Strange ssl results

  • The certificate of the 2nd customer on this server is also delivered by apache2 for all other SSL-enabled sites on this machine!
    I checked all ssl.conf files and I do not see any errors; also the combined cert files stored in /var/www/imscp/gui/data/certs are OK.
    I have no clue why this can even happen :(


    Code
    https://www.ssllabs.com/ssltest/analyze.html?d=erendiz.com


    system: ubuntu lts, imscp 1.4.7, apache2


  • hmm sorry master!


    but my previous posts on this regard the same server


    version 1.4.7
    os: ubuntu lts ... uname -a
    Linux ksrv140 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux


    standard install with apache2, dovecot and postfix, no plugins!


    suggestion .... an imscp_diag script producing ALL RELEVANT INFORMATION FOR YOU

  • but my previous posts on this regard the same server

    Do you know how many people are asking me for support per day? Do you really think that I can remember their distribution, codename and so on?


    Anyway, LTS means nothing for us because we only support LTS versions. LTS is not your distribution codename. So again, what is your distribution codename?


    And please, give us further details:

    • All SSL sites are set with trusted SSL certificates or self-signed certificates?
    • Any log?
    • Are the IP addresses for all your sites correct?

    We cannot really help without further details.


  • ubuntu xenial


    all SSL-enabled sites have Symantec basic certs, please look at the report link provided!


    I have no clue how to gather logs for this strange behavior!


    it's a root server with only one IP
    I came across this issue by testing the site after changing external DNS for CAA records!


    regards Gerhard

  • @gwr


    Calm down please ;) Abusing the exclamation mark will not help here ;)


    Please give us at least two domain names for which SSL is enabled and for which the SSL certificate used is not the expected one. Give us also your server IP (all this privately if you prefer).


    Since you changed your DNS configuration, the issue could be simply due to propagation.



    Thank you.


  • sorry, I didn't want to yell in my previous post :)


    all SSL-enabled sites will get a 2nd cert from blahusch-hausverwaltung.de if I test this with https://www.ssllabs.com/ssltest/index.html


    dns:

    Code
    cat prim/blahusch-hausverwaltung.de
    $ORIGIN de.
    blahusch-hausverwaltung 86400 IN SOA ns1.netpilot.net. hostmaster.netpilot.net. ( 2017071500 28800 7200 604800 86400 )
                            86400 IN NS ns1.netpilot.net.
                            86400 IN NS ns2.netpilot.net.
                            86400 IN NS ns3.netpilot.net.
                            600 IN A 88.99.62.140
                            86400 IN MX 10 relay3.netpilot.net.
                            86400 IN MX 10 relay1.netpilot.net.
                            86400 IN MX 10 relayx.netpilot.net.
                            86400 IN MX 10 relay.netpilot.net.
    ; 86400 IN MX 40 mail.blahusch-hausverwaltung.de.
    $ORIGIN blahusch-hausverwaltung.de.
    www 600 IN A 88.99.62.140
    mail 86400 IN A 62.67.240.34
    * 86400 IN A 62.67.240.34
    blahusch-hausverwaltung.de. IN CAA 0 issue "symantec.com"
    blahusch-hausverwaltung.de. IN CAA 0 issuewild ";"
    blahusch-hausverwaltung.de. IN CAA 0 iodef "mailto:[email protected]"
    blahusch-hausverwaltung.de. 300 IN TXT "201706091753240tlns8zusr9ny6uc35zi5mrhpq9u8nkglsmfxe60buaozbydon"
    blahusch-hausverwaltung.de. 3600 IN TXT "v=spf1 a mx include:netpilot.net -all"

    cat prim/erendiz.com
    $ORIGIN com.
    erendiz 86400 IN SOA ns1.netpilot.net. hostmaster.netpilot.net. ( 2017071500 28800 7200 604800 86400 )
            86400 IN NS ns1.netpilot.net.
            86400 IN NS ns2.netpilot.net.
            86400 IN NS ns3.netpilot.net.
            600 IN A 88.99.62.140
            86400 IN MX 10 relay3.netpilot.net.
            86400 IN MX 10 relay1.netpilot.net.
            86400 IN MX 10 relayx.netpilot.net.
            86400 IN MX 10 relay.netpilot.net.
    ; 86400 IN MX 40 mail.erendiz.com.
    $ORIGIN erendiz.com.
    erendiz.com. IN CAA 0 issue "symantec.com"
    erendiz.com. IN CAA 0 issuewild ";"
    erendiz.com. IN CAA 0 iodef "mailto:[email protected]"
    erendiz.com. 300 IN TXT "201707061603070o7snucls7jriagovsigaa3qzar7foschzhhw8urofbwbfambe"
    www 600 IN A 88.99.62.140
    imap 86400 IN A 88.99.62.140
    pop 86400 IN A 88.99.62.140
    smtp 86400 IN A 88.99.62.140
    mail 86400 IN A 88.99.62.140
    * 600 IN A 88.99.62.140
    erendiz.com. 3600 IN TXT "v=spf1 a mx include:netpilot.net -all"



    Defined sites:

    Code
    root@ksrv140 /etc/apache2/sites-enabled # ls -latr
    total 8
    lrwxrwxrwx  1 root root   37 Feb 14 12:20 00_nameserver.conf -> ../sites-available/00_nameserver.conf
    lrwxrwxrwx  1 root root   34 Feb 14 12:21 01_awstats.conf -> ../sites-available/01_awstats.conf
    drwxr-xr-x 10 root root 4096 Jul  5 11:39 ..
    lrwxrwxrwx  1 root root   48 Jul 11 15:48 cityhotel-schoenleber.de.conf -> ../sites-available/cityhotel-schoenleber.de.conf
    lrwxrwxrwx  1 root root   52 Jul 11 15:48 cityhotel-schoenleber.de_ssl.conf -> ../sites-available/cityhotel-schoenleber.de_ssl.conf
    lrwxrwxrwx  1 root root   50 Jul 11 15:48 blahusch-hausverwaltung.de.conf -> ../sites-available/blahusch-hausverwaltung.de.conf
    lrwxrwxrwx  1 root root   54 Jul 11 15:48 blahusch-hausverwaltung.de_ssl.conf -> ../sites-available/blahusch-hausverwaltung.de_ssl.conf
    lrwxrwxrwx  1 root root   46 Jul 11 15:48 blahusch-immobilien.de.conf -> ../sites-available/blahusch-immobilien.de.conf
    lrwxrwxrwx  1 root root   40 Jul 11 15:48 info.cobos-fs.de.conf -> ../sites-available/info.cobos-fs.de.conf
    lrwxrwxrwx  1 root root   44 Jul 11 15:48 info.cobos-fs.de_ssl.conf -> ../sites-available/info.cobos-fs.de_ssl.conf
    lrwxrwxrwx  1 root root   42 Jul 11 15:48 wp2017.cobos-fs.de.conf -> ../sites-available/wp2017.cobos-fs.de.conf
    lrwxrwxrwx  1 root root   35 Jul 11 15:48 erendiz.com.conf -> ../sites-available/erendiz.com.conf
    lrwxrwxrwx  1 root root   39 Jul 11 15:48 erendiz.com_ssl.conf -> ../sites-available/erendiz.com_ssl.conf
    lrwxrwxrwx  1 root root   34 Jul 11 15:48 erendiz.de.conf -> ../sites-available/erendiz.de.conf
    lrwxrwxrwx  1 root root   43 Jul 11 15:48 tekin-necklaces.com.conf -> ../sites-available/tekin-necklaces.com.conf
    lrwxrwxrwx  1 root root   47 Jul 11 15:48 tekin-necklaces.com_ssl.conf -> ../sites-available/tekin-necklaces.com_ssl.conf
    lrwxrwxrwx  1 root root   43 Jul 11 15:48 mrmustiyachting.com.conf -> ../sites-available/mrmustiyachting.com.conf
    lrwxrwxrwx  1 root root   47 Jul 11 15:48 mrmustiyachting.com_ssl.conf -> ../sites-available/mrmustiyachting.com_ssl.conf
    lrwxrwxrwx  1 root root   38 Jul 11 15:48 lykiahiker.com.conf -> ../sites-available/lykiahiker.com.conf
    lrwxrwxrwx  1 root root   42 Jul 11 15:48 lykiahiker.com_ssl.conf -> ../sites-available/lykiahiker.com_ssl.conf
    lrwxrwxrwx  1 root root   38 Jul 11 15:48 lykiabiker.com.conf -> ../sites-available/lykiabiker.com.conf
    lrwxrwxrwx  1 root root   42 Jul 11 15:48 lykiabiker.com_ssl.conf -> ../sites-available/lykiabiker.com_ssl.conf
    lrwxrwxrwx  1 root root   37 Jul 11 15:48 lykiabiker.de.conf -> ../sites-available/lykiabiker.de.conf
    lrwxrwxrwx  1 root root   46 Jul 11 15:48 exploresecretplaces.de.conf -> ../sites-available/exploresecretplaces.de.conf
    lrwxrwxrwx  1 root root   50 Jul 11 15:48 exploresecretplaces.de_ssl.conf -> ../sites-available/exploresecretplaces.de_ssl.conf
    lrwxrwxrwx  1 root root   46 Jul 11 15:48 exploresecretplaces.eu.conf -> ../sites-available/exploresecretplaces.eu.conf
    lrwxrwxrwx  1 root root   46 Jul 14 09:40 strandhotel-diessen.de.conf -> ../sites-available/strandhotel-diessen.de.conf
    lrwxrwxrwx  1 root root   50 Jul 14 09:40 strandhotel-diessen.de_ssl.conf -> ../sites-available/strandhotel-diessen.de_ssl.conf
    lrwxrwxrwx  1 root root   45 Jul 14 16:01 strandhoteldiessen.de.conf -> ../sites-available/strandhoteldiessen.de.conf
    drwxr-xr-x  2 root root 4096 Jul 15 17:11 .

    confs

    Code
    cat blahusch-hausverwaltung.de_ssl.conf
    <VirtualHost 88.99.62.140:443>
        ServerAdmin [email protected]
        ServerName blahusch-hausverwaltung.de
        ServerAlias www.blahusch-hausverwaltung.de
        DocumentRoot /var/www/virtual/blahusch-hausverwaltung.de/htdocs
        DirectoryIndex disabled
        LogLevel error
        ErrorLog /var/log/apache2/blahusch-hausverwaltung.de/error.log
        Alias /errors/ /var/www/virtual/blahusch-hausverwaltung.de/errors/
        SSLEngine On
        SSLCertificateFile /var/www/imscp/gui/data/certs/blahusch-hausverwaltung.de.pem
        Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
        SuexecUserGroup vu2004 vu2004
        <Proxy "unix:/run/php/php7.0-fpm-blahusch-hausverwaltung.de.sock|fcgi://blahusch-hausverwaltung.de" retry=0>
            ProxySet connectiontimeout=5 timeout=7200
        </Proxy>
        <Directory /var/www/virtual/blahusch-hausverwaltung.de/htdocs>
            Options FollowSymLinks
            DirectoryIndex index.php
            AllowOverride All
            <If "%{REQUEST_FILENAME} =~ /\.ph(?:p[3457]?|t|tml)$/ && -f %{REQUEST_FILENAME}">
                SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
                SetHandler proxy:fcgi://blahusch-hausverwaltung.de
            </If>
            DirectoryIndex index.html index.xhtml index.htm
            Require all granted
        </Directory>
        Alias /cgi-bin/ /var/www/virtual/blahusch-hausverwaltung.de/cgi-bin/
        <Directory /var/www/virtual/blahusch-hausverwaltung.de/cgi-bin>
            AllowOverride AuthConfig Indexes Limit Options=Indexes,MultiViews \
                Fileinfo=RewriteEngine,RewriteOptions,RewriteBase,RewriteCond,RewriteRule Nonfatal=Override
            DirectoryIndex index.cgi index.pl index.py index.rb
            Options FollowSymLinks ExecCGI
            AddHandler cgi-script .cgi .pl .py .rb
            Require all granted
        </Directory>
        Include /etc/apache2/imscp/blahusch-hausverwaltung.de.conf
    </VirtualHost>

    I checked as already said, all combined cert files and these are totally ok.

  • @gwr


    SSL certificate for the blahusch-hausverwaltung.de site is correct. But SSL certificate for the erendiz.com site is not.


    Please post the result of the following command:


    Code
    # openssl x509 -noout -text -in /var/www/imscp/gui/data/certs/erendiz.com.pem


  • Code
    openssl x509 -noout -text -in /var/www/imscp/gui/data/certs/erendiz.com.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                3b:e2:43:04:8b:b4:ff:6f:c7:7a:90:68:bb:77:d1:9c
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = Symantec Corporation, OU = Symantec Trust Network, OU = Domain Validated SSL, CN = Symantec Basic DV SSL CA - G2
            Validity
                Not Before: Jul  6 00:00:00 2017 GMT
                Not After : Jul  6 23:59:59 2018 GMT
            Subject: CN = erendiz.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    Public-Key: (2048 bit)
                    Modulus:
                        00:c7:c9:8b:4b:26:3e:d2:af:c5:3d:a0:e5:5f:54:
                        7b:79:37:ff:50:31:b8:e1:67:d3:21:55:e7:0b:aa:
                        98:21:3c:57:a8:3d:6c:dd:b0:49:b1:8d:58:a3:ce:
                        05:31:50:c0:18:87:ee:fa:d0:55:b6:b0:e5:59:b3:
                        2b:da:f0:6c:05:df:bc:8e:8b:0a:8d:57:34:59:51:
                        08:9e:59:e8:be:17:8a:19:f5:50:83:d1:bb:75:07:
                        a6:7a:7f:bc:f5:0e:e2:29:f9:93:d4:d8:3c:03:79:
                        74:38:4a:d5:77:d9:40:f1:9d:01:ba:00:fa:6b:46:
                        7b:e6:e0:33:8b:11:fb:19:b3:25:43:51:4d:48:d5:
                        1b:2e:5f:0a:1a:1f:69:a0:73:38:38:fb:e6:50:a6:
                        fe:d7:e0:9f:d8:aa:51:bb:3f:dd:20:c3:28:7c:6d:
                        26:b1:0a:80:fa:82:c9:1a:85:aa:3f:ee:69:a0:21:
                        f5:ab:d1:db:b7:14:7f:d3:70:b6:32:3c:b1:d6:bb:
                        65:9b:0f:f4:ee:90:13:3d:19:3f:74:3a:f8:b6:31:
                        ed:69:42:b8:77:f0:71:dd:e6:0d:03:c3:a4:34:f5:
                        66:5c:56:a0:d6:38:bb:83:f9:8b:c6:a2:50:da:8e:
                        c1:b5:5c:9d:d1:24:b1:f3:41:e4:31:d4:6e:3f:9e:
                        32:c7
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Alternative Name:
                    DNS:erendiz.com, DNS:www.erendiz.com
                X509v3 Basic Constraints:
                    CA:FALSE
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                      CPS: https://d.symcb.com/cps
                      User Notice:
                        Explicit Text: https://d.symcb.com/rpa
                X509v3 Authority Key Identifier:
                    keyid:CA:AC:5D:E1:90:2F:F1:EF:8C:D4:9F:35:01:E1:01:3B:A0:CE:C1:77
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                Authority Information Access:
                    OCSP - URI:http://hd.symcd.com
                    CA Issuers - URI:http://hd.symcb.com/hd.crt
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : DD:EB:1D:2B:7A:0D:4F:A6:20:8B:81:AD:81:68:70:7E:
                                    2E:8E:9D:01:D5:5C:88:8D:3D:11:C4:CD:B6:EC:BE:CC
                        Timestamp : Jul  6 16:04:28.615 2017 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:45:02:21:00:9F:2B:CE:D4:5A:AA:E7:CC:E7:6B:D0:
                                    55:49:BB:0B:33:97:8E:6D:D0:66:62:80:23:71:EF:5F:
                                    DF:2D:28:E6:2D:02:20:1A:DF:76:9E:9D:8E:9A:EE:F3:
                                    A0:52:F0:32:CE:62:88:00:FE:E0:2B:2B:ED:5E:78:BC:
                                    D9:CE:93:C2:F4:BC:DA
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : A4:B9:09:90:B4:18:58:14:87:BB:13:A2:CC:67:70:0A:
                                    3C:35:98:04:F9:1B:DF:B8:E3:77:CD:0E:C8:0D:DC:10
                        Timestamp : Jul  6 16:04:28.905 2017 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:44:02:20:05:F2:31:A7:C2:5F:C5:85:9F:DE:EC:D4:
                                    FF:58:BE:73:BB:D0:25:7D:D1:5C:33:8B:2D:92:CE:76:
                                    11:63:8F:1E:02:20:66:11:2C:CF:FB:55:D2:A1:D4:41:
                                    5D:AC:51:D3:CD:48:7D:93:F3:65:AD:EA:E0:5F:6C:BF:
                                    32:84:27:C5:1E:E3
        Signature Algorithm: sha256WithRSAEncryption
             99:77:a1:9b:23:a2:e6:da:3a:b2:e7:34:07:cf:f5:c6:b7:de:
             18:6c:a7:6b:17:e1:df:1a:59:03:c3:75:0b:c6:70:c3:c8:9c:
             7a:de:15:94:aa:ad:c9:41:d6:04:b9:a9:a2:85:1b:e1:ad:23:
             90:31:23:cc:af:12:84:de:05:22:71:3d:ea:6f:48:d6:27:36:
             ed:0d:bf:93:26:50:a2:00:b2:78:6c:b5:85:20:d1:94:f5:2c:
             c7:d9:39:3c:b3:33:07:e4:11:1d:da:81:84:0f:5d:18:89:29:
             84:d2:89:3c:dd:a9:c8:a0:00:92:aa:c8:55:36:00:01:7c:3a:
             c9:17:eb:08:a9:cc:ad:2a:87:4a:df:fc:91:4c:ec:5d:40:db:
             20:c7:42:8a:cf:8f:2a:11:b4:25:a3:f5:68:67:16:f7:54:92:
             71:90:be:6d:e4:8f:1c:73:28:30:72:34:a9:51:42:9a:7e:ba:
             9d:97:da:67:c4:c5:60:74:21:7b:94:3f:55:fa:a9:3a:30:34:
             35:d7:d9:b0:7e:81:b5:12:08:35:cd:a1:f2:3f:38:fd:13:8b:
             46:e1:2f:74:38:0f:77:70:25:80:4c:16:fe:36:33:fd:f0:eb:
             89:95:36:61:ae:d8:25:fd:14:a2:7b:06:52:74:f5:5e:41:1f:
             51:61:43:11
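As an added example (not code from this thread or from i-MSCP), a small Python checker that reads the kind of `openssl x509 -noout -text` output posted above and verifies that the certificate's subject CN / DNS SANs actually cover the hostname a vhost is supposed to serve and that the date of interest falls inside the validity window. The `fetch_cert_text` helper is an assumption about how one would pull each site's live certificate with and without SNI for the same comparison; the sample text embedded below is constructed from the erendiz.com fields shown in the thread.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample: the name/validity fields of the erendiz.com cert posted above
SAMPLE_TEXT = """Certificate:
    Data:
        Validity
            Not Before: Jul  6 00:00:00 2017 GMT
            Not After : Jul  6 23:59:59 2018 GMT
        Subject: CN = erendiz.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:erendiz.com, DNS:www.erendiz.com
"""

def cert_names(text):
    """Hostnames the certificate claims: every DNS SAN plus the subject CN."""
    names = set(re.findall(r"DNS:([^\s,]+)", text))
    cn = re.search(r"Subject:.*?CN\s*=\s*([^\s,]+)", text)  # 'Subject:' only, not Issuer
    if cn:
        names.add(cn.group(1))
    return names

def name_matches(pattern, host):
    """RFC 6125 style comparison: a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def covers_host(text, host):
    """True if any name in the cert matches the hostname the vhost should serve."""
    return any(name_matches(n, host) for n in cert_names(text))

def is_valid_on(text, iso_date):
    """True if the ISO date (YYYY-MM-DD, taken as UTC) lies inside Not Before/Not After."""
    def parse(label):
        raw = re.search(label + r"\s*:\s*(.+)", text).group(1)
        return datetime.strptime(" ".join(raw.split()), "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    when = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return parse("Not Before") <= when <= parse("Not After")

def fetch_cert_text(host, ip, use_sni=True):
    """Assumed helper: cert that `ip` presents for `host`, with or without the SNI name."""
    cmd = ["openssl", "s_client", "-connect", f"{ip}:443"] + (["-servername", host] if use_sni else [])
    pem = subprocess.run(cmd, input=b"", capture_output=True, timeout=10).stdout
    return subprocess.run(["openssl", "x509", "-noout", "-text"], input=pem, capture_output=True).stdout.decode()
```

Running `covers_host(fetch_cert_text(h, ip, use_sni=False), h)` for each SSL vhost tells you which site's certificate the server hands to a client that sends no SNI name, which is what an external scanner reports as a second certificate.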
  • @gwr


    I was wrong in my previous post. SSL certificates are valid for both sites. However, for the www.erendiz.com site, the status stays gray because you're mixing content (http and https): All URI schemes in your site pages should be https://, or you should make use of relative URIs ;)


    Site www.blahusch-hausverwaltung.de


    site1.png


    Site www.erendiz.com


    site2.png
