[BlueOnyx:21788] Re: Strange SSL Error

Michael Aronoff maronoff at gmail.com
Thu Mar 1 16:02:47 -05 2018


Michael wrote:
> If it happens to you, please do the following to help with the
> diagnostics.
> Check *which* SSL certificate was offered to you instead of the correct
> one.

It was offering the SSL certificate from another site on the server. This
made me think it was a problem with how something wrote the vhost conf
files.

> - Version of BlueOnyx? 5207R/5208R or 5209R?
All servers are 5209 in my case.

> - Was it the AdmServ SSL certificate (fqdn of the server)?
No, it was another site on the server.

> - Was it the SSL cert of another Vsite on the same IP?
Yes

> - If so, was that the first Vsite on that IP?
Yes

> - Does a httpd restart fix it or did you need to enable/disable SSL?
No, a restart of HTTPD did not fix it. I had to manually go to each site and
toggle a setting so the vhost was rewritten. In my case I changed PHP and
clicked save. I did not turn off SSL.

The steps I made appear to fix it but now I have a whole other set of
problems since the update and what I did this morning. Now some sites work
fine but some cannot access MySQL (MariaDB). Sites on the same IP with the
same settings respond differently. I will go submit a help ticket with
non-public details.

______________________________
M Aronoff Out – maronoff at gmail.com 

I'm a great believer in luck, and I find the harder I work the more I have
of it.
  - Thomas Jefferson

-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
Michael Stauber
Sent: Thursday, March 1, 2018 11:12 AM
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:21787] Re: Strange SSL Error

Hi Michael,

> On all my servers recently I have had a problem where all the SSL 
> sites will stop working. They seem to be redirecting to another site 
> on the server but the user just gets an invalid certificate error.
> 
> I tried restarting but that did not work. I have to click into each 
> site, go to the Web settings and click save. Then that site works. 
> This must be done for all sites. Has anyone else seen this? Any ideas 
> how to fix it?

I received reports about this from another client a few days ago and we
looked into it together. We weren't really certain what caused it and bit by
bit we checked off what could have caused it.

We're falling into one of the culprits of SNI when we have multiple Vsites
with SSL on the same IP. If SSL is not working for site B, we get shown the
SSL certificate of site A instead, causing the certificate mismatch.

The underlying problem appears to be related to automated LE-cert renewals.
Meaning: The problem usually only starts to manifest itself after an
auto-renewal of an LE cert.

When we checked, the certs were OK, the paths to the certs in the siteX
VirtualHost containers were correct, yet toggling SSL off and back on for
the Vsite in question seemed to solve the issue, whereas an Apache restart
did sometimes not solve it.

I published a set of YUM updates for 5207R/5208R/5209R this morning which
ties into base-apache and base-ssl to improve SSL handling. You may not yet
have these.

I'm not saying these updates fix the problem altogether, as the exact cause
is still a bit muddy. But it should help.

If it happens to you, please do the following to help with the diagnostics.
Check *which* SSL certificate was offered to you instead of the correct one.

- Version of BlueOnyx? 5207R/5208R or 5209R?
- Was it the AdmServ SSL certificate (fqdn of the server)?
- Was it the SSL cert of another Vsite on the same IP?
- If so, was that the first Vsite on that IP?
- Does a httpd restart fix it or did you need to enable/disable SSL?

You can also go to one of the two URLs below and scan the faulty domain to
get more info about the certificate that was shown:

https://sslanalyzer.comodoca.com/
https://www.ssllabs.com/ssltest/index.html

Then pass that information to me either here or by email or support
ticket.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
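The diagnostic checklist in this thread (which certificate was served instead of the correct one) can be answered with a short script. This is an added example, not part of the original thread or of BlueOnyx; the function names, the `.example` host names and the sample certificate are constructed, and the ordered list of Vsites on the IP is assumed to be supplied by the admin.

```python
import socket
import ssl

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_SITE_A_CERT = {
    "subject": ((("commonName", "site-a.example"),),),
    "subjectAltName": (("DNS", "site-a.example"), ("DNS", "www.site-a.example")),
}

def cert_names(cert):
    """DNS names from the SAN list, falling back to the subject CN."""
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, host):
    """Exact match, or one left-most wildcard label (*.example.com)."""
    host = host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def classify(requested, cert, server_fqdn, vsites_on_ip):
    """Say whose certificate was served when `requested` was the SNI name.

    vsites_on_ip: host names of the other Vsites on that IP, first Vsite
    first (supplied by the admin; an assumption of this example).
    """
    names = cert_names(cert)
    def covers(host):
        return any(name_matches(p, host) for p in names)
    if covers(requested):
        return "correct"
    if covers(server_fqdn):
        return "admserv"
    for index, site in enumerate(vsites_on_ip):
        if covers(site):
            return "first-vsite" if index == 0 else "other-vsite"
    return "unknown"

def fetch_cert(ip, sni_name, port=443, timeout=5):
    """Fetch the cert presented for sni_name (needs network access)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # keep the handshake alive on a name mismatch
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()
```

`fetch_cert` still validates the chain, so a self-signed certificate raises `ssl.SSLCertVerificationError` instead of returning a dict. Run `classify(name, fetch_cert(ip, name), fqdn, vsites)` for every SSL Vsite on the IP to see which ones fall back to another site's certificate.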




