[BlueOnyx:22260] Re: Strange SSL Error

Colin Jack colin at mainline.co.uk
Thu Jul 19 03:40:18 -05 2018


Hi Michael,

We are still seeing this after an LE update.
> > On all my servers recently I have had a problem where all the SSL
> > sites will stop working. They seem to be redirecting to another site
> > on the server but the user just gets an invalid certificate error.
> >
> > I tried restarting but that did not work. I have to click into each
> > site, go to the Web settings and click save. Then that site works.
> > This must be done for all sites. Has anyone else seen this? Any ideas
> > how to fix it?
> 
> I received reports about this from another client a few days ago and we looked
> into it together. We weren't really certain what caused it and bit by bit we
> checked off what could have caused it.
> 
> We're falling into one of the culprits of SNI when we have multiple Vsites with
> SSL on the same IP. If SSL is not working for site B, we get shown the SSL
> certificate of site A instead, causing the certificate mismatch.
> 
> The underlying problem appears to be related to automated LE-cert renewals.
> Meaning: The problem usually only starts to manifest itself after an auto-
> renewal of an LE cert.
> 
> When we checked the certs were OK, the paths to the certs in the siteX
> VirtualHost containers were correct, yet toggling SSL off and back on for the
> Vsite in question seemed to solve the issue, whereas an Apache restart did
> sometimes not solve it.
> 
> I published a set of YUM updates for 5207R/5208R/5209R this morning which
> ties into base-apache and base-ssl to improve SSL handling. You may not yet
> have these.
> 
> I'm not saying these updates fix the problem altogether, as the exact cause is
> still a bit muddy. But it should help.
> 
> If it happens to you, please do the following to help with the diagnostics. Check
> *which* SSL certificate was offered to you instead of the correct one.
> 
> - Version of BlueOnyx? 5207R/5208R or 5209R?
> - Was it the AdmServ SSL certificate (fqdn of the server)?
> - Was it the SSL cert of another Vsite on the same IP?
> - If so, was that the first Vsite on that IP?
> - Does a httpd restart fix it or did you need to enable/disable SSL?

Basically if we manually update an LE certificate on any of the vsites (some don't seem to want to automatically update) then the SSL redirects to the AdmServ SSL.
Toggling the SSL cert off and on doesn't work but killing all apache and restarting apache seems to solve it.
5208R - fully up to date.

This is the same server where an apache update kills the Open Basedir settings. You are aware of this. 😊

Thoughts?

Colin
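
Added example, not part of the original thread and not BlueOnyx code: a Python helper for the diagnostic checklist quoted above, which reads the certificate a server presents for a given SNI name and reports whether it belongs to the requested Vsite, to AdmServ, or to another Vsite on the same IP. All hostnames, the sample certificate and the function names are constructed assumptions; the Vsite list is assumed to be supplied in VirtualHost order.

```python
import socket
import ssl

# Constructed sample in ssl.getpeercert() format (hostnames are placeholders).
SAMPLE_CERT = {"subject": ((("commonName", "server1.example.net"),),),
               "subjectAltName": (("DNS", "server1.example.net"),)}

def cert_names(cert):
    """DNS names from a getpeercert() dict: SAN entries, else subject CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def served_names(ip, sni, port=443, timeout=5.0):
    """Names in the certificate the server at `ip` presents for SNI name `sni`.

    The chain is verified but hostname matching is off, so a valid certificate
    for the wrong site is returned rather than rejected. An untrusted chain
    (for instance a self-signed certificate) raises ssl.SSLCertVerificationError.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return cert_names(tls.getpeercert())

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def classify(requested, names, admserv_fqdn, vsites_on_ip):
    """Answer the checklist: whose certificate was offered for `requested`?"""
    def covers(host):
        return any(name_matches(n, host) for n in names)
    if covers(requested):
        return "ok"
    if covers(admserv_fqdn):
        return "admserv"
    for index, site in enumerate(vsites_on_ip):
        if covers(site):
            return "first-vsite" if index == 0 else "other-vsite"
    return "unknown"

if __name__ == "__main__":
    print(classify("siteb.example.com", cert_names(SAMPLE_CERT),
                   "server1.example.net", ["sitea.example.com", "siteb.example.com"]))
```

On a live server, pass the output of `served_names(ip, vsite)` as `names` for each Vsite on the IP, once before and once after the httpd restart, to see which of the checklist cases applies.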




