Certificate replacement issue

Discussion in 'General' started by rsteuer, Jul 9, 2020.

  1. rsteuer

    rsteuer Member

    We had to replace a certificate for a virtual site and now the website is being misdirected. The site certificate for rcs.consulting has been replaced but the site is redirected to cremationsociet.com. However, sslshopper.com lists the correct certificate, as follows:


    rcs.consulting resolves to 71.181.6.216

    Server Type: Apache/2.4.29 (Ubuntu)

    The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

    The certificate was issued by Sectigo.

    The certificate will expire in 823 days.

    The hostname (rcs.consulting) is correctly listed in the certificate.
    Common name: rcs.consulting
    SANs: rcs.consulting, www.rcs.consulting
    Valid from July 8, 2020 to October 10, 2022
    Serial Number: cdfe3fd56c0caaec83e73a579cc5944d
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: Sectigo RSA Domain Validation Secure Server CA

    Common name: Sectigo RSA Domain Validation Secure Server CA
    Organization: Sectigo Limited
    Location: Salford, Greater Manchester, GB
    Valid from November 1, 2018 to December 31, 2030
    Serial Number: 7d5b5126b476ba11db74160bbc530da7
    Signature Algorithm: sha384WithRSAEncryption
    Issuer: USERTrust RSA Certification Authority

    Common name: USERTrust RSA Certification Authority
    Organization: The USERTRUST Network
    Location: Jersey City, New Jersey, US
    Valid from March 11, 2019 to December 31, 2028
    Serial Number: 3972443af922b751d7d36c10dd313595
    Signature Algorithm: sha384WithRSAEncryption
    Issuer: AAA Certificate Services

    Common name: AAA Certificate Services
    Organization: Comodo CA Limited
    Location: Salford, Greater Manchester, GB
    Valid from December 31, 2003 to December 31, 2028
    Serial Number: 1 (0x1)
    Signature Algorithm: sha1WithRSAEncryption
    Issuer: AAA Certificate Services

    Not sure what is causing the site to be misdirected if the cert is correct. The site was working fine with the old certificate and the problem appeared as soon as the certificate was replaced.

    Any help would be greatly appreciated.
     
  2. nhybgtvfr

    nhybgtvfr Active Member

    check what files/symlinks exist in /var/www/rcs.consulting/ssl
    and check the contents of the files match those of the new certificate.

    also check in /etc/apache2/sites-available
    check the modified date/time for rcs.consulting.vhost matches the change of certificate.
    check the contents of that file, there should be a section starting with:
    <VirtualHost *:80>
    and ending with:
    </VirtualHost>

    and after that there should be another section starting with:
    <VirtualHost *:443>
    this one is your SSL vhost. if it doesn't exist, then no certificate is currently being applied to that site, so apache will load the first site it finds alphabetically with a valid certificate.
    otherwise check the SSL certificate paths and filenames specified in this section point to the correct folder and files.

    also check if a rcs.consulting.vhost.err file exists, if it does, it indicates that there's a problem with that config and it went back to the previous config.
     
  3. rsteuer

    rsteuer Member

    Thanks for your reply. Been through all of that and just double-checked it again. Everything looks OK, as far as I can see. No .err file, timestamp is consistent with loading the certs, .crt, .key and .crt all exist in /ssl. The correct cert is indicated when using sslshopper.com to verify.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. nhybgtvfr

    nhybgtvfr Active Member

    was the rcs.consulting site actually created in ispconfig or manually? and if in ispconfig, was it created with the www subdomain, wildcard subdomain, or none?
    also, if it was created in ispconfig, check the website settings, is the ip for the site set as * or an actual ip?
    if an actual ip, does it match the one the dns resolves to?
    make sure that you don't have a mixture of sites with some using * and some using an ip.

    not sure the website's created right, a wget https://rcs.consulting results in a 301 redirect to www.rcs.consulting which is ok, but if you actually try to browse to http://www.rcs.consulting you get the apache default page, not the ispconfig welcome to your website page, or whatever is on the rcs.consulting page, or even the cremation society of vermont page which i get if i ignore the certificate issue using https.
     
  6. rsteuer

    rsteuer Member

    Thanks to both of you for replying. Yes to creating in ispconfig. Includes www sub-domain in cert and ISPConfig. All was working fine until the cert had to be installed because it was due for renewal. Same cert provider, no config changes. The www redirect was working fine. All sites should be using * (as it's the default in ISPConfig, I believe. Too many to check each of them).
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer

    The point is, if you have one set to www.rcs.consulting's ip address, but www.rcs.consulting is using '*', you will have a problem; you really should take the time to check. While you're at it, you might ensure that rcs.consulting's autosubdomain setting is actually set to 'www'. 'apachectl -S' will show your virtualhost config in an easy-to-scan fashion.
     
  8. nhybgtvfr

    nhybgtvfr Active Member

    regardless of the certificate issue, there must be something wrong with the vhost configuration, either for the rcs.consulting config itself, or a config error on another which will affect the whole server, such as the mixed usage of IPs and *.
    if as you say, it was working before, and i assume there is an actual CMS or static website with relevant rcs.consulting content there, then accessing the http version of www.rcs.consulting should not be displaying the apache default page, that can only happen if the rcs.consulting port 80 virtualhost configuration is wrong, or can't be found.
     
  9. nhybgtvfr

    nhybgtvfr Active Member

    also, in regards to having too many sites to check all the configs, that isn't a problem.
    the following mysql command, run against the master dbispconfig database will list all vhosts in order, along with their ip settings.
    Code:
    select domain, ip_address, ipv6_address from web_domain where type like 'vhost%' order by domain;
    
    it could be limited further by querying where the ip_address is not equal to "*", but this should be enough, shouldn't take long to scan through that result list.
     
    Last edited: Jul 9, 2020
  10. rsteuer

    rsteuer Member

    Thanks again. The command indicated all sites are listed with "*" and none with an IP. I also checked several sites and they are coming up without issue. The site was created through ISPConfig CP and is running WordPress CMS. Again, until the cert was replaced, everything was fine.

    I've gone through the .vhost file and cannot see any issues, although I'm certainly not that familiar with the config files.
     
  11. rsteuer

    rsteuer Member

    The original index.html had been renamed so that the WP site files would load. I just removed the ssl tick from ISPConfig, renamed the index.html back to its original name and the default Apache page loads under http://rcs.consulting which is redirected to www.rcs.consulting. With the index.html renamed to index.html.bk again, and with the ssl tick still removed, the address bar indicates www.rcs.consulting but the Cremation Society site is returned.

    So, my guess is that it isn't a cert issue but I have no idea where to go with this. I tried running a sync in ISPConfig (long shot) but that didn't help.
     
  12. nhybgtvfr

    nhybgtvfr Active Member

    what is actually on www.rcs.consulting? is it a cms like wordpress? a static hard-coded site?

    i would suggest now, posting screenshots of the website settings, primarily the domain and redirect tabs, as well as any custom php.ini or apache directives if applied, as well as the contents of the .htaccess file if it exists, and the entire rcs.consulting.vhost file.
     
  13. rsteuer

    rsteuer Member

    As mentioned previously, Wordpress site and all sites are using "*" for an IP addr.

    To be absolutely clear, the only steps taken at the beginning of June were:
    1. Delete the existing certificate through Control Panel, as it was due to expire.
    2. Create new CSR through CP.
    3. Submit CSR and receive new cert and bundle from CA.
    4. Delete the self-signed cert and install new cert and bundle from CA through CP.
    5. Test site and found it was directing to another site.
    6. Tested cert through sslshopper.com and found cert was fine.
    No other changes were made. Nothing to the site files, nothing to php.ini. No redirects on the redirect tab in CP. If changes were made to .vhost, it was as a result of scripts running during the certificate install by ISPConfig.
     
  14. rsteuer

    rsteuer Member

    Anyone?
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  16. rsteuer

    rsteuer Member

    While I didn't post screenshots, I replied in 13. But, screenshots:
    [attached screenshots: upload_2020-7-13_9-31-28.png, upload_2020-7-13_9-32-30.png]
     
  17. rsteuer

    rsteuer Member

    can't post .vhost as it exceeds allowed characters. Don't see an option for uploading files.
     
  18. nhybgtvfr

    nhybgtvfr Active Member

    you can post part of it in one post and the rest in a second post.

    regardless of that though, that screenshot shows that auto-subdomain is set to none. this is why it's not working. either the www subdomain doesn't exist in a vhost config, you added it manually to the vhost config file, or it exists as a separate vhost.
    since http://www.rcs.consulting loads the default ubuntu apache welcome page, i'm going to assume it just doesn't exist.
    set auto-subdomain to www. and you'll find most of your issues will magically disappear like a Trumpian coronavirus.

    it explains the certificate showing the correct details as well: https://rcs.consulting will be returning the correct cert details to sslshopper.com, it's the redirect to www.rcs.consulting (probably what's set as the host url / home in the wordpress wp_options table) where it can't find the vhost and loads the cremation one, and returns that vhost's cert.
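    As an added illustration of the vhost fallback described in posts 2 and 18 (this is not code from the thread, from ISPConfig or from Apache): the script below parses a constructed set of vhost files shaped like the one posted later in the thread, applies Apache's name-based selection rule, and shows why www.rcs.consulting lands on the first *:443 vhost (the cremation site's, which answers with that site's certificate) and on the Ubuntu default page for *:80, while rcs.consulting itself is served correctly. The file names, the cremationsociet.com vhost and the 000-default vhost are assumptions made for the sample.

```python
import re
from fnmatch import fnmatch

# Constructed sample, not the thread's real files: trimmed vhosts as Apache loads them
# from sites-enabled (alphabetical). The rcs.consulting vhost mirrors the posted one:
# ServerAlias entries for ti-vault.com, but none for www.rcs.consulting.
SAMPLE_CONFIGS = {
    "000-default.conf": "<VirtualHost *:80>\nDocumentRoot /var/www/html\n</VirtualHost>\n",
    "cremationsociet.com.vhost": (
        "<VirtualHost *:80>\nServerName cremationsociet.com\n"
        "ServerAlias www.cremationsociet.com\n</VirtualHost>\n"
        "<VirtualHost *:443>\nServerName cremationsociet.com\n"
        "ServerAlias www.cremationsociet.com\n"
        "SSLCertificateFile /var/www/clients/client1/web12/ssl/cremationsociet.com.crt\n"
        "</VirtualHost>\n"),
    "rcs.consulting.vhost": (
        "<VirtualHost *:80>\nServerName rcs.consulting\n"
        "ServerAlias www.ti-vault.com ti-vault.com\n</VirtualHost>\n"
        "<VirtualHost *:443>\nServerName rcs.consulting\n"
        "ServerAlias www.ti-vault.com ti-vault.com\n"
        "SSLCertificateFile /var/www/clients/client1/web45/ssl/rcs.consulting.crt\n"
        "</VirtualHost>\n"),
}
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(configs):
    """Vhosts in Apache load order: files sorted by name, blocks in file order."""
    vhosts = []
    for fname in sorted(configs):
        for m in VHOST_RE.finditer(configs[fname]):
            vh = {"file": fname, "addr": m.group(1).strip(), "names": [], "cert": None}
            for line in m.group(2).splitlines():
                parts = line.split()
                key = parts[0].lower() if parts else ""
                if key in ("servername", "serveralias"):
                    vh["names"] += [p.lower() for p in parts[1:]]
                elif key == "sslcertificatefile":
                    vh["cert"] = parts[1]
            vhosts.append(vh)
    return vhosts

def select_vhost(vhosts, host, port):
    """Name-based matching: the first vhost on this port whose ServerName/ServerAlias
    (wildcards allowed) matches the Host header wins; if none matches, the FIRST vhost
    defined for that port is Apache's default and answers with its own certificate."""
    candidates = [v for v in vhosts if v["addr"].endswith(":%d" % port)]
    for v in candidates:
        if any(fnmatch(host.lower(), pat) for pat in v["names"]):
            return v
    return candidates[0] if candidates else None

def explain(configs, host, port):
    """One-line verdict: which file and cert answer, and whether it really matched."""
    vh = select_vhost(parse_vhosts(configs), host, port)
    if vh is None: return "%s:%d -> nothing listens on that port" % (host, port)
    how = "matched" if any(fnmatch(host.lower(), p) for p in vh["names"]) else "DEFAULT (no match)"
    return "%s:%d -> %s [%s] cert=%s" % (host, port, vh["file"], how, vh["cert"])

if __name__ == "__main__":
    for host, port in (("rcs.consulting", 443), ("www.rcs.consulting", 443), ("www.rcs.consulting", 80)):
        print(explain(SAMPLE_CONFIGS, host, port))
```

    Adding `ServerAlias www.rcs.consulting` to both rcs.consulting blocks (what ISPConfig's auto-subdomain = www does) makes the www host match instead of falling through to the default vhost.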
     
  19. rsteuer

    rsteuer Member

    Partial .vhost file (note the www. ServerAlias - not sure why it's not showing in CP - definitely not added by hand. Never touched .vhost file):

    <Directory /var/www/rcs.consulting>
    AllowOverride None
    Require all denied
    </Directory>
    <VirtualHost *:80>
    DocumentRoot /var/www/rcs.consulting/web
    ServerName rcs.consulting
    ServerAlias www.ti-vault.com ti-vault.com
    ServerAlias www.rcsconsulting.com rcsconsulting.com
    ServerAdmin [email protected]
    ErrorLog /var/log/ispconfig/httpd/rcs.consulting/error.log
    Alias /error/ "/var/www/rcs.consulting/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html
    <IfModule mod_ssl.c>
    </IfModule>
    <Directory /var/www/rcs.consulting/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web45 client1
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
    FcgidIdleTimeout 300
    FcgidProcessLifeTime 3600
    # FcgidMaxProcesses 1000
    FcgidMaxRequestsPerProcess 5000
    FcgidMinProcessesPerClass 0
    FcgidMaxProcessesPerClass 10
    FcgidConnectTimeout 3
    FcgidIOTimeout 600
    FcgidBusyTimeout 3600
    FcgidMaxRequestLen 1073741824
    </IfModule>
    <Directory /var/www/rcs.consulting/web>
    <FilesMatch "\.php[345]?$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
    Options +ExecCGI
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
    <FilesMatch "\.php[345]?$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
    Options +ExecCGI
    AllowOverride All
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTP_HOST} ^ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} ^www\.ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web45 client1
    </IfModule>
    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client1/web45/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client1/web45/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>
    </VirtualHost>
     
  20. rsteuer

    rsteuer Member

    2nd part of .vhost

    <VirtualHost *:443>
    DocumentRoot /var/www/rcs.consulting/web
    ServerName rcs.consulting
    ServerAlias www.ti-vault.com ti-vault.com
    ServerAlias www.rcsconsulting.com rcsconsulting.com
    ServerAdmin [email protected]
    ErrorLog /var/log/ispconfig/httpd/rcs.consulting/error.log
    Alias /error/ "/var/www/rcs.consulting/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
    SSLHonorCipherOrder on
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    SSLCertificateFile /var/www/clients/client1/web45/ssl/rcs.consulting.crt
    SSLCertificateKeyFile /var/www/clients/client1/web45/ssl/rcs.consulting.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    </IfModule>
    <Directory /var/www/rcs.consulting/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted
    </Directory>
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web45 client1
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
    FcgidIdleTimeout 300
    FcgidProcessLifeTime 3600
    # FcgidMaxProcesses 1000
    FcgidMaxRequestsPerProcess 5000
    FcgidMinProcessesPerClass 0
    FcgidMaxProcessesPerClass 10
    FcgidConnectTimeout 3
    FcgidIOTimeout 600
    FcgidBusyTimeout 3600
    FcgidMaxRequestLen 1073741824
    </IfModule>
    <Directory /var/www/rcs.consulting/web>
    <FilesMatch "\.php[345]?$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
    Options +ExecCGI
    AllowOverride All
    Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
    <FilesMatch "\.php[345]?$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
    FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
    Options +ExecCGI
    AllowOverride All
    Require all granted
    </Directory>
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTP_HOST} ^ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} ^www\.ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]
    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web45 client1
    </IfModule>
    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client1/web45/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client1/web45/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>
    </VirtualHost>
    <IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
    </IfModule>
     
