Vhost resolving wrong certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://briccentre.bbk.ac.uk/

I ran this command: sudo certbot --apache

It produced this output:

My web server is (include version): apache

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

As you can see, the site is looking at a certificate from a different site hosted on the same server. I can see both certificates with certbot certificates, but it is not resolving properly. I plan to install more certificates using certbot on other sites we have with a similar setup on the server; it would be great if they could all work.
Many thanks, certbot and Let's Encrypt have been of great help.

1 Like

@rucaza Welcome to the community!

This almost certainly is a problem with your Apache vhost definition for that server. Please show the output of:
sudo apachectl -t -D DUMP_VHOSTS

2 Likes

Hi,

Thanks for your answer. Here is the output:

VirtualHost configuration:
193.61.4.246:443       is a NameVirtualHost
         default server psyc.bbk.ac.uk (/etc/apache2/sites-enabled/psyc.bbk.ac.uk.conf:51)
         port 443 namevhost psyc.bbk.ac.uk (/etc/apache2/sites-enabled/psyc.bbk.ac.uk.conf:51)
                 alias www.psyc.bbk.ac.uk
         port 443 namevhost www.unlocke.org (/etc/apache2/sites-enabled/unlocke.org.conf:35)
                 alias unlocke.org
*:443                  briccentre.bbk.ac.uk (/etc/apache2/sites-enabled/briccenter.bbk.ac.uk-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server 193.61.4.246 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost 193.61.4.246 (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost basisnetwork.org (/etc/apache2/sites-enabled/basisnetwork.org.conf:1)
                 alias www.basisnetwork.org
         port 80 namevhost brainb.psyc.bbk.ac.uk (/etc/apache2/sites-enabled/brainb.psyc.bbk.ac.uk.conf:1)
                 alias www.brainb.psyc.bbk.ac.uk
         port 80 namevhost braintools.bbk.ac.uk (/etc/apache2/sites-enabled/braintools.bbk.ac.uk.conf:1)
                 alias www.braintools.bbk.ac.uk
         port 80 namevhost briccentre.bbk.ac.uk (/etc/apache2/sites-enabled/briccenter.bbk.ac.uk.conf:1)
                 alias www.briccentre.bbk.ac.uk
         port 80 namevhost bridgelab.bbk.ac.uk (/etc/apache2/sites-enabled/bridgelab.bbk.ac.uk.conf:1)
                 alias www.bridgelab.bbk.ac.uk
         port 80 namevhost cbcd.bbk.ac.uk (/etc/apache2/sites-enabled/cbcd.bbk.ac.uk.conf:1)
                 alias www.cbcd.bbk.ac.uk
         port 80 namevhost cccm.bbk.ac.uk (/etc/apache2/sites-enabled/cccm.bbk.ac.uk.conf:1)
                 alias www.cccm.bbk.ac.uk
         port 80 namevhost ccnl.bbk.ac.uk (/etc/apache2/sites-enabled/ccnl.bbk.ac.uk.conf:1)
                 alias www.ccnl.bbk.ac.uk
         port 80 namevhost cirmh.bbk.ac.uk (/etc/apache2/sites-enabled/cirmh.bbk.ac.uk.conf:1)
                 alias www.cirmh.bbk.ac.uk
         port 80 namevhost familieschildrenchildcare.org (/etc/apache2/sites-enabled/familieschildrenchildcare.org.conf:1)
                 alias www.familieschildrenchildcare.org
         port 80 namevhost gel.bbk.ac.uk (/etc/apache2/sites-enabled/gel.bbk.ac.uk.conf:1)
                 alias www.gel.bbk.ac.uk
         port 80 namevhost ipa.bbk.ac.uk (/etc/apache2/sites-enabled/ipa.bbk.ac.uk.conf:1)
                 alias www.ipa.bbk.ac.uk
         port 80 namevhost pathlab.bbk.ac.uk (/etc/apache2/sites-enabled/pathlab.bbk.ac.uk.conf:1)
                 alias www.pathlab.bbk.ac.uk
         port 80 namevhost prosopagnosia.bbk.ac.uk (/etc/apache2/sites-enabled/prosopagnosia.bbk.ac.uk.conf:1)
                 alias www.prosopagnosia.bbk.ac.uk
         port 80 namevhost psyc.bbk.ac.uk (/etc/apache2/sites-enabled/psyc.bbk.ac.uk.conf:1)
                 alias www.psyc.bbk.ac.uk
         port 80 namevhost psychology.bbk.ac.uk (/etc/apache2/sites-enabled/psychology.bbk.ac.uk.conf:1)
                 alias www.psychology.bbk.ac.uk
         port 80 namevhost unlocke.org (/etc/apache2/sites-enabled/unlocke.org.conf:1)
                 alias www.unlocke.org

Thanks. Now please show contents of these two files.
/etc/apache2/sites-enabled/psyc.bbk.ac.uk.conf
/etc/apache2/sites-enabled/briccenter.bbk.ac.uk-le-ssl.conf

@rucaza Please use proper formatting

Is it possible for you to upload this file instead? It looks like there is something missing. The dump info shows a port 443 vhost from line 51 in that file but I do not see it defined in what you pasted.

Would also like to see:
/etc/apache2/sites-enabled/unlocke.org.conf
It is defined differently than the briccentre vhost and returns the right cert.

I see that requests to briccentre are using the default server's ssl certs, as you note, it is just not yet clear to me what exact definitions are causing that. Update: More clearly, it looks like Apache is using the default server definitions for requests to briccentre - not just the certs. Probably related to mixed vhost definitions for IP and names - if I had to guess right now.

1 Like

When was the last time that Apache (or the entire server) was restarted?

Please show the output of:
ps -ef | grep -v grep | grep -Ei 'uid|apache'

2 Likes

The whole server was restarted this week, and Apache was last restarted when I was setting up the certs, so very recently.
Here is the output:

UID        PID  PPID  C STIME TTY          TIME CMD
www-data 16132 29853  0 06:45 ?        00:00:13 /usr/sbin/apache2 -k start
www-data 20246 29853  0 08:57 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20598 29853  0 09:09 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20716 29853  0 09:18 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20717 29853  0 09:18 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20751 29853  0 09:20 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20771 29853  0 09:24 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20812 29853  0 09:30 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20813 29853  0 09:30 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20814 29853  0 09:30 ?        00:00:00 /usr/sbin/apache2 -k start
www-data 20826 29853  0 09:32 ?        00:00:00 /usr/sbin/apache2 -k start
root     29853     1  0 Nov12 ?        00:00:03 /usr/sbin/apache2 -k start

@rucaza Excellent. Thanks

I think the issue is you have:

<VirtualHost psyc.bbk.ac.uk:443>
<VirtualHost unlocke.org:443>

But, for briccentre just:

<VirtualHost *:443>

Note no fully qualified domain name and instead just a wildcard. The FQDN just represents the related IP address.

I think you can resolve this by making all of them *:443 instead of using the FQDN for psyc and unlocke.

Per Apache docs:

When a request is received, the server first maps it to the best matching <VirtualHost> based on the local IP address and port combination only. Non-wildcards have a higher precedence. If no match based on IP and port occurs at all, the "main" server configuration is used.

So, what is happening is a request for briccentre arrives. Apache sees that both psyc and unlocke match the IP address. Then it matches the host header on the request but finds no matching name in these two, so it uses the default (psyc) server.

In other words, the use of the FQDN limits the candidates of which servers will be selected.

There is a time and place for IP based selection but yours does not seem like it.
All of the domains resolve to the same IP. Note, also, this "not recommended" notation in the VirtualHost definition:

A fully qualified domain name for the IP address of the virtual host (not recommended);
core - Apache HTTP Server Version 2.4

Also, just for consistency, I noticed you use different IfModule wrappers, but these are normally the same so it is probably not a problem. I generally prefer consistency, so if you are setting up a pattern you may want to standardize on one.

For briccentre you wrap the VirtualHost with:
<IfModule mod_ssl.c>
For the other ssl VirtualHost you use:
<IfModule ssl_module>

I am curious to know how this turns out. Cheers

2 Likes
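The two-stage selection described in the answer above, as an added model (not Apache's code and not from the thread): vhosts are first grouped by local IP:port, where an address written as an FQDN has already been resolved to its IP, and a wildcard group is only consulted when no exact-IP group matches; the Host/SNI name is matched inside the winning group only. The addresses and names are the ones from the DUMP_VHOSTS output; the "before" and "after" lists are constructed to show why briccentre lands on the psyc default until every TLS vhost uses `*:443`.

```python
# Model of Apache's VirtualHost selection: IP:port group first, Host/SNI name second.
# Constructed example using the addresses and names shown in the thread's DUMP_VHOSTS output.
from dataclasses import dataclass

SERVER_IP = "193.61.4.246"   # every domain in the thread resolves to this address

@dataclass(frozen=True)
class VHost:
    addr: str            # "*" or an IP; Apache resolves an FQDN written here to its IP at startup
    port: int
    server_name: str
    aliases: tuple = ()

    def matches_name(self, host: str) -> bool:
        return host == self.server_name or host in self.aliases

def select_vhost(vhosts, local_ip, local_port, host_header):
    """Return the ServerName Apache would serve, or None for the 'main' server."""
    # Stage 1: candidates are the vhosts whose address and port match the connection.
    exact = [v for v in vhosts if v.port == local_port and v.addr == local_ip]
    wild = [v for v in vhosts if v.port == local_port and v.addr == "*"]
    candidates = exact or wild          # non-wildcard addresses take precedence
    if not candidates:
        return None
    # Stage 2: within that group only, match the requested hostname (Host header / SNI).
    for v in candidates:
        if v.matches_name(host_header):
            return v.server_name
    # No name matched: the first vhost listed for that address is the default.
    return candidates[0].server_name

# Before the fix: psyc and unlocke are bound to the resolved IP, briccentre to the wildcard,
# so the *:443 group is never consulted for connections to 193.61.4.246:443.
BEFORE = [
    VHost(SERVER_IP, 443, "psyc.bbk.ac.uk", ("www.psyc.bbk.ac.uk",)),
    VHost(SERVER_IP, 443, "www.unlocke.org", ("unlocke.org",)),
    VHost("*", 443, "briccentre.bbk.ac.uk"),
]
# After the fix: every TLS vhost uses *:443, so all three compete on name.
AFTER = [VHost("*", v.port, v.server_name, v.aliases) for v in BEFORE]

def served_before(host):
    return select_vhost(BEFORE, SERVER_IP, 443, host)

def served_after(host):
    return select_vhost(AFTER, SERVER_IP, 443, host)

if __name__ == "__main__":
    for host in ("briccentre.bbk.ac.uk", "unlocke.org", "psyc.bbk.ac.uk"):
        print(f"{host:22} before={served_before(host):22} after={served_after(host)}")
```

Under the "before" layout the request for briccentre is answered by psyc's vhost, and therefore with psyc's certificate, exactly as the poster observed.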

This seems significant:

And likely both are unnecessary.
[we already know the system can do SSL - there is no "IF" question about it]

2 Likes

I agree they are both unnecessary in this situation. They would know if ssl is not available on their server so do not need the wrapper. But, they should have the same result with either statement - one using the module name and the other the file name.

2 Likes

We are talking about Apache here - LOL

2 Likes

Thanks for the help.
I removed the IfModule wrapper and added the wildcard for the psyc and unlocke config files, and it works now! I really appreciate it. I only have to sort out some images and content that is coming in over http, but that should be straightforward.
All the best to you guys.

2 Likes
