot seemed to run successfully, but when I run the SSL Labs test, it gives me a name mismatch. It seems to be looking at the other cert (enorugby.com).

Additionally, I have drills.enorugby.com set up as a separate web domain in VestaCP. When I edit the domain and select SSL Support - Lets Encrypt Support and save my changes, I get the following error: Error: Invalid response from http://drills.enorugby.com/.well-known/acme-challenge/julivmVddbxxAjqd2JDWUbaJfWWQpKC65FkMb6NmhBk: \

(Side note, before creating the new cert, I tried adding this subdomain to the existing cert using certbot certonly --cert-name enorugby.com -d enorugby.org,www.enorugby.org,drills.enorugby.com - this did not give me any errors, but it did not seem to update the Apache configuration, and I could not enable SSL Support in Vesta CP. I used that same command to remove drills.enorugby.com from the certificate, and then tried creating this new one. I really don’t care if it is on the same cert or not. I moved to creating a new one, because I was concerned that it would fail too many times in VestaCP, I would hit my rate limit, and I would lose the cert for enorugby.com, which is a public-facing website.)

Appreciate any advice you can give me. Thanks.


#2

Hi @boredomisagift

if you use such a control panel with its own SSL menu, you should never use Certbot in parallel. That can’t work.

And you shouldn’t change your Apache configuration with Certbot, if you use VestaCP.


#3

Hi @JuergenAuer, I’m not sure I understand. I used certbot to install the cert for my primary domains a few weeks ago, and it worked just fine with VestaCP. Unfortunately, I cannot remember the exact steps I took to get it working, and now I cannot make it work with my secondary subdomain.

How would I do this without using Certbot? I do not see any options in VestaCP to obtain and install a certificate.


#4

FYI Certbot does not change the files in /etc/apache2. It detects the files that VestaCP created in the /home/admin/conf/web/ folder. For my primary domain, VestaCP created a file in that folder called enorugby.com.apache.conf, and then Certbot created a new file there called enorugby.com.apache.ssl.conf.
This folder also contains a file called drills.enorugby.com.apache.conf (created by VestaCP). When I added drills.enorugby.com to my existing certificate, a new SSL conf file was NOT created as I expected. However, when I created a new cert for that subdomain, a new file was generated, though with a slightly different filename than I expected: drills.enorugby.com.apache-le-ssl.conf


#5

If the new name was added to an existing cert, why would it need to create a new conf?
[to add] the new name was probably already included in the existing conf or overlapped with it.

new cert = new conf.
This is expected.
Otherwise, where/how would you handle the new cert at all?


#6

@rg305 That makes sense. With VestaCP, I have a separate .conf file for each web domain. (Domain 1 = enorugby.com & www.enorugby.com, Domain 2 = drills.enorugby.com) Since I need to have separate .conf files for each, it sounds like I need separate certificates for each.

This brings me back to my original problem. I have installed a staging cert for drills.enorugby.com, but it is not working properly. According to Let's Debug, there are no issues: https://letsdebug.net/drills.enorugby.com/15971
But according to SSL Labs, I have a name mismatch. It seems to be reading my other existing certificate for enorugby.com, not my new certificate for drills.enorugby.com.
https://www.ssllabs.com/ssltest/analyze.html?d=drills.enorugby.com&hideResults=on

And VestaCP does not seem to recognize the new cert either. (See original post for that error message.)


#7

It seems the drills conf is using the wrong cert.

Please show (adjust if conf folder is elsewhere):
grep -Eri 'servername|serveralias|sslcert' /etc/apache2

and also show:
certbot certificates


#8

(Note: .conf file directory is /home/admin/conf/web)
/home/admin/conf/web/enorugby.com.apache2.ssl.conf: ServerName enorugby.com
/home/admin/conf/web/enorugby.com.apache2.ssl.conf: ServerAlias www.enorugby.com
/home/admin/conf/web/enorugby.com.apache2.ssl.conf:SSLCertificateFile /etc/letsencrypt/live/enorugby.com/fullchain.pem
/home/admin/conf/web/enorugby.com.apache2.ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/enorugby.com/privkey.pem
/home/admin/conf/web/enorugby.com.apache2.conf: ServerName enorugby.com
/home/admin/conf/web/enorugby.com.apache2.conf: ServerAlias www.enorugby.com
/home/admin/conf/web/drills.enorugby.com.apache2-le-ssl.conf: ServerName drills.enorugby.com
/home/admin/conf/web/drills.enorugby.com.apache2-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/drills.enorugby.com/fullchain.pem
/home/admin/conf/web/drills.enorugby.com.apache2-le-ssl.conf:SSLCertificateKeyFile /etc/letsencrypt/live/drills.enorugby.com/privkey.pem
/home/admin/conf/web/drills.enorugby.com.apache2.conf: ServerName drills.enorugby.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/www.enorugby.com.conf produced an unexpected error: expected /etc/letsencrypt/live/www.enorugby.com/cert.pem to be a symlink. Skipping.


Found the following certs:
Certificate Name: enorugby.com
Domains: enorugby.com www.enorugby.com
Expiry Date: 2019-04-12 19:46:16+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/enorugby.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/enorugby.com/privkey.pem
Certificate Name: drills.enorugby.com
Domains: drills.enorugby.com
Expiry Date: 2019-04-12 19:47:31+00:00 (INVALID: TEST_CERT)
Certificate Path: /etc/letsencrypt/live/drills.enorugby.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/drills.enorugby.com/privkey.pem

The following renewal configuration files were invalid:
/etc/letsencrypt/renewal/www.enorugby.com.conf


Note: At the very beginning of this adventure, I tried to add my drills subdomain to the existing cert using certbot --certname www.enorugby.com -d enorugby.com,www.enorugby.com,drills.enorugby.com
I should have done --certname enorugby.com, as this is how I first registered the certificate. Including the “www.” was a mistake, and I think it may have created a new cert. I deleted those cert files, though maybe I should have revoked the cert instead? Anyway, I think this is where the error is coming from.
It appears I’ve made quite the mess of this!


#9

So far, so good.
Except the “TEST_CERT” status.

And this needs to be addressed:

Please show that file.


#10

I wonder if this is part of the problem. I have this file: /etc/apache2/conf.d/vesta.conf, which contains the following lines:
Include /home/admin/conf/web/enorugby.com.apache2.conf
Include /home/admin/conf/web/enorugby.com.apache2.ssl.conf
Include /home/admin/conf/web/drills.enorugby.com.apache2.conf

Note that it does not contain a line for the drills.enorugby.com SSL conf file. I tried adding this manually:
Include /home/admin/conf/web/drills.enorugby.com.apache2-le-ssl.conf
However, when I do this, I get errors when restarting the apache2 service, so I took that line out.


#11

Please show this file then:

Without it, Apache is forced to use the closest matching conf.
In this case the only other SSL enabled conf:
/home/admin/conf/web/enorugby.com.apache2.ssl.conf
Which explains why you get the wrong content and cert for drills - there is no drills TLS conf enabled.
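One way to check this mechanically, as an added example that is not part of the thread: given the grep output from #8 and the Include lines from #10 (embedded below as constructed sample input), the script applies Apache's SNI selection rule and reports which certificate each name really gets. It assumes the conf files are only loaded through those Include lines and that the SSL vhosts all listen on the same IP:port.

```python
import re
from collections import defaultdict

# Constructed from the grep output and vesta.conf Include lines posted in the thread.
GREP_OUTPUT = """\
/home/admin/conf/web/enorugby.com.apache2.ssl.conf: ServerName enorugby.com
/home/admin/conf/web/enorugby.com.apache2.ssl.conf: ServerAlias www.enorugby.com
/home/admin/conf/web/enorugby.com.apache2.ssl.conf:SSLCertificateFile /etc/letsencrypt/live/enorugby.com/fullchain.pem
/home/admin/conf/web/enorugby.com.apache2.conf: ServerName enorugby.com
/home/admin/conf/web/drills.enorugby.com.apache2-le-ssl.conf: ServerName drills.enorugby.com
/home/admin/conf/web/drills.enorugby.com.apache2-le-ssl.conf:SSLCertificateFile /etc/letsencrypt/live/drills.enorugby.com/fullchain.pem
/home/admin/conf/web/drills.enorugby.com.apache2.conf: ServerName drills.enorugby.com
"""
VESTA_CONF = """\
Include /home/admin/conf/web/enorugby.com.apache2.conf
Include /home/admin/conf/web/enorugby.com.apache2.ssl.conf
Include /home/admin/conf/web/drills.enorugby.com.apache2.conf
"""

# grep prints "<file>:<directive> <value>", sometimes with leading whitespace.
LINE_RE = re.compile(r"^(?P<file>[^:]+):\s*(?P<key>\S+)\s+(?P<val>.+)$")

def parse_grep(text):
    """Group grep hits per conf file: the names it serves and the cert it uses."""
    vhosts = defaultdict(lambda: {"names": [], "cert": None})
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        key = m["key"].lower()
        if key in ("servername", "serveralias"):
            vhosts[m["file"]]["names"].extend(m["val"].split())
        elif key == "sslcertificatefile":
            vhosts[m["file"]]["cert"] = m["val"].strip()
    return dict(vhosts)

def parse_includes(text):
    """Return the files vesta.conf actually loads, in load order."""
    return [ln.split(None, 1)[1].strip() for ln in text.splitlines()
            if ln.strip().lower().startswith("include ")]

def tls_vhost_for(name, vhosts, includes):
    """Apache's SNI rule: first loaded SSL vhost whose ServerName/ServerAlias
    matches wins; otherwise the first loaded SSL vhost is the default."""
    loaded = [(f, vhosts[f]) for f in includes if f in vhosts and vhosts[f]["cert"]]
    for f, v in loaded:
        if name in v["names"]:
            return f, v["cert"], True
    if loaded:
        return loaded[0][0], loaded[0][1]["cert"], False
    return None, None, False

def report(vhosts, includes):
    """Per name with an SSL conf on disk: which conf/cert Apache really uses."""
    result = {}
    for f, v in vhosts.items():
        if not v["cert"]:
            continue
        for name in v["names"]:
            used, cert, ok = tls_vhost_for(name, vhosts, includes)
            result[name] = {"expected_conf": f, "used_conf": used, "cert": cert,
                            "name_matches": ok, "conf_included": f in includes}
    return result

# On the thread's values this flags drills.enorugby.com as served by the
# enorugby.com certificate, because its -le-ssl.conf is never included.
RESULT = report(parse_grep(GREP_OUTPUT), parse_includes(VESTA_CONF))
```

Appending the missing Include line to VESTA_CONF and re-running report() is the quickest way to confirm the fix before touching the live server.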


#12

renew_before_expiry = 30 days

version = 0.26.1
archive_dir = /etc/letsencrypt/archive/www.enorugby.com
cert = /etc/letsencrypt/live/www.enorugby.com/cert.pem
privkey = /etc/letsencrypt/live/www.enorugby.com/privkey.pem
chain = /etc/letsencrypt/live/www.enorugby.com/chain.pem
fullchain = /etc/letsencrypt/live/www.enorugby.com/fullchain.pem

Options used in the renewal process

[renewalparams]
account = b73f1a065cd4029d0f05cb64121d2f6b
authenticator = apache
server = https://acme-v02.api.letsencrypt.org/directory


#13
ServerName drills.enorugby.com

ServerAdmin info@drills.enorugby.com
DocumentRoot /home/admin/web/drills.enorugby.com/django
ScriptAlias /cgi-bin/ /home/admin/web/drills.enorugby.com/cgi-bin/
Alias /vstats/ /home/admin/web/drills.enorugby.com/stats/
Alias /error/ /home/admin/web/drills.enorugby.com/document_errors/
Alias /static/ /home/admin/web/drills.enorugby.com/django/static/
#SuexecUserGroup admin admin
CustomLog /var/log/apache2/domains/drills.enorugby.com.bytes bytes
CustomLog /var/log/apache2/domains/drills.enorugby.com.log combined
ErrorLog /var/log/apache2/domains/drills.enorugby.com.error.log
<Directory /home/admin/web/drills.enorugby.com/django>
    AllowOverride All
    Options +Includes -Indexes +ExecCGI
    php_admin_value open_basedir /home/admin/web/drills.enorugby.com/django:/home/admin/tmp
    php_admin_value upload_tmp_dir /home/admin/tmp
    php_admin_value session.save_path /home/admin/tmp
</Directory>
<Directory /home/admin/web/drills.enorugby.com/stats>
    AllowOverride All
</Directory>
<Directory /home/admin/web/drills.enorugby.com/django/static>
    Require all granted
</Directory>
<Directory /home/admin/web/drills.enorugby.com/django/rugbysite>
    <Files wsgi.py>
        Require all granted
    </Files>
</Directory>

<IfModule mod_ruid2.c>
    RMode config
    RUidGid admin admin
    RGroups www-data
</IfModule>
<IfModule itk.c>
    AssignUserID admin admin
</IfModule>

WSGIDaemonProcess rugbysite python-home=/home/admin/web/drills.enorugby.com/django/env python-path=/home/admin/web/drills.en$
WSGIProcessGroup rugbysite
WSGIScriptAlias / /home/admin/web/drills.enorugby.com/django/rugbysite/wsgi.py

IncludeOptional /home/admin/conf/web/apache2.drills.enorugby.com.conf*

SSLCertificateFile /etc/letsencrypt/live/drills.enorugby.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/drills.enorugby.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf


#14

That looks out-of-place

Try rem that out and include this file back in and restart Apache.


#15

That did not copy over properly. Those last three lines should have been included with the rest of the code, followed by closing tags for VirtualHost and IfModule.

It seems strange to me that the SSL config file for enorugby.com is enorugby.com.apache2.ssl.conf but the new SSL config file is drills.enorugby.com.apache2-le-ssl.conf - why the different name structure? Presumably these files were both created by certbot.


#16

All of the .conf files in that directory have that weird line in them. What do you mean by “rem that out and include the file back in”? I can comment the line out easily enough. Thing is, that file does not exist, so I can’t really include the file back in.


#17

Certbot (from my experience) has only added the -le-ssl.conf files and content to existing files.
So, I don’t know how those files got created.
But we can work with them just the same.


#18

OK that was three instructions in one line.
So I apologize for the congestion.

  1. comment out that line.
  2. re-include that entire file into the config (using include … like the others are included)
  3. restart Apache

and 4. if it errors out, show the error.


#19

ok, I realized what you meant right before you posted the clarifying comment.

Still no luck. I included the file in the vesta.conf file again and restarted apache:
Job for apache2.service failed because the control process exited with error code.
See “systemctl status apache2.service” and “journalctl -xe” for details.

systemctl status apache2.service:
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Drop-In: /lib/systemd/system/apache2.service.d
└─apache2-systemd.conf
Active: failed (Result: exit-code) since Mon 2019-01-14 16:56:36 UTC; 1min 1s ago
Process: 23898 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)
Process: 23861 ExecReload=/usr/sbin/apachectl graceful (code=exited, status=0/SUCCESS)
Process: 23904 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 23645 (code=exited, status=0/SUCCESS)

journalctl -xe:
Dec 07 22:55:46 ubuntu-eno1 systemd[2121]: Startup finished in 44ms.
-- Subject: User manager start-up is now complete
-- Defined-By: systemd
-- Support: http://www.ubuntu.com/support

-- The user manager instance for user 1000 has been started. All services queued
-- for starting have been started. Note that other services might still be starting
-- up or be started at any later time.

-- Startup of the manager took 44356 microseconds.
Jan 11 01:02:49 enorugby.com polkit-agent-helper-1[386]: pam_unix(polkit-1:auth): authentication failure; logname= uid=1000 euid=0 tty= ruser=pi rhost= user=pi


#20

Ok, trying journalctl -xe again with sudo:
