
Resolved SSL certificate error (multiple certificates)

webolot

New Pleskian
Server operating system version
Ubuntu 20.04.6
Plesk version and microupdate number
Version 18.0.53 Update #2, last updated on June 21, 2023 06:26 AM
I've been using Plesk for years and Obsidian for the last two years. No problems until a few days ago.

I'm using the Let's Encrypt extension for SSL certificates.

Now, sometimes (not always), when I visit one of my hosted sites, I see an SSL certificate error in my browser (tested on multiple browsers: Firefox, Safari and Chrome; tested on multiple devices: Android phones, iPhone, computers) ...


1688982697218.png

Seems that Apache has two certificates for the domain restaurantsumac.com ...


1688982993430.png

1688982792482.png


1688982798720.png


How is that possible?!

I have a lot of other domains, for example now-photo.com, and they work well: SSL Server Test: now-photo.com (Powered by Qualys SSL Labs)

If it can help... restaurantsumac.com is the latest domain (by date) added to this Plesk server.
 
For more information, the Plesk DB says the webolot.com certificate is only used for webolot.com, not for restaurantsumac.com ....

MariaDB [psa]> select id, name from certificates where name = 'Lets Encrypt webolot.com';
+-----+--------------------------+
| id  | name                     |
+-----+--------------------------+
| 103 | Lets Encrypt webolot.com |
+-----+--------------------------+
1 row in set (0,001 sec)

MariaDB [psa]> select d.name from domains d inner join hosting h on h.dom_id = d.id where h.certificate_id = 103;
+-------------+
| name        |
+-------------+
| webolot.com |
+-------------+
1 row in set (0,000 sec)

MariaDB [psa]> select d.name,certificate_id from domains d inner join hosting h on h.dom_id = d.id where d.name = 'restaurantsumac.com';
+---------------------+----------------+
| name                | certificate_id |
+---------------------+----------------+
| restaurantsumac.com |            137 |
+---------------------+----------------+
1 row in set (0,000 sec)

MariaDB [psa]> select d.name from domains d inner join hosting h on h.dom_id = d.id where h.certificate_id = 137;
+---------------------+
| name                |
+---------------------+
| restaurantsumac.com |
+---------------------+
1 row in set (0,000 sec)
 
I've been using Plesk for years and Obsidian for the last two years. No problems until a few days ago.
I'm using the Let's Encrypt extension for SSL certificates.
Now, sometimes (not always), when I visit one of my hosted sites, I see an SSL certificate error in my browser (tested on multiple browsers: Firefox, Safari and Chrome; tested on multiple devices: Android phones, iPhone, computers) ...
"Sometimes" isn't a confidence-building result that's derived from accurate testing and/or a correctly configured domain / hosting server ;)
Seems that Apache has two certificates for the domain restaurantsumac.com ...
Only if your own / the current configuration has been set up in such a way as to require that... It's not two certificates for one domain. It's one certificate for a domain (restaurantsumac.com in your first example) and one certificate for the host name / hosting server in the certificate chain. If the 2nd (and/or 3rd etc.) certificate in the chain isn't covered with, say, a SAN certificate** being utilised by the host name / hosting server in the certificate chain, one which does include the domain (restaurantsumac.com in your example), then depending on the fine details of the config, there will (usually) always be a name mismatch shown on the 2nd certificate (and/or 3rd etc.) in the chain on Qualys SSL Labs tests. ** There are other config possibilities but this one is an easy one to show.

Indeed, that is the case on both of the domains that you have included in your post, i.e. restaurantsumac.com (Name Mismatch on both 2nd and 3rd Certificate) and now-photo.com (Name Mismatch on 2nd Certificate). You might have misread the test page on now-photo.com but there's definitely a Name Mismatch showing on its current Qualys SSL Labs test.

restaurantsumac.com >>> SSL Server Test: restaurantsumac.com (Powered by Qualys SSL Labs)
now-photo.com >>> SSL Server Test: now-photo.com (Powered by Qualys SSL Labs)
Plus FWIW
www.webalot.com >>> SSL Server Test: www.webolot.com (Powered by Qualys SSL Labs)
How is that possible?!
See above, but for absolute clarity, from a different perspective, also have a look at these:
restaurantsumac.com >>> SSL Checker
now-photo.com >>> SSL Checker
Nothing wrong with the certificates when viewed here, but have a look at the Reverse IP lookup on those two ^^ domains...
Plus, again just for FWIW
www.webalot.com >>> https://decoder.link/sslchecker/www.webolot.com/443
This one ^ obviously has the correct Reverse IP lookup value on it.

There are many other ways / sites available to run lots of different checks and tests on this, but this one ^^ is fast and it's easy to see the Reverse IP lookup on
I have a lot of other domains, for example now-photo.com, and they work well: SSL Server Test: now-photo.com (Powered by Qualys SSL Labs)
That's not the case unfortunately (see previous ^^), i.e. using now-photo.com as an example
If it can help... restaurantsumac.com is the latest domain (by date) added to this Plesk server.
It's not just that domain.
Not sure if www.webalot.com is your own host named server (guessing it might be?) but regardless of whether it is or is not, the certificates that you currently hold for domains on that host name / hosting server will all, probably always, show a Name Mismatch on the 2nd (and/or 3rd etc.) certificates in the chain on Qualys SSL Labs tests unless some re-configuration is carried out etc.
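The name-mismatch point above is easy to verify directly rather than only through a third-party test page. The script below is an added example, not code from this thread, from Plesk or from Qualys: it fetches the leaf certificate a server presents when the client sends SNI and when it does not (the "No SNI" certificate entry that later shows up in the SSL Labs screenshots is the second case), and checks whether the requested hostname is covered by each certificate's subjectAltName list. It assumes an OpenSSL 1.1.1 or later command line (for `-noservername` and `x509 -ext`) and a host reachable on port 443; the SAN-parsing and hostname-matching functions themselves work offline on a SAN string.

```shell
#!/bin/sh
# Added example (not from the thread): does the certificate served with and
# without SNI actually cover the requested hostname?
# Assumes openssl >= 1.1.1 (for -noservername and x509 -ext).

# Print the subjectAltName extension of the leaf certificate that $1 serves
# on port 443; $2 is "sni" or "nosni".
fetch_san() {
  host=$1
  if [ "$2" = "sni" ]; then
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null
  else
    openssl s_client -connect "$host:443" -noservername </dev/null 2>/dev/null
  fi | openssl x509 -noout -ext subjectAltName 2>/dev/null
}

# RFC 6125 style match of hostname $2 against one DNS pattern $1:
# exact match, or a leading "*." that stands for exactly one label.
dns_name_matches() {
  pattern=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case $pattern in
    \*.*)
      suffix=${pattern#\*.}
      first=${name%%.*}
      rest=${name#*.}
      if [ -n "$first" ] && [ "$first" != "$name" ] && [ "$rest" = "$suffix" ]; then
        return 0
      fi
      return 1
      ;;
    *)
      if [ "$pattern" = "$name" ]; then return 0; fi
      return 1
      ;;
  esac
}

# Return 0 if any DNS: entry in the SAN text $1 covers hostname $2.
# The text is what "openssl x509 -ext subjectAltName" prints, e.g.
#   X509v3 Subject Alternative Name:
#       DNS:example.com, DNS:www.example.com
san_covers() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p' | {
    while IFS= read -r entry; do
      if dns_name_matches "$entry" "$2"; then exit 0; fi
    done
    exit 1
  }
}

# Report both cases for one hostname. A mismatch in the "nosni" row is the
# default-vhost certificate, which is what a test page reports as a name
# mismatch on a further certificate; a mismatch in the "sni" row means the
# vhost itself is serving the wrong certificate.
check_host() {
  host=$1
  for mode in sni nosni; do
    san=$(fetch_san "$host" "$mode")
    if [ -z "$san" ]; then
      printf '%s %-5s no certificate / SAN retrieved\n' "$host" "$mode"
    elif san_covers "$san" "$host"; then
      printf '%s %-5s OK: certificate covers the name\n' "$host" "$mode"
    else
      printf '%s %-5s NAME MISMATCH: served certificate does not cover the name\n' "$host" "$mode"
    fi
  done
}

# Usage: sh check_sni.sh example.com   (hypothetical file name)
if [ "$#" -gt 0 ]; then check_host "$1"; fi
```

Run it against each hosted domain from outside the server; a vhost whose "sni" row is fine but whose "nosni" row mismatches is configured as the thread describes, while a "sni" mismatch that comes and goes between runs is the kind of inconsistency a stale server process produces.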
 
WOW! Thanks for your answer @learning_curve

"Sometimes" isn't a confidence-building result that's derived from accurate testing and/or a correctly configured domain / hosting server ;)
True! But it is so... I have been able to see the error 1 time out of the 100 tests I have done, and the final customer also says that it only happens with some users, without finding a specific pattern o_O

There are many other ways / sites available to run lots of different checks and tests on this, but this one ^^ is fast and it's easy to see the Reverse IP lookup on
Thanks!

It's not just that domain.
Not sure if www.webalot.com is your own host named server (guessing it might be?) but regardless of whether it is or is not, the certificates that you currently hold for domains on that host name / hosting server will all, probably always, show a Name Mismatch on the 2nd (and/or 3rd etc.) certificates in the chain on Qualys SSL Labs tests unless some re-configuration is carried out etc.
Again, you are right: it's not just that domain. I misread the Qualys test, and it always shows a name mismatch for a 2nd certificate, but with a subtle difference in the SNI section.

FYI: webolot.com (not webalot.com) is one of my domains too.

By now, it seems I found the solution. Really not me, the Plesk support team:

checked the server and I see that there is a thread that was launched on Jun 7th:
ps aux|grep apache | grep -v grep
root       16055  0.0 10.1 28560168 6697724 ?  Ss   Mar10   3:47 /usr/sbin/apache2 -k start
www-data  351120  0.0  0.4 28500112  315336 ?  S    16:32   0:00 /usr/sbin/apache2 -k start
www-data  351121  0.0  0.4 28501288  314812 ?  S    16:32   0:00 /usr/sbin/apache2 -k start
www-data  351125  0.3  0.5 30565344  340912 ?  Sl   16:32   0:18 /usr/sbin/apache2 -k start
www-data  351153  0.8  0.5 30565112  350612 ?  Sl   16:32   0:48 /usr/sbin/apache2 -k start
www-data 2870813  0.0  0.4 24048024  294324 ?  Sl   Jun07  36:37 /usr/sbin/apache2 -k start   <<<!!!!
This thread survived Apache reloads and still has old configuration and old certificates in memory.

I restarted apache2 service and I hope this is the solution.
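The support team spotted the left-over worker by eye in the ps output above. As an added example (not the support team's or Plesk's script), the sh script below automates that check: it lists apache2 processes with their elapsed lifetime and flags any non-root worker that is far older than the newest worker, which is exactly what a worker that survived a graceful reload looks like. It assumes procps-ng's ps with the `etimes` column and the `apache2` process name, as on Ubuntu 20.04; the sample process list embedded in it is constructed from the PIDs in the post with made-up lifetimes.

```shell
#!/bin/sh
# Added example (not from the thread): flag apache2 workers that outlived a
# reload and may still serve old configuration and certificates.
# Assumes procps-ng ps (the "etimes" column) and the process name "apache2".

# Live listing, one process per line, no header:
#   pid user elapsed-seconds args
ps_apache_workers() {
  ps -o pid=,user=,etimes=,args= -C apache2
}

# Read such lines on stdin and print the PIDs of non-root workers that are
# older than the newest worker by more than $1 seconds (default 600).
# Workers of one generation start within seconds of each other; a worker
# left over from an earlier generation stands out by hours or days.
find_stale_workers() {
  awk -v tol="${1:-600}" '
    $2 != "root" { pid[NR] = $1; age[NR] = $3 + 0; n++ }
    END {
      if (n == 0) exit 0
      min = -1
      for (i = 1; i <= NR; i++)
        if ((i in age) && (min < 0 || age[i] < min)) min = age[i]
      for (i = 1; i <= NR; i++)
        if ((i in age) && age[i] > min + tol) print pid[i]
    }'
}

# Constructed sample in the shape of ps_apache_workers output: the PIDs are
# the ones from the post, the lifetimes are made up (master months old,
# four workers about 20 minutes old, one worker about a month old).
SAMPLE='16055 root 10000000 /usr/sbin/apache2 -k start
351120 www-data 1200 /usr/sbin/apache2 -k start
351121 www-data 1200 /usr/sbin/apache2 -k start
351125 www-data 1190 /usr/sbin/apache2 -k start
351153 www-data 1180 /usr/sbin/apache2 -k start
2870813 www-data 2900000 /usr/sbin/apache2 -k start'

# Report on the live process table ("--live") or, by default, the sample.
report() {
  if [ "$1" = "--live" ]; then input=$(ps_apache_workers); else input=$SAMPLE; fi
  stale=$(printf '%s\n' "$input" | find_stale_workers)
  if [ -n "$stale" ]; then
    printf 'stale apache2 worker(s), possibly serving old config/certificates: %s\n' "$stale"
    printf 'remedy used in this thread: restart the apache2 service, not only reload it\n'
  else
    printf 'no stale apache2 workers found\n'
  fi
}

report "$@"
```

On the sample the script reports PID 2870813, the same process the support team marked. Running it with `--live` after every certificate renewal or reload, and alerting when it prints anything, catches this failure mode before a customer sees an intermittent certificate error.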
 
FYI: webolot.com (not webalot.com) is one of my domains too.
Sorry! Yes, for some odd reason we mistyped the text part :rolleyes: (webalot), which has been repeated, but all of the test links were for the correct domain, webolot
By now, it seems I found the solution. Really not me, the Plesk support team:

ps aux|grep apache | grep -v grep
root       16055  0.0 10.1 28560168 6697724 ?  Ss   Mar10   3:47 /usr/sbin/apache2 -k start
www-data  351120  0.0  0.4 28500112  315336 ?  S    16:32   0:00 /usr/sbin/apache2 -k start
www-data  351121  0.0  0.4 28501288  314812 ?  S    16:32   0:00 /usr/sbin/apache2 -k start
www-data  351125  0.3  0.5 30565344  340912 ?  Sl   16:32   0:18 /usr/sbin/apache2 -k start
www-data  351153  0.8  0.5 30565112  350612 ?  Sl   16:32   0:48 /usr/sbin/apache2 -k start
www-data 2870813  0.0  0.4 24048024  294324 ?  Sl   Jun07  36:37 /usr/sbin/apache2 -k start   <<<!!!!

I restarted apache2 service and I hope this is the solution.
Can you post a link to the actual thread that you found this ^ in? Assuming that you've completed that exercise ^ now, so.... what's the result? i.e. Are those Name MisMatch warnings still in place? It will be interesting if they are not, as surely you'll still be hosting your domains on your own webolot.com server (unchanged status from previous) even after your apache2 fix above, which (depending on what you may have changed certificate config-wise very recently) almost certainly means that the Qualys SSL Labs tests would still issue these warnings.
 
Can you post a link to the actual thread that you found this ^ in?

I can't post the link because it is a private conversation between me and the Plesk support team (paid support at https://support.plesk.com).

Assuming, that you've completed that exercise^ now, so.... what's the result?

Yes, I restarted apache2 and the "survivor" process has disappeared.

By now, I cannot confirm the issue has been solved because (as I said in previous messages) this happens randomly.

i.e. Are those Name MisMatch warnings still in place?

Yes and no ;) Take a look ...

1689061248085.png

1689061206473.png

Now, the Qualys test results are the same for restaurantsumac.com, now-photo.com or any other hosted domain.

I hope that indicates the problem is solved.

We will find out in the next few days. Meanwhile, the Plesk team keeps the ticket on hold.
 

I can't post the link because it is a private conversation between me and the Plesk support team (paid support at https://support.plesk.com).
Understood. From the original post, I thought it was somebody else who had included some details of their Plesk Support Team findings within another thread.
Yes, I restarted apache2 and the "survivor" process has disappeared.
That will be just as the Plesk Support Team and yourself expected. That's good.

However, unless you've made some pretty significant changes to the newer certificates that are now correctly being used (changes that you've not yet posted details of, which is unlikely), I'm pretty sure that this fix alone will not solve your Qualys SSL Labs test Name MisMatch warnings (on the 2nd and/or 3rd etc. certificates in the chain) on all of your domains that are hosted on your own server (webolot.com).
By now, I cannot confirm the issue has been solved because (as I said in previous messages) this happens randomly.
Again, pretty sure this will not be random at all now, and as per the last point above, they will remain consistent unless / until you make some config changes
Yes and no ;) Take a look ...
Yes, see further (below)
Now, the Qualys test results are the same for restaurantsumac.com, now-photo.com or any other hosted domain.
The changes that you've highlighted, i.e. certificate #1 transparency and certificate #2 No SNI & DNS CAA & transparency on the snapshots that you've posted from the Qualys SSL Labs tests, which are driven by the Plesk Support Team's apache_2 fix and its subsequent restart by you, are great progress, but... they were not the reason for the Name MisMatch warnings anyway. That's attributable to the certificate chain, as administered by yourself / your current config / setup etc. You can quite safely just ignore these (as many people regularly do) but to completely remove them, you would need to change your current configuration (as mentioned in post #3 above). If you're still concerned about SSL certificate warnings, these shouldn't really happen any more, if they were originally relevant only to the items contained within the apache_2 fix. You'll have to double-check this by testing yourself, viewing the full reports, seeing the warning cause(s).

FWIW one relatively simple thing that you could do is to improve your choice of cipher suites that are being used (on webolot.com and all the hosted domains).
If you look at all of your own Qualys SSL Labs test results, you'll see lots and lots of weak cipher suites still in use. Some (sensitive) security checks might (due to their own acceptance criteria...) produce warnings as a result of this. For cross reference, attached is a screen-grab image from one of our own hosted domains.
CS.jpg
I hope that indicates the problem is solved.
We will find out in the next few days. Meanwhile, the Plesk team keeps the ticket on hold.
Without doubt, the Plesk Team's fix was, and should continue to remain, successful. That ticket will be closed in due course.

The irony really is that because of this ^ issue and subsequent fix, you've now seen a different set of 'warnings' which are unrelated to that ^ issue and fix.
It's your own free choice what to do next (if anything - depends on your own importance rating) re: all of those Qualys SSL Labs Name MisMatch warnings.
 
However, unless you've made some pretty significant changes to the newer certificates that are now correctly being used (changes that you've not yet posted details of, which is unlikely), I'm pretty sure that this fix alone will not solve your Qualys SSL Labs test Name MisMatch warnings (on the 2nd and/or 3rd etc. certificates in the chain) on all of your domains that are hosted on your own server (webolot.com).
Yes, I know, but I'm not concerned about that point. Anyway, thanks for letting me know

Again, pretty sure this will not be random at all now, and as per the last point above, they will remain consistent unless / until you make some config changes

The most consistent option that I can think of (and my hope, because I would like to say that the problem has been solved) is that this one process that was a "zombie" had an erroneous certificate in memory. This erroneous certificate would be a certificate that I used temporarily while doing the web migration (before I migrated the domain permanently).

That's why it happened randomly: If the apache process serving the web was this zombie, the certificate error appeared, if it was one of the other apache processes, the error did not appear.

But it's just a guess!

The changes that you've highlighted, i.e. certificate #1 transparency and certificate #2 No SNI & DNS CAA & transparency on the snapshots that you've posted from the Qualys SSL Labs tests, which are driven by the Plesk Support Team's apache_2 fix and its subsequent restart by you, are great progress, but... they were not the reason for the Name MisMatch warnings anyway. That's attributable to the certificate chain, as administered by yourself / your current config / setup etc. You can quite safely just ignore these (as many people regularly do) but to completely remove them, you would need to change your current configuration (as mentioned in post #3 above). If you're still concerned about SSL certificate warnings, these shouldn't really happen any more, if they were originally relevant only to the items contained within the apache_2 fix. You'll have to double-check this by testing yourself, viewing the full reports, seeing the warning cause(s).

FWIW one relatively simple thing that you could do is to improve your choice of cipher suites that are being used (on webolot.com and all the hosted domains).
If you look at all of your own Qualys SSL Labs test results, you'll see lots and lots of weak cipher suites still in use. Some (sensitive) security checks might (due to their own acceptance criteria...) produce warnings as a result of this. For cross reference, attached is a screen-grab image from one of our own hosted domains.

Without doubt, the Plesk Team's fix was, and should continue to remain, successful. That ticket will be closed in due course.

The irony really is that because of this ^ issue and subsequent fix, you've now seen a different set of 'warnings' which are unrelated to that ^ issue and fix.
It's your own free choice what to do next (if anything - depends on your own importance rating) re: all of those Qualys SSL Labs Name MisMatch warnings.

Thanks again, but as I said I'm not concerned about that point.
 