Author Topic: Problem with auto SSL  (Read 1362 times)

0 Members and 2 Guests are viewing this topic.

Offline
*
Problem with auto SSL
« on: February 05, 2024, 06:12:31 PM »
Hello, I'm having problems when trying to generate a new certificate, in the panel it is generated normally, but even after restarting the http services it continues to be an invalid certificate when accessing the website.

in the log /root/.acme.sh/acme.sh.log the following is displayed:

Code: [Select]
[Mon Feb  5 15:07:08 -03 2024] Cert success.
[Mon Feb  5 15:07:08 -03 2024] Your cert is in: /root/.acme.sh/cwp_certs/www.domainname.com.br_ecc/www.domainname.com.br.cer
[Mon Feb  5 15:07:08 -03 2024] Your cert key is in: /root/.acme.sh/cwp_certs/www.domainname.com.br_ecc/www.domainname.com.br.key
[Mon Feb  5 15:07:08 -03 2024] The intermediate CA cert is in: /root/.acme.sh/cwp_certs/www.domainname.com.br_ecc/ca.cer
[Mon Feb  5 15:07:08 -03 2024] And the full chain certs is there: /root/.acme.sh/cwp_certs/www.domainname.com.br_ecc/fullchain.cer
[Mon Feb  5 15:07:09 -03 2024] Installing cert to: /etc/pki/tls/certs/domainname.com.br.cert
[Mon Feb  5 15:07:09 -03 2024] Installing key to: /etc/pki/tls/private/domainname.com.br.key
[Mon Feb  5 15:07:09 -03 2024] Installing full chain to: /etc/pki/tls/certs/domainname.com.br.bundle
[Mon Feb  5 15:07:09 -03 2024] _on_issue_success
[Mon Feb  5 15:07:09 -03 2024] '' does not contain 'dns'

Offline
*
Re: Problem with auto SSL
« Reply #1 on: February 05, 2024, 06:23:27 PM »
Log off /usr/local/apache/domain.logs/domain.com.br.error.log

Code: [Select]
[ssl:warn] [pid 113854:tid 139925367125888] AH01909: domain.com.br:443:0 server certificate does NOT include an ID which matches the server name

Offline
*****
Re: Problem with auto SSL
« Reply #2 on: February 05, 2024, 07:19:02 PM »
Would need the actual domain name to do some remote testing for you.

What you posted doesn't look fully generated from CWP. As there is no directory /usr/local/apache/domain.logs.
/usr/local/apache isn't even used for domains or SSL certificates.
The certificate name also has the wrong extension than what CWP uses.

Is this a public IP VPS/Dedicated server or NAT?

How was this certificate supposedly generated?

What does it show under WebServer Settings -> SSL Certificates under the 'Signed' column?

Maybe do a screenshot of that and post also.
« Last Edit: February 05, 2024, 07:26:58 PM by Starburst »

Offline
*
Re: Problem with auto SSL
« Reply #3 on: February 06, 2024, 11:31:57 AM »
Firstly, thank you very much!
And here is the answer to the questions:

The domain is casaautomacao.com.br

Yes, it is a machine with two public addresses linking directly to it.

I am generating the certificate directly in 'SSL Certificates -> AutoSSL [FREE]'
When generating it, it is generated without any problem, even displaying the completed message without errors.

Signed by Let's Encrypt

« Last Edit: February 06, 2024, 11:37:22 AM by jefersonsens »

Offline
*****
Re: Problem with auto SSL
« Reply #4 on: February 06, 2024, 12:23:29 PM »
Try this:

Under WebServer Settings -> SSL Certificates, remove all the certificates.
(Tests show a valid certificate for domain, but not hostname)

https://www.hardenize.com/report/casaautomacao.com.br/1707220320#www_certs
https://www.sslcerty.com/certificate?h=casaautomacao.com.br%3A443
https://www.geocerts.com/ssl-checker
https://www.ssllabs.com/ssltest/analyze.html?d=casaautomacao.com.br


The hostname/server name should not be your main domain name, but a subdomain like srv1.domain.com (I'll use this as an example below)

Then under the CLI run:
/root/.acme.sh/acme.sh --set-default-chain --preferred-chain  "ISRG Root X1"

Then back to the admin interface, under Server Settings -> Change Hostname
It should show (Should show your sub-domainname for server here):

Your Hostname is: srv1.domain.com
rDNS/PTR = srv1.domain.com [SUCCESS]

Click on the Blue Bar if everything is OK, and wait a few seconds.

Then log out, and close that browser window.
Re-login to the admin console at https://srv1.domain.com:2031/login/index.php
You should show the page as being secure.

No go back under WebServer Settings -> SSL Certificates and generate a new Free certificate for the domain, and the test links above should all be green, with no problems showing a certificate mismatch.

Let me know.

Offline
*
Re: Problem with auto SSL
« Reply #5 on: February 06, 2024, 01:17:05 PM »
I did what you said, but the problem continues.
When generating certificates for other domains on the same server, the certificate is generated without a problem.

Regarding rDNS/ptr it is shown as:
rDNS/PTR = FAILED, check with your hosting provider!

However my rnds is configured correctly
cwp02.ht.inf.br -> 198.49.71.200
cwp02.ht.inf.br -> 198.49.71.199

198.49.71.200 -> cwp02.ht.inf.br
198.49.71.199 -> cwp02.ht.inf.br

Carrying out the tests using nslookup, I already identify that both are ok.
To ensure I still used the website https://mail.terra.com.br/postmaster/ inserting my server addresses.
The certificate used when accessing the server cwp02.ht.inf.br:2087 is presented correctly, without any problems.

Offline
*****
Re: Problem with auto SSL
« Reply #6 on: February 06, 2024, 01:21:38 PM »
Go to your providers and get your rDNS for the hostname fixed, then generate that certificate.

This isn't handled by your DNS.

I think that's the root cause of your problems.

What is the hostname?, and I can check that in a little while.

Offline
*
Re: Problem with auto SSL
« Reply #7 on: February 06, 2024, 01:34:36 PM »
My rnds is ok.
Follow the tests below
Using the website provided previously:

IP: 198.49.71.199

IP: 198.49.71.200


Using nslookup with google dns servers




Or is there some other way to check rDNS that I don't know about?

Offline
*****
Re: Problem with auto SSL
« Reply #8 on: February 06, 2024, 03:35:47 PM »
When I run a SSL check on the hostname: cwp02.ht.inf.br

On 1 test I get:
None of the common names in the certificate match the name that was entered (cwp02.ht.inf.br). You may receive an error when accessing this site in a web browser. Learn more about name mismatch errors.

The certificate comes back to abaelevadores.com.br

So there is clearly a misconfiguration with the hostname, the hostname should be only going to 1 IP address, the base IP.
You have it going to 2 different IP's for some reason. 198.49.71.199 & .200.
That is not the correct way to setup the hostname IP.

The correct way to setup the hostname, would create the subdomain, like you did, point it to 1 IP, which will be your servers base IP.
Create the rDNS at the upstream, and then create the hostname SSL.

Now if you want to do 2 DNS servers, and example would be:
dns1.ht.inf.br 198.49.71.199
dns2.ht.inf.br 198.49.71.200

of course you couldn't create a rDNS for .199, since it's already pointing to the hostname. But that is a minor issue, that really shouldn't affect anything.

From the looks of it, .200 is your base IP, and you have .199 setup as your shared IP.
If that is so, remove the DNS & rDNS entries for cwp02.ht.inf.br that points to .199, and do the certificates over.

You will also have to look at how your host file is setup.