Where are all references to my domain name?

Actually, I removed the virtual host that was in ssl.conf but kept that file for general SSL configuration. Here is the file with comments removed:

Listen 443 https

SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300
SSLCryptoDevice builtin

ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

SSLEngine on
SSLHonorCipherOrder on
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

SSLCertificateFile /etc/letsencrypt/live/dr0.ch-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dr0.ch-0001/privkey.pem

<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch "MSIE [2-5]" nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0

Here it is:

VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server dr0.ch (/etc/httpd/conf.d/dr0-le-ssl.conf:2)
         port 443 namevhost dr0.ch (/etc/httpd/conf.d/dr0-le-ssl.conf:2)
         port 443 namevhost jargon.dr0.ch (/etc/httpd/conf.d/jargon-le-ssl.conf:2)
         port 443 namevhost photos.dr0.ch (/etc/httpd/conf.d/photos-le-ssl.conf:2)
*:80                   is a NameVirtualHost
         default server dr0.ch (/etc/httpd/conf.d/dr0.conf:1)
         port 80 namevhost dr0.ch (/etc/httpd/conf.d/dr0.conf:1)
         port 80 namevhost jargon.dr0.ch (/etc/httpd/conf.d/jargon.conf:1)
         port 80 namevhost photos.dr0.ch (/etc/httpd/conf.d/photos.conf:1)

I am lost. Where is the self-signed cert coming from? Because the only cert I see in your ssl.conf is the one from Let's Encrypt. That is not a self-signed cert and has the below domain names in it. Nothing to do with that vps-65ee61ee.vps.ovh.net I see when connecting to your domain on port 80.


The self-signed cert from vps-65ee61ee.vps.ovh.net was in ssl.conf. I replaced it with the LE cert.

Running openssl s_client -connect dr0.ch:80 now returns the LE cert.

I see.

Still, you should not see any cert when using port 80. Port 80 is for HTTP. Certs are used for HTTPS.

You need to trace the path of the incoming HTTP request through every component. Find out why, when it reaches Apache, it gets treated like an HTTPS request.

You might also try commenting out these lines from the ssl.conf file. They are in each VirtualHost so are just duplicates.

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dr0.ch-0001/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/dr0.ch-0001/privkey.pem

Maybe by forcing SSLEngine On in your base conf it is forcing HTTPS for all incoming. I'm not sure and don't want to chase Apache docs. In any case, they are redundant. You may need to consult an Apache forum or your hosting site if that doesn't work.

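Added example (not from this thread or from Apache/Certbot): a small Python probe that sends a genuine TLS ClientHello to a port and classifies the first bytes of the reply, so a port 80 that answers with a TLS ServerHello (the misconfiguration above) or a port 443 that answers with plain HTTP shows up as a mismatch. The host name, the ports and the expected mapping are assumptions for illustration; the "wrong version number" error from s_client above is exactly what a plain "HTTP/" reply looks like when OpenSSL tries to parse it as a TLS record header.

```python
"""Check that port 80 speaks plain HTTP and port 443 speaks TLS."""
import socket
import ssl

# Assumed expectation for a normal Apache setup: HTTP on 80, HTTPS on 443.
EXPECTED = {80: "http", 443: "tls"}


def build_client_hello(server_name: str) -> bytes:
    """Produce a real ClientHello via the ssl module's memory BIOs (no network)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is written, now waiting for ServerHello
    return outgoing.read()


def classify_reply(data: bytes) -> str:
    """Classify the first bytes a server sends back after our ClientHello."""
    if not data:
        return "closed"
    # TLS record header: type 0x16 (handshake) or 0x15 (alert), then major 0x03.
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"
    # A plain-HTTP listener answers the binary ClientHello with "HTTP/1.1 400".
    if data.startswith(b"HTTP/"):
        return "http"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Send a ClientHello to host:port and report what came back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            reply = sock.recv(16)
        except socket.timeout:
            return "silent"
    return classify_reply(reply)


def check_host(host: str) -> dict:
    """Return {port: (observed, expected)} for every port in EXPECTED."""
    return {port: (probe(host, port), want) for port, want in EXPECTED.items()}


if __name__ == "__main__":
    for port, (seen, want) in check_host("dr0.ch").items():  # host assumed
        print(f"port {port}: got {seen}, expected {want}", "OK" if seen == want else "MISMATCH")
```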

Good catch! This was the problem.

Now I like it more:

[root@dr0 ~]# openssl s_client -connect dr0.ch:80
CONNECTED(00000003)
802B040D947F0000:error:0A00010B:SSL routines:ssl3_get_record:wrong version number:ssl/record/ssl3_record.c:354:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 310 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
[root@dr0 ~]# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dr0.ch-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for dr0.ch and 2 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/dr0.ch.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for dr0.ch and 2 more domains

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations, all simulated renewals succeeded:
  /etc/letsencrypt/live/dr0.ch-0001/fullchain.pem (success)
  /etc/letsencrypt/live/dr0.ch-0001/fullchain.pem (success)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Thanks a lot for your help. Marking the thread as solved.

