We had to replace a certificate for a virtual site and now the website is being misdirected. The site certificate for rcs.consulting has been replaced but the site is redirected to cremationsociet.com. However, sslshopper.com lists the correct certificate, as follows:

These results were cached from July 9, 2020, 6:09 am PST to conserve server resources. If you are diagnosing a certificate installation problem, you can get uncached results by clicking here.

rcs.consulting resolves to 71.181.6.216
Server Type: Apache/2.4.29 (Ubuntu)
The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).
The certificate was issued by Sectigo.
The certificate will expire in 823 days.
The hostname (rcs.consulting) is correctly listed in the certificate.

Common name: rcs.consulting
SANs: rcs.consulting, www.rcs.consulting
Valid from July 8, 2020 to October 10, 2022
Serial Number: cdfe3fd56c0caaec83e73a579cc5944d
Signature Algorithm: sha256WithRSAEncryption
Issuer: Sectigo RSA Domain Validation Secure Server CA

Common name: Sectigo RSA Domain Validation Secure Server CA
Organization: Sectigo Limited
Location: Salford, Greater Manchester, GB
Valid from November 1, 2018 to December 31, 2030
Serial Number: 7d5b5126b476ba11db74160bbc530da7
Signature Algorithm: sha384WithRSAEncryption
Issuer: USERTrust RSA Certification Authority

Common name: USERTrust RSA Certification Authority
Organization: The USERTRUST Network
Location: Jersey City, New Jersey, US
Valid from March 11, 2019 to December 31, 2028
Serial Number: 3972443af922b751d7d36c10dd313595
Signature Algorithm: sha384WithRSAEncryption
Issuer: AAA Certificate Services

Common name: AAA Certificate Services
Organization: Comodo CA Limited
Location: Salford, Greater Manchester, GB
Valid from December 31, 2003 to December 31, 2028
Serial Number: 1 (0x1)
Signature Algorithm: sha1WithRSAEncryption
Issuer: AAA Certificate Services

Not sure what has the site being misdirected if the cert is correct. The site was working fine with the old certificate and the problem appeared as soon as the certificate was replaced. Any help would be greatly appreciated.
check what files/symlinks exist in /var/www/rcs.consulting/ssl and check the contents of the files match those of the new certificate. also check in /etc/apache2/sites-available that the modified date/time for rcs.consulting.vhost matches the change of certificate. check the contents of that file, there should be a section starting with: <VirtualHost *:80> and ending with: </VirtualHost> and after that there should be another section starting with: <VirtualHost *:443> this one is your SSL vhost. if it doesn't exist, then no certificate is currently being applied to that site, so apache will load the first site it finds alphabetically with a valid certificate. otherwise check the SSL certificate paths and filenames specified in this section point to the correct folder and files. also check if a rcs.consulting.vhost.err file exists, if it does, it indicates that there's a problem with that config and it went back to the previous config.
Thanks for your reply. Been through all of that and just double-checked it again. Everything looks OK, as far as I can see. No .err file, timestamp is consistent with loading the certs, .crt, .key and .crt all exist in /ssl. The correct cert is indicated when using sslshopper.com to verify.
Do you have www.rcs.consulting also included in that certificate? Is there a subdomain www.rcs.consulting? Any redirect to www in place?
was the rcs.consulting site actually created in ispconfig or manually? and if in ispconfig, was it created with the www subdomain, wildcard subdomain, or none? also, if it was created in ispconfig, check the website settings, is the ip for the site set as * or an actual ip? if an actual ip, does it match the one the dns resolves to? make sure that you don't have a mixture of sites with some using * and some using an ip. not sure the website's created right, a wget https://rcs.consulting results in a 301 redirect to www.rcs.consulting which is ok, but if you actually try to browse to http://www.rcs.consulting you get the apache default page, not the ispconfig welcome to your website page, or whatever is on the rcs.consulting page, or even the cremation society of vermont page which i get if i ignore the certificate issue using https.
Thanks to both of you for the reply. Yes to creating in ispconfig. Includes www sub-domain in cert and ISPConfig. All was working fine until the cert had to be installed because it was due for renewal. Same cert provider, no config changes. The www redirect was working fine. All sites should be using * (as it's the default in ISPConfig, I believe). Too many to check each of them.
The point is, if you have one set to www.rcs.consulting's ip address, but www.rcs.consulting is using '*', you will have a problem; you really should take the time to check. While you're at it, you might ensure that rcs.consulting's autosubdomain setting is actually set to 'www'. 'apachectl -S' will show your virtualhost config in an easy-to-scan fashion.
regardless of the certificate issue, there must be something wrong with the vhost configuration, either for rcs.consulting config itself, or a config error on another which will affect the whole server, such as the mixed usage of ip's and *. if as you say, it was working before, and i assume there is an actual CMS or static website with relevant rcs.consulting content there, then accessing the http version of www.rcs.consulting should not be displaying the apache default page, that can only happen if the rcs.consulting port 80 virtualhost configuration is wrong, or can't be found.
also, in regards to having too many sites to check all the configs, that isn't a problem. the following mysql command, run against the master dbispconfig database will list all vhosts in order, along with their ip settings.

Code:
select domain, ip_address, ipv6_address from web_domain where type like 'vhost%' order by domain;

it could be limited further by querying where the ip_address is not equal to "*", but this should be enough, shouldn't take long to scan through that result list.
Thanks again. The command indicated all sites are listed with "*" and none with an IP. I also checked several sites and they are coming up without issue. The site was created through ISPConfig CP and is running WordPress CMS. Again, until the cert was replaced, everything was fine. I've gone through the .vhost file and cannot see any issues, although I'm certainly not that familiar with the config files.
The original index.html had been renamed so that the WP site files would load. I just removed the ssl tick from ISPConfig, renamed the index.html back to its original name and the default Apache page loads under http://rcs.consulting which is redirected to www.rcs.consulting. With the index.html renamed to index.html.bk again, and with the ssl tick still removed, the address bar indicates www.rcs.consulting but the Cremation Society site is returned. So, my guess is that it isn't a cert issue but I have no idea where to go with this. I tried running a sync in ISPConfig (long shot) but that didn't help.
what is actually on www.rcs.consulting? is it a cms like wordpress? a static hard-coded site? i would suggest now, posting screenshots of the website settings, primarily the domain and redirect tabs, as well as any custom php.ini or apache directives if applied, as well as the contents of the .htaccess file if it exists, and the entire rcs.consulting.vhost file.
As mentioned previously, Wordpress site and all sites are using "*" for an IP addr. To be absolutely clear, the only steps taken at the beginning of June were:

1. Delete the existing certificate through Control Panel, as it was due to expire.
2. Create new CSR through CP.
3. Submit CSR and receive new cert and bundle from CA.
4. Delete the self-signed cert and install new cert and bundle from CA through CP.
5. Test site and found it was directing to another site.
6. Tested cert through sslshopper.com and found cert was fine.

No other changes were made. Nothing to the site files, nothing to php.ini. No redirects on the redirect tab in CP. If changes were made to .vhost, it was as a result of scripts running during the certificate install by ISPConfig.
you can post part of it in one post and the rest in a second post. regardless of that though, that screenshot shows that auto-subdomain is set to none. this is why it's not working. either the www subdomain doesn't exist in a vhost config, you added it manually to the vhost config file, or it exists as a separate vhost. since http://www.rcs.consulting loads the default ubuntu apache welcome page, i'm going to assume it just doesn't exist. set auto-subdomain to www. and you'll find most of your issues will magically disappear like a Trumpian coronavirus. it explains the certificate showing the correct details as well, https://rcs.consulting will be returning the correct cert details to sslshopper.com, it's the redirect to www.rcs.consulting (probably what's set as the host url / home in the wordpress wp_options table) where it can't find the vhost and loads the cremation one, and returns that vhost's cert.
Partial .vhost file (note the www. ServerAlias - not sure why it's not showing in CP - definitely not added by hand. Never touched .vhost file):

<Directory /var/www/rcs.consulting>
    AllowOverride None
    Require all denied
</Directory>

<VirtualHost *:80>
    DocumentRoot /var/www/rcs.consulting/web

    ServerName rcs.consulting
    ServerAlias www.ti-vault.com ti-vault.com
    ServerAlias www.rcsconsulting.com rcsconsulting.com
    ServerAdmin [email protected]

    ErrorLog /var/log/ispconfig/httpd/rcs.consulting/error.log

    Alias /error/ "/var/www/rcs.consulting/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/rcs.consulting/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    # suexec enabled
    <IfModule mod_suexec.c>
        SuexecUserGroup web45 client1
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        FcgidIdleTimeout 300
        FcgidProcessLifeTime 3600
        # FcgidMaxProcesses 1000
        FcgidMaxRequestsPerProcess 5000
        FcgidMinProcessesPerClass 0
        FcgidMaxProcessesPerClass 10
        FcgidConnectTimeout 3
        FcgidIOTimeout 600
        FcgidBusyTimeout 3600
        FcgidMaxRequestLen 1073741824
    </IfModule>
    <Directory /var/www/rcs.consulting/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTP_HOST} ^ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} ^www\.ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web45 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client1/web45/webdav>
            <ifModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </ifModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client1/web45/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>
</VirtualHost>
2nd part of .vhost

<VirtualHost *:443>
    DocumentRoot /var/www/rcs.consulting/web

    ServerName rcs.consulting
    ServerAlias www.ti-vault.com ti-vault.com
    ServerAlias www.rcsconsulting.com rcsconsulting.com
    ServerAdmin [email protected]

    ErrorLog /var/log/ispconfig/httpd/rcs.consulting/error.log

    Alias /error/ "/var/www/rcs.consulting/web/error/"
    ErrorDocument 400 /error/400.html
    ErrorDocument 401 /error/401.html
    ErrorDocument 403 /error/403.html
    ErrorDocument 404 /error/404.html
    ErrorDocument 405 /error/405.html
    ErrorDocument 500 /error/500.html
    ErrorDocument 502 /error/502.html
    ErrorDocument 503 /error/503.html

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        SSLCertificateFile /var/www/clients/client1/web45/ssl/rcs.consulting.crt
        SSLCertificateKeyFile /var/www/clients/client1/web45/ssl/rcs.consulting.key
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </IfModule>

    <Directory /var/www/rcs.consulting/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
        # Clear PHP settings of this website
        <FilesMatch ".+\.ph(p[345]?|t|tml)$">
            SetHandler None
        </FilesMatch>
        Options +SymlinksIfOwnerMatch
        AllowOverride All
        Require all granted
    </Directory>

    # suexec enabled
    <IfModule mod_suexec.c>
        SuexecUserGroup web45 client1
    </IfModule>
    # php as fast-cgi enabled
    # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
    <IfModule mod_fcgid.c>
        FcgidIdleTimeout 300
        FcgidProcessLifeTime 3600
        # FcgidMaxProcesses 1000
        FcgidMaxRequestsPerProcess 5000
        FcgidMinProcessesPerClass 0
        FcgidMaxProcessesPerClass 10
        FcgidConnectTimeout 3
        FcgidIOTimeout 600
        FcgidBusyTimeout 3600
        FcgidMaxRequestLen 1073741824
    </IfModule>
    <Directory /var/www/rcs.consulting/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>
    <Directory /var/www/clients/client1/web45/web>
        <FilesMatch "\.php[345]?$">
            SetHandler fcgid-script
        </FilesMatch>
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php3
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php4
        FCGIWrapper /var/www/php-fcgi-scripts/web45/.php-fcgi-starter .php5
        Options +ExecCGI
        AllowOverride All
        Require all granted
    </Directory>

    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTP_HOST} ^ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]
    RewriteCond %{HTTP_HOST} ^www\.ti-vault\.com$ [NC]
    RewriteRule ^/(.*)$ https://www.rcs.consulting/our-offerings/online-backups/$1 [R=301,L]

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
        AssignUserId web45 client1
    </IfModule>

    <IfModule mod_dav_fs.c>
        # Do not execute PHP files in webdav directory
        <Directory /var/www/clients/client1/web45/webdav>
            <ifModule mod_security2.c>
                SecRuleRemoveById 960015
                SecRuleRemoveById 960032
            </ifModule>
            <FilesMatch "\.ph(p3?|tml)$">
                SetHandler None
            </FilesMatch>
        </Directory>
        DavLockDB /var/www/clients/client1/web45/tmp/DavLock
        # DO NOT REMOVE THE COMMENTS!
        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
        # WEBDAV BEGIN
        # WEBDAV END
    </IfModule>
</VirtualHost>

<IfModule mod_ssl.c>
    SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>
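The gap diagnosed earlier in the thread can be checked mechanically: the certificate's SANs include www.rcs.consulting, but the posted vhost file never names that host. The sketch below is an added example, not part of the original thread or of ISPConfig; the function name is hypothetical and the config sample is constructed from the ServerName/ServerAlias lines of the posted file.

```python
import fnmatch
import re

# Constructed sample: only the name directives of the rcs.consulting.vhost
# file posted above; every other directive is left out.
VHOST_CONF = """
<VirtualHost *:80>
  ServerName rcs.consulting
  ServerAlias www.ti-vault.com ti-vault.com
  ServerAlias www.rcsconsulting.com rcsconsulting.com
</VirtualHost>
<VirtualHost *:443>
  ServerName rcs.consulting
  ServerAlias www.ti-vault.com ti-vault.com
  ServerAlias www.rcsconsulting.com rcsconsulting.com
</VirtualHost>
"""

# SANs that sslshopper.com reported for the new certificate (first post).
CERT_SANS = ["rcs.consulting", "www.rcs.consulting"]

BLOCK_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)


def uncovered_names(conf, hostnames):
    """Return {port: [hostnames that no ServerName/ServerAlias matches]}.

    ServerAlias may contain wildcards, so names are compared with fnmatch.
    A request for an uncovered name is answered by the server's default
    vhost for that address and port, not by this site.
    """
    names_by_port = {}
    for addr, body in BLOCK_RE.findall(conf):
        port = addr.split()[0].rsplit(":", 1)[-1]
        for value in NAME_RE.findall(body):
            names_by_port.setdefault(port, []).extend(value.lower().split())
    return {
        port: [h for h in hostnames
               if not any(fnmatch.fnmatchcase(h.lower(), n) for n in names)]
        for port, names in names_by_port.items()
    }


if __name__ == "__main__":
    for port, gaps in uncovered_names(VHOST_CONF, CERT_SANS).items():
        print(f"port {port}: certificate names without a vhost entry: {gaps}")
```

Both ports report www.rcs.consulting as uncovered, which fits the correct certificate being seen for https://rcs.consulting while the www host lands on another site.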