User domain uses wrong (system hostname) certificate

BarryStaes

Problem is a new user's domains with Let's Encrypt use the wrong (system hostname) certificate.
Therefore the Chrome browser shows error "NET::ERR_CERT_COMMON_NAME_INVALID".

So I dug and yes .. it turns out there are multiple certificate file entries in the user's httpd.conf file.

I found that the certificate file of that user domain is correct.
However the user domain httpd.conf file contains multiple SSL entries. First 1 correct block, and 5 referring to the system hostname certificate..

What might have caused this?
This is a new user with 6 domains and uses one letsencrypt.
 
Ugh this forum is a throwback..
  • I can't edit my post?!
  • pointless "I'm not a robot" questions with catchphrases that are not world wide. If I can google-guess them, any bot can.

duck, duck, _____!
 
Ugh this forum is a throwback..
  • I can't edit my post?!
  • pointless "I'm not a robot" questions with catchphrases that are not world wide. If I can google-guess them, any bot can.

duck, duck, _____!

The "I'm not a robot" questions are definitely a bit annoying. I can tell you that it eventually stops asking you those questions - though I'm not sure if it's only after X time, or if it's X posts. I'd say you're close to both.

I remember running across a list of answers posted somewhere, but for the life of me I can't find it now.

What might have caused this?
This is a new user with 6 domains and uses one letsencrypt.

What os/distro/version are you using? I'm assuming it's new enough to support SNI?
 
What os/distro/version are you using? I'm assuming it's new enough to support SNI?
Thanks for your response. I am using:
  • CentOS 7.0 64-Bit
  • DirectAdmin 1.51.4 (I'll update to 1.52.1 in a week or two)
  • letsencrypt_sh 1.0.16
  • SNI.. had not double-checked yet.. but I expect it's able. And file directadmin.conf has enable_ssl_sni=1 so yes.

I just noticed the user's original "main" domain SSL does work correctly. The other 5 domains are not.
I added those not as a pointer/alias, but normal domains.. to prevent problems like this. Go figure heh..
 
Perhaps it's a bug? Maybe try opening a ticket with DirectAdmin.

Can you post a domain that's not working correctly so I can visit the site and look?
 
Hello,

One of the possible reasons is that Apache did not restart after adding a new cert. For any reason.... just try and kill Apache and start it again.

Another reason might be if you used a letsencrypt.sh script instead of Directadmin interface for installing a cert. In certain cases a domain won't get httpd config for HTTPS version of a site...

So please check configs, make sure to restart apache and provide domain names if you still face the issue.
 
I found out that these domains had a problem a week ago. I since found that the server likely killed some processes due to high load (io-wait) a few days before this. So that's a suspected cause.
I restarted the entire server since then, did not help. Currently updating Apache amongst others, so that's another restart on its way..

Domains of same user:
The one domain above that does work was the first domain of this user, and first domain in the DA LE checkboxes list. The user was created less than a week ago, so after the server io-wait problem.

It's just that this certificate was not installed properly for each domain, I guess. The httpd.conf file looks suspicious with its duplicate entries, one of which is the hostname.. but I don't feel comfortable manually editing this because I don't know what's nominal here.
 
For posterity:

I just tried setting LetsEncrypt certificates again, and it's now working correctly.
I guess recent DirectAdmin / LetsEncrypt script 1.0.19 updates repaired my damaged files.

The file /usr/local/directadmin/data/users/userqlite/httpd.conf now looks normal, no duplicate domain entries (except :80 and :443 of course).
 
Hello,

One of the possible reasons is that Apache did not restart after adding a new cert. For any reason.... just try and kill Apache and start it again.
For posterity, part II: Had the same problem, and this fixed it with me (in my case, the problem was that nginx didn't want to restart - killed it, started again, bingo).

Old advice, but good advice. Thanks! :)
 
Well, this thread seems to be the one I need to be in. I've got somewhat the same problem.

My VPS is vps.mydomain.com and it hosts many domains. As a service provider, I'd like my clients to be able to use webmail.theirdomain.com and panel.theirdomain.com. When I create a wildcard, it fails because my slave DNS servers are too slow. So I go into DA, log in as the user, select all hostnames (theirdomain.com, mail.theirdomain.com, panel.theirdomain.com, webmail.theirdomain.com, etc.), leaving out www.theirdomain.com since it will be forwarded to https://theirdomain.com. The LE script finishes with no errors, but when I go to webmail.domain.com the certificate lists my vps.mydomain.com as hostname, not their webmail.theirdomain.com.

I have a virtual_host2.conf that contains:

<VirtualHost |IP|:|PORT_80| |MULTI_IP|>
ServerName webmail.|DOMAIN|
ServerAdmin |ADMIN|
RewriteEngine On
RewriteRule "^/$" "https://webmail.|DOMAIN|"
</VirtualHost>

<VirtualHost |IP|:|PORT_443| |MULTI_IP|>
ServerName webmail.|DOMAIN|
ServerAdmin |ADMIN|
DocumentRoot /var/www/html/roundcube/
</VirtualHost>

That should do it, right?
Yet, the certificate lists my primary hostname instead of 'theirdomain.com' or 'webmail.theirdomain.com', even though I selected 'webmail.theirdomain.com' in the LE-page.

What am I missing here?
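As an added diagnostic (not code from this thread, from DirectAdmin, or from its templates), the Python check below mirrors what the first post found in the user's httpd.conf and what the virtual_host2.conf template above leaves out: it parses the `<VirtualHost>` blocks and flags every :443 host whose SSLCertificateFile points at the system hostname certificate or that carries no SSLCertificateFile at all. The sample config, the hostname-cert path, the IP and the domain names are all constructed for the example.

```python
import re

# Constructed sample in the shape of a DirectAdmin per-user httpd.conf (names, paths, IP are made up).
SAMPLE_CONF = """<VirtualHost 203.0.113.10:443>
ServerName example.com
SSLEngine on
SSLCertificateFile /usr/local/directadmin/data/users/bob/domains/example.com.cert.combined
</VirtualHost>
<VirtualHost 203.0.113.10:443>
ServerName second.example
SSLEngine on
SSLCertificateFile /etc/httpd/conf/ssl.crt/server.crt
</VirtualHost>
<VirtualHost 203.0.113.10:443>
ServerName webmail.second.example
DocumentRoot /var/www/html/roundcube/
</VirtualHost>"""

# Assumed location of the system hostname certificate; adjust to your own server.
HOSTNAME_CERT = "/etc/httpd/conf/ssl.crt/server.crt"
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]*)>(.*?)</VirtualHost>", re.S | re.I)

def parse_vhosts(conf):
    """Return one dict per <VirtualHost> block: listening port, names and cert file."""
    hosts = []
    for addr, body in VHOST_RE.findall(conf):
        first = addr.split()[0]                      # e.g. 203.0.113.10:443
        port = first.rsplit(":", 1)[1] if ":" in first else None
        names, cert = [], None
        for line in body.splitlines():
            parts = line.split()
            if not parts: continue
            if parts[0].lower() in ("servername", "serveralias"):
                names.extend(parts[1:])
            elif parts[0].lower() == "sslcertificatefile":
                cert = parts[1]
        hosts.append({"port": port, "names": names, "cert": cert})
    return hosts

def audit(conf, hostname_cert):
    """Flag :443 vhosts that will not present the domain's own certificate."""
    findings = []
    for h in parse_vhosts(conf):
        if h["port"] != "443": continue
        name = h["names"][0] if h["names"] else "(no ServerName)"
        if h["cert"] is None:
            findings.append((name, "no SSLCertificateFile in this :443 block"))
        elif h["cert"] == hostname_cert:
            findings.append((name, "points at the system hostname certificate"))
    return findings
```

Run it against /usr/local/directadmin/data/users/<user>/httpd.conf and every flagged ServerName is one where the browser will see the hostname certificate rather than the domain's own; a clean run should return an empty list.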
 
login as the user, select all hostnames (theirdomain.com, mail.theirdomain.com, panel.theirdomain.com, webmail.theirdomain.com, etc
You can use a letsencrypt list for this. Add or remove the records you always want in the list and selected.

letsencrypt_list_selected


Code:
letsencrypt_list_selected=www

Ability to specify which DNS records will be automatically selected on the Let's Encrypt page.


letsencrypt_list


Code:
letsencrypt_list=www:mail:ftpop:smtp

Ability to select which DNS records to include in Let's Encrypt certificate.

Here is how to set up webmail.yourdomain.com
 
Hi Brent,

I did all that. I unselected the 'www' to not let LE do a wildcard and the website has a valid certificate. However, the webmail-part (with as DocRoot /var/www/html/roundcube) still gives me vps.mydomain.com as hostname instead of webmail.theirdomain.com. I'll look into your post to see if I've overlooked something. Thanks for your reply!
 
Hi Brent,

I did all that. I unselected the 'www' to not let LE do a wildcard and the website has a valid certificate. However, the webmail-part (with as DocRoot /var/www/html/roundcube) still gives me vps.mydomain.com as hostname instead of webmail.theirdomain.com. I'll look into your post to see if I've overlooked something. Thanks for your reply!
Not sure if this helps. Do you have this option force_hostname="vps.mydomain.com" set in directadmin.conf? This option will direct their webmail domain to your hostname if it is enabled. Related to this: https://www.directadmin.com/features.php?id=917
 
Not sure if this helps. Do you have this option force_hostname="vps.mydomain.com" set in directadmin.conf? This option will direct their webmail domain to your hostname if it is enabled. Related to this: https://www.directadmin.com/features.php?id=917
Hi Maxi,

I don't have that in my directadmin.conf. I do have 'servername' set to 'vps.mydomain.com' but that has nothing to do with certificates, does it?
 
Could it be that I'm missing something in my proxy forward? Perhaps Apache is forwarding the request and the docroot has the hostname vps.mydomain.com and sends it along with the page instead of the webmail.theirdomain.com cert? Not sure how to go about that. I'd like Apache to send the cert belonging to webmail.theirdomain.com instead of the site behind the proxy forward..
 