[BlueOnyx:21791] Re: Strange SSL Error

Richard Morgan :: Morgan Web richard at morgan-web.co.uk
Fri Mar 2 06:14:40 -05 2018


I have found the reason and a solution to this problem:

The list of vsites is missing from the end of /etc/httpd/conf/httpd.conf but
replacing them still doesn't fix the problem.

I had to add both mod_perl and mod_ssl to the httpd.conf list of
LoadModules, although I'm certain this could be done by changing the load
order.

So to summarise:

Edited httpd.conf, added below the list of modules:

LoadModule perl_module modules/mod_perl.so
LoadModule ssl_module modules/mod_ssl.so

Appended the conf.d and vhost includes to the end of the file (using a
directory list in /etc/httpd/conf/vhosts for the number range):

Include conf.d/*.conf
Include /etc/httpd/conf/vhosts/site1
Include /etc/httpd/conf/vhosts/site2
Include /etc/httpd/conf/vhosts/site3
Include /etc/httpd/conf/vhosts/site4
Include /etc/httpd/conf/vhosts/site5
Include /etc/httpd/conf/vhosts/site6
Include /etc/httpd/conf/vhosts/site7
Include /etc/httpd/conf/vhosts/site8
Include /etc/httpd/conf/vhosts/site9
Include /etc/httpd/conf/vhosts/site10
Include /etc/httpd/conf/vhosts/site11
Include /etc/httpd/conf/vhosts/preview

If a fix is rolled out via YUM, can the fact that these files have been
manually edited to get httpd running again be taken into consideration?
Otherwise more downtime may occur.



-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
Richard Morgan :: Morgan Web
Sent: 02 March 2018 10:12
To: 'BlueOnyx General Mailing List'
Subject: [BlueOnyx:21789] Re: Strange SSL Error

Hi

This morning I've been greeted with httpd failing. When I try and start
httpd I get the following message:

# service httpd start
Starting httpd: Syntax error on line 998 of /etc/httpd/conf/httpd.conf:
Invalid command 'PerlConfigRequire', perhaps misspelled or defined by a
module not included in the server configuration [FAILED]

Looking at /var/log/yum.log shows updates to apache at 06:02 this morning so
I believe it to be related to the changes for the SSL/SNI problems that were
addressed recently.

I have tried disabling SSL and re-enabling it. We're not using Let's Encrypt
for the sites.

Is anyone else experiencing this problem, and does anyone know of a fix? It
would be appreciated as the server is offline.

Thanks, Richard

-----Original Message-----
From: Blueonyx [mailto:blueonyx-bounces at mail.blueonyx.it] On Behalf Of
Michael Stauber
Sent: 01 March 2018 19:12
To: blueonyx at mail.blueonyx.it
Subject: [BlueOnyx:21787] Re: Strange SSL Error

Hi Michael,

> On all my servers recently I have had a problem where all the SSL 
> sites will stop working. They seem to be redirecting to another site 
> on the server but the user just gets an invalid certificate error.
> 
> I tried restarting but that did not work. I have to click into each 
> site, go to the Web settings and click save. Then that site works.
> This must be done for all sites. Has anyone else seen this? Any ideas 
> how to fix it?

I received reports about this from another client a few days ago and we
looked into it together. We weren't really certain what caused it and bit by
bit we checked off what could have caused it.

We're falling into one of the culprits of SNI when we have multiple Vsites
with SSL on the same IP. If SSL is not working for site B, we get shown the
SSL certificate of site A instead, causing the certificate mismatch.

The underlying problem appears to be related to automated LE-cert renewals.
Meaning: The problem usually only starts to manifest itself after an
auto-renewal of an LE cert.

When we checked, the certs were OK and the paths to the certs in the siteX
VirtualHost containers were correct, yet toggling SSL off and back on for
the Vsite in question seemed to solve the issue, whereas an Apache restart
sometimes did not solve it.

I published a set of YUM updates for 5207R/5208R/5209R this morning which
tie into base-apache and base-ssl to improve SSL handling. You may not yet
have these.

I'm not saying these updates fix the problem altogether, as the exact cause
is still a bit muddy. But it should help.

If it happens to you, please do the following to help with the diagnostics.
Check *which* SSL certificate was offered to you instead of the correct one.

- Version of BlueOnyx? 5207R/5208R or 5209R?
- Was it the AdmServ SSL certificate (fqdn of the server)?
- Was it the SSL cert of another Vsite on the same IP?
- If so, was that the first Vsite on that IP?
- Does a httpd restart fix it or did you need to enable/disable SSL?

You can also go to one of the two URLs below and scan the faulty domain to
get more info about the certificate that was shown:

https://sslanalyzer.comodoca.com/
https://www.ssllabs.com/ssltest/index.html

Then pass that information to me either here or by email or support
ticket.

--
With best regards

Michael Stauber
_______________________________________________
Blueonyx mailing list
Blueonyx at mail.blueonyx.it
http://mail.blueonyx.it/mailman/listinfo/blueonyx
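
Added example, not part of the original thread or of BlueOnyx: one way to collect the diagnostics requested above, by asking for each Vsite name via SNI and classifying the certificate that comes back. It assumes `openssl` 1.1.1 or later (for `x509 -ext`) and that the first Vsite name passed is the first Vsite on that IP; the function names, hostnames and IP are hypothetical.

```sh
#!/bin/sh
# Added example; hostnames and IP in the usage line are constructed.
# Usage: sh sni-check.sh 192.0.2.10 admserv.example.com site-a.example.com site-b.example.com

# served_names IP HOST: CN and SAN DNS names of the cert served for SNI name HOST.
served_names() {
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null |
        openssl x509 -noout -subject -nameopt RFC2253 -ext subjectAltName 2>/dev/null |
        tr ', ' '\n\n' | sed -n -e 's/^DNS://p' -e 's/^subject=CN=//p' |
        tr 'A-Z' 'a-z' | sort -u
}

# name_matches PATTERN HOST: exact match, or a one-label wildcard (*.example.com).
name_matches() {
    case "$1" in
        "$2") return 0 ;;
        \*.*) [ "${2#*.}" != "$2" ] && [ "${2#*.}" = "${1#\*.}" ] ;;
        *) return 1 ;;
    esac
}

# classify HOST ADMSERV_FQDN FIRST_VSITE NAME...: map the served names onto the
# questions in the thread (right cert, AdmServ cert, first Vsite, something else).
classify() {
    want=$1 adm=$2 first=$3; shift 3
    if [ "$#" -eq 0 ]; then echo "no-certificate"; return 0; fi
    for n in "$@"; do if name_matches "$n" "$want"; then echo "ok"; return 0; fi; done
    for n in "$@"; do if name_matches "$n" "$adm"; then echo "mismatch:admserv"; return 0; fi; done
    for n in "$@"; do if name_matches "$n" "$first"; then echo "mismatch:first-vsite"; return 0; fi; done
    echo "mismatch:other"
}

# scan IP ADMSERV_FQDN VSITE...: the first VSITE listed is assumed to be the
# first Vsite on that IP.
scan() {
    ip=$1 admserv=$2; shift 2
    first_vsite=$1
    set -f  # keep wildcard names such as *.example.com from being globbed
    for host in "$@"; do
        # Word splitting of the served name list is intended here.
        result=$(classify "$host" "$admserv" "$first_vsite" $(served_names "$ip" "$host"))
        printf '%s\t%s\n' "$host" "$result"
    done
    set +f
}

if [ "$#" -ge 3 ]; then scan "$@"; fi
```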
