By: damir

SSL Inconsistent server configuration

January 22, 2017 1.1k views
Nginx Ubuntu 16.04

Hi,

I have a Droplet with several domains with SSL and everything works fine when I visit all my sites. Everything is green and beautiful and no errors at all.

So, I tested one of my sites with SSLabs and found out that I have an inconsistent server configuration.

I tested my site https://www.webkreativ.hr and found out here that Certificate #2 is from my other website on the server.

I checked and double checked all the certificates for webkreativ.hr and there is no link or anything to the other certificate that is supposed to be on the other website.

Has anyone had this issue before? I cannot figure out why the Cert #2 is from my other website.

Best regards.

3 Answers

You need to delete the balkanmat.se certificate. If the certificates of the 2 domains are in separate files, delete the file which contains balkanmat.se and remove this domain from nginx config.

Otherwise you will need to open the single certificate file (that contains both) with vim/nano and delete the lines where the balkanmat.se one is found and save the file.

To properly identify the certificate in the file, you can use https://www.sslshopper.com/certificate-decoder.html

All certificates have a start header and an end header (and if the same files contains more than 1, the headers are repeated for each).

Hope this helps!

  • Hi,

    I have tested all certificates with the decoder and everything is fine. I did not see anything strange.

    Now, I disabled my site balkanmat.se and restarted NGINX and now the Cert #2 points to my website of damircalusic.com, here is the result.

    I don't get it... I looked into the folder settings and it seems that the Cert #2 chain is going in alphabetical order, where the balkanmat.se site was first and now it is damircalusic.com.

    Now this must have something to do with my settings in the NGINX config.
    Do you have a clue on what it can be?

    This is my NGINX config:

    user www-data;
    worker_processes 4;
    pid /run/nginx.pid;
    
    events {
        worker_connections 1024;
        # multi_accept on;
    }
    
    http {
    
        ##
        # Basic Settings
        ##
    
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
    
        keepalive_timeout 70;
        types_hash_max_size 2048;
    
        fastcgi_read_timeout 300;
    
        client_body_buffer_size 10K;
        client_header_buffer_size 1K;
        client_max_body_size 8m;
    
        large_client_header_buffers 4 16K;
        client_body_timeout 12;
        client_header_timeout 12;
    
        send_timeout 10;
        server_tokens off;
    
        server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
    
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        charset_types text/xml text/plain text/vnd.wap.wml application/x-javascript application/rss+xml text/css application/javascript application/json;
    
        ##
        # Logging Settings
        ##
    
        log_format main '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;
    
        ##
        # Gzip Settings
        ##
    
        gzip on;
        gzip_disable "msie6";
        gzip_comp_level 2;
        gzip_vary on;
        gzip_min_length 256;
        gzip_proxied expired no-cache no-store private auth;
        #gzip_buffers 16 8k;
        gzip_types application/atom+xml application/javascript application/json application/rss+xml application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/svg+xml image/x-icon text/css text/plain text/x-component;
    
        ##
        # nginx-naxsi config
        ##
        # Uncomment it if you installed nginx-naxsi
        ##
    
        #include /etc/nginx/naxsi_core.rules;
    
        ##
        # nginx-passenger config
        ##
        # Uncomment it if you installed nginx-passenger
        ##
    
        #passenger_root /usr;
        #passenger_ruby /usr/bin/ruby;
    
        ##
        # Virtual Host Configs
        ##
    
        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
    
        ##
        # SSL Configs
        ##
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 180m;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_dhparam /etc/nginx/pem/dhparams.pem;
        ssl_ciphers "ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5";
        resolver 8.8.8.8 8.8.4.4;
    }
    
    

You must create separate certificate files for each vhost (each site in sites-enabled/available), you can't just have 1 ssl for all, you may instead use the same key, but you need 1 .crt for each (otherwise you get this mismatch error)

So, a balkanmatse.crt, a webkreativhr.crt and so on for each site you want to host. Good luck!

  • That's the thing, I do have a unique SSL file for each domain on the droplet as you described.
    Maybe I need to put the global SSL config in every single vhost config file?

    • No, but you should have an ssl_certificate and ssl_certificate_key set in each.

      Also, make sure that none of the separate certificates file contain certificates for other domains (by mistake).

      • I have checked all certificate files and all of them are correct.

        This is my config file for each single domain. The ssl_certificate, ssl_certificate_key and trustchain are unique to every single domain.

        ##
        # You should look at the following URL's in order to grasp a solid understanding
        # of Nginx configuration files in order to fully unleash the power of Nginx.
        # http://wiki.nginx.org/Pitfalls
        # http://wiki.nginx.org/QuickStart
        # http://wiki.nginx.org/Configuration
        ##
        
        limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
        
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name website website;
        
            return 301 https://www.website$request_uri;
        }
        
        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name website;
        
            ssl_certificate /etc/nginx/ssl/website/ssl-bundle.crt;
            ssl_certificate_key /etc/nginx/ssl/website/website.key;
            ssl_trusted_certificate /etc/nginx/ssl/website/trustchain.crt;
        
            add_header Strict-Transport-Security "max-age=31536000" always;
        
            return 301 https://www.website$request_uri;
        }
        
        server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2;
            server_name website;
        
            root /var/www/website/html;
            index index.php index.html index.htm;
        
            ssl_certificate /etc/nginx/ssl/website/ssl-bundle.crt;
            ssl_certificate_key /etc/nginx/ssl/website/website.key;
            ssl_trusted_certificate /etc/nginx/ssl/website/trustchain.crt;
        
            add_header Strict-Transport-Security "max-age=31536000" always;
        
            error_page 403 /error/403.html;
            error_page 404 /error/404.html;
        
            include /etc/nginx/general.top;
        
            location / {
                limit_req zone=one burst=10 nodelay;
                try_files $uri $uri/ /index.php?$args;
            }
        
            rewrite /wp-admin$ $scheme://$host$uri/ permanent;
        
            location ~ \.php$ {
                fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        
                if (!-f $document_root$fastcgi_script_name) {
                    return 404;
                }
        
                fastcgi_pass unix:/run/php/php7.0-fpm.sock;
                fastcgi_index index.php;
                include fastcgi_params;
            }
        
            include /etc/nginx/general.bottom;
        
            location = /error/403.html {
                root /var/www/website/html;
                allow all;
            }
        
            location = /error/404.html {
                root /var/www/website/html;
                allow all;
            }
        }
        
        • Try removing http2 from the listen of all servers.

          Also, I noticed you have ssl_certificate /etc/nginx/ssl/website/ssl-bundle.crt, this means one common SSL certificate, you must separate the common bundle into multiple separate .crt files.

          If you have a vhost "apple" and one "orange", apple will have /etc/nginx/website/apple.crt and orange /etc/nginx/website/orange.crt

          Also if you plan to host Wordpress sites, it would be best to isolate the wordpress instances (to avoid making a big mistake that could result in a lot of data loss) in separate docker containers or even droplets.

          • I have removed http2 from the listen and renamed the .crt files to the specific domain name and still the problem persists... This is really insane...

            I do not get it... It is driving me crazy... On the good side I have fixed my grade from A to A+ with IP4 and from nothing to A+ with IP6 haha lol.

            I will look into docker containers, my friend said the same as you did.

            But, the Cert 2 issue is really getting on my nerves, maybe I need some containers to solve this?

Containers would only fix a security issue with multiple wordpress installs. I am not sure how this issue can still happen if the certificates have been separated into files and each file contains only one BEGIN header and one END header.
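Added example, not code from the thread or from nginx: the behaviour described above (the no-SNI certificate following the alphabetical order of sites-enabled, and the posted vhost config carrying default_server only on the port 80 listens) is exactly what nginx's default-server rule predicts. SSL Labs makes one handshake with SNI and one without, and "Certificate #2" is what the non-SNI handshake got back. The script below models that rule over three constructed site files; the file names and certificate paths are assumptions, the blocks are kept flat (no nested location), and wildcard/regex server_name forms and per-address (IPv4 vs IPv6) defaults are deliberately not modelled.

```python
"""Which certificate nginx presents when the client sends no SNI.

nginx answers with the certificate of the server block whose server_name
matches the SNI name; with no SNI (or an unknown name) it uses the default
server for that port: the block whose listen says `default_server`, else the
first block for that port in config order. `include sites-enabled/*;` reads
files alphabetically, which is why the "Certificate #2" site moves around.
"""
import re

# Constructed sample site files; domain names are the thread's, paths are assumed.
SITES = {
    "balkanmat.se": """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name balkanmat.se www.balkanmat.se;
    ssl_certificate /etc/nginx/ssl/balkanmat.se/balkanmat.se.crt;
}
""",
    "damircalusic.com": """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name damircalusic.com www.damircalusic.com;
    ssl_certificate /etc/nginx/ssl/damircalusic.com/damircalusic.com.crt;
}
""",
    "webkreativ.hr": """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name webkreativ.hr www.webkreativ.hr;
    ssl_certificate /etc/nginx/ssl/webkreativ.hr/webkreativ.hr.crt;
}
""",
}

SERVER_RE = re.compile(r"server\s*\{(.*?)\n\}", re.S)  # flat blocks only (no nested location)
LISTEN_RE = re.compile(r"\blisten\s+([^;]+);")
NAME_RE = re.compile(r"\bserver_name\s+([^;]+);")
CERT_RE = re.compile(r"\bssl_certificate\s+([^;]+);")  # does not match ssl_certificate_key


def listen_port(listen):
    """'443 ssl http2' -> 443, '[::]:443 ssl' -> 443."""
    return int(listen.split()[0].rsplit(":", 1)[-1])


def load_servers(sites):
    """Server blocks in the order nginx reads them: files sorted by name, then file order."""
    servers = []
    for fname in sorted(sites):
        for block in SERVER_RE.finditer(sites[fname]):
            body = block.group(1)
            names, cert = NAME_RE.search(body), CERT_RE.search(body)
            servers.append({
                "file": fname,
                "listens": [l.strip() for l in LISTEN_RE.findall(body)],
                "names": names.group(1).split() if names else [],
                "cert": cert.group(1).strip() if cert else None,
            })
    return servers


def on_port(server, port):
    return [l for l in server["listens"] if listen_port(l) == port]


def default_server(servers, port):
    """An explicit default_server wins; otherwise the first block read for the port."""
    candidates = [s for s in servers if on_port(s, port)]
    for s in candidates:
        if any("default_server" in l.split() for l in on_port(s, port)):
            return s
    return candidates[0] if candidates else None


def served_certificate(servers, port, sni=None):
    """Exact server_name match for the SNI name, else the default server's certificate.
    Wildcard/regex names and per-address (IPv4 vs IPv6) defaults are not modelled."""
    if sni:
        for s in servers:
            if on_port(s, port) and sni in s["names"]:
                return s["cert"]
    chosen = default_server(servers, port)
    return chosen["cert"] if chosen else None


def mark_default(sites, fname):
    """Copy of `sites` with default_server added to every 443 listen in `fname`."""
    fixed = dict(sites)
    fixed[fname] = re.sub(r"(listen\s+(?:\S+:)?443\b[^;]*);", r"\1 default_server;", sites[fname])
    return fixed


if __name__ == "__main__":
    servers = load_servers(SITES)
    print("SNI www.webkreativ.hr:", served_certificate(servers, 443, "www.webkreativ.hr"))
    print("no SNI:               ", served_certificate(servers, 443))
    print("no SNI, balkanmat.se disabled:",
          served_certificate(load_servers({k: v for k, v in SITES.items() if k != "balkanmat.se"}), 443))
    print("no SNI, webkreativ.hr default_server:",
          served_certificate(load_servers(mark_default(SITES, "webkreativ.hr")), 443))
```

Run it and it reports the webkreativ.hr certificate for a client that sends SNI, the balkanmat.se certificate for one that does not, the shift to damircalusic.com once balkanmat.se is removed (the thread's observation), and the webkreativ.hr certificate for non-SNI clients once its 443 listens carry default_server. Against a live host the same two handshakes are `openssl s_client -connect host:443` (no SNI) and `openssl s_client -connect host:443 -servername host`. Only one site per address:port can be the default, so on a shared IP the other sites will still hand the default site's certificate to non-SNI clients; a dedicated catch-all block marked default_server with `ssl_reject_handshake on;` (nginx 1.19.4 and later) is the usual way to stop serving any site's certificate to such clients, at the cost of refusing the few clients that do not send SNI.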
