[BlueOnyx:21787] Re: Strange SSL Error

Michael Stauber mstauber at blueonyx.it
Thu Mar 1 14:12:05 -05 2018


Hi Michael,

> On all my servers recently I have had a problem where all the SSL sites
> will stop working. They seem to be redirecting to another site on the
> server but the user just gets an invalid certificate error.
> 
> I tried restarting but that did not work. I have to click into each
> site, go to the Web settings and click save. Then that site works. This
> must be done for all sites. Has anyone else seen this? Any ideas how to
> fix it?

I received reports about this from another client a few days ago and we
looked into it together. We weren't really certain what caused it and
bit by bit we checked off what could have caused it.

We're falling into one of the culprits of SNI when we have multiple
Vsites with SSL on the same IP. If SSL is not working for site B, we get
shown the SSL certificate of site A instead, causing the certificate
mismatch.

The underlying problem appears to be related to automated LE-cert
renewals. Meaning: The problem usually only starts to manifest itself
after an auto-renewal of an LE cert.

When we checked the certs were OK, the paths to the certs in the siteX
VirtualHost containers were correct, yet toggling SSL off and back on
for the Vsite in question seemed to solve the issue, whereas an Apache
restart sometimes did not solve it.

I published a set of YUM updates for 5207R/5208R/5209R this morning
which ties into base-apache and base-ssl to improve SSL handling. You
may not yet have these.

I'm not saying these updates fix the problem altogether, as the exact
cause is still a bit muddy. But it should help.

If it happens to you, please do the following to help with the
diagnostics. Check *which* SSL certificate was offered to you instead of
the correct one.

- Version of BlueOnyx? 5207R/5208R or 5209R?
- Was it the AdmServ SSL certificate (fqdn of the server)?
- Was it the SSL cert of another Vsite on the same IP?
- If so, was that the first Vsite on that IP?
- Does a httpd restart fix it or did you need to enable/disable SSL?

You can also go to one of the two URLs below and scan the faulty domain
to get more info about the certificate that was shown:

https://sslanalyzer.comodoca.com/
https://www.ssllabs.com/ssltest/index.html

Then pass that information to me either here or by email or support
ticket.

-- 
With best regards

Michael Stauber
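As an added diagnostic example (not part of the post above, and not BlueOnyx's own tooling), the following POSIX shell script does by hand what the post asks for: it connects to the server with SNI set to the Vsite's name, pulls the names out of the certificate that was actually presented, and classifies the result as the correct certificate, the AdmServ certificate (the server FQDN), or some other Vsite's certificate. It assumes an `openssl` CLI on the PATH and Apache answering on port 443; the hostnames vsiteA.example.com and server.example.com used in the comments are placeholders.

```shell
#!/bin/sh
# check_sni_cert.sh - which certificate does Apache actually present for a Vsite?
#
# Usage: sh check_sni_cert.sh <vsite fqdn> <server fqdn> [ip]
#   <vsite fqdn>  the Vsite whose SSL is "broken" (sent as the SNI name)
#   <server fqdn> the server's own hostname, i.e. the AdmServ certificate's CN
#   [ip]          address to connect to (defaults to the Vsite fqdn)
# Hostnames used as examples (vsiteA.example.com, server.example.com) are placeholders.

# Reduce `openssl x509 -noout -subject -text` output (read from stdin) to the DNS
# names the certificate covers: the subject CN plus every DNS: entry of the
# subjectAltName extension, one per line, duplicates removed. Handles both the
# OpenSSL 1.0.x "subject= /C=../CN=x" and the 1.1.x "subject=C = .., CN = x" forms.
cert_dns_names() {
    awk '
        function emit(n) { if (!(n in seen)) { seen[n] = 1; print n } }
        /^subject=/ {
            if (match($0, "CN *= *[^,/]+")) {
                cn = substr($0, RSTART, RLENGTH)
                sub(/^CN *= */, "", cn)
                sub(/ *$/, "", cn)
                emit(cn)
            }
        }
        /Subject Alternative Name/ {
            getline
            cnt = split($0, a, ",")
            for (i = 1; i <= cnt; i++) {
                s = a[i]
                if (sub(/^ *DNS:/, "", s)) emit(s)
            }
        }
    '
}

# Does certificate name $1 (exact, or a one-label wildcard like *.example.com)
# cover hostname $2? Comparison is case-sensitive; lower-case inputs first.
name_matches() {
    case "$1" in
        \*.*)
            suffix="${1#??}"                    # "*.example.com" -> "example.com"
            [ "$2" != "${2#*.}" ] && [ "${2#*.}" = "$suffix" ] ;;
        *)
            [ "$1" = "$2" ] ;;
    esac
}

# Read the presented names (one per line, as printed by cert_dns_names) and
# report what the server handed out. $1 = expected Vsite fqdn, $2 = server fqdn.
#   OK           the certificate covers the Vsite: SSL is fine for this name
#   ADMSERV      the server's own (AdmServ) certificate was served instead
#   OTHER-VSITE  a different certificate was served (the SNI fallback to another Vsite)
#   NO-CERT      nothing was presented (connection or handshake failure)
classify_cert() {
    expected="$1"; server_fqdn="$2"
    result="NO-CERT"
    while IFS= read -r name; do
        [ -z "$name" ] && continue
        if name_matches "$name" "$expected"; then
            result="OK"; break
        elif name_matches "$name" "$server_fqdn"; then
            result="ADMSERV"
        elif [ "$result" = "NO-CERT" ]; then
            result="OTHER-VSITE"
        fi
    done
    echo "$result"
}

# Fetch the leaf certificate presented for SNI=$1 at $3:443 and classify it.
main() {
    vsite="$1"; server="$2"; ip="${3:-$1}"
    names=$(openssl s_client -connect "$ip:443" -servername "$vsite" </dev/null 2>/dev/null \
            | openssl x509 -noout -subject -text 2>/dev/null | cert_dns_names)
    echo "Certificate presented for SNI=$vsite at $ip covers:"
    printf '%s\n' "$names" | sed 's/^/  /'
    printf '%s\n' "$names" | classify_cert "$vsite" "$server"
}

# Run only when given arguments, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

Run it once for the broken Vsite and once for the first Vsite on the same IP (the `[ip]` argument lets you point both at the shared address); if the broken one reports OTHER-VSITE and the names it lists are the first Vsite's, that is the SNI fallback described above, and the result answers the "which certificate was offered" question before and after an httpd restart or an SSL toggle. The SSL Labs and Comodo scanners do the same `-servername` handshake, just with a nicer report.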


