one more bit of weirdness today - testing ssl on domain.com and www.domain.com

I have people saying they are getting insecure pages and have been trying to get to the bottom of it!
when I go to digicert.com (test ssl) and check out knightkingdelivery.com and www.knightkingdelivery.com they seem to have 2 different certs.
www.knightkingdelivery.com gives proper and expect valid cert:

Code:

Common Name = knightkingdelivery.com
Subject Alternative Names = knightkingdelivery.com, www.knightkingdelivery.com
Issuer = R3
Serial Number = 47846E0E241C52C28B3120A3011A5D57677
SHA1 Thumbprint = A522B28AE1834D2E2D34C28B252300726A100C61
Key Length = 4096
Signature algorithm = SHA256-RSA

note knightkingdelivery.com is listed as an alternate as it should be.
but when I check out knightkingdelivery.com (no www) it gives a different and incorrect cert!
in fact it gives the cert from the nameserver - ns1.knight-kingdelivery.com

Code:

Common Name = ns1.knightking-delivery.com
Organization = Unspecified
Country = US
Subject Alternative Names = ns1.knightking-delivery.com
Issuer = ns1.knightking-delivery.com
Serial Number = 60B59BA55C737EB1
SHA1 Thumbprint = F92FF8A2E8634C623DA46FF8ED7D61BF1214C6B5
Key Length = 2048
Signature algorithm = SHA256-RS
Secure Renegotiation:

and this is obviously NOT correct. I also was trying to force all access to be https so I added to .htaccess:
# END WordPress
RewriteCond %{HTTPS} on
RewriteCond %{HTTP_HOST} !^www\.
RewriteRule ^(.*)$ https://www.%{HTTP_HOST}/$1 [R=301,L]
[root@ns1 web]#

could I not do this better inside ispconfig? but in anycase why is domain.com being served the wrong cert and www.domain.com has the correct one??

 

used the curl command to maybe get some more info - from ns10 i did curls to the domains that dont serve properly

Code:

first curl to knightkingdelivery.com (no www)
[root@ns10 web]# curl -Lv http://knightkingdelivery.com
* Rebuilt URL to: http://knightkingdelivery.com/
*   Trying 173.73.223.218...
* TCP_NODELAY set
* Connected to knightkingdelivery.com (173.73.223.218) port 80 (#0)
> GET / HTTP/1.1
> Host: knightkingdelivery.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 08 Oct 2023 23:17:12 GMT
< Server: Apache
< Location: https://knightkingdelivery.com/
< Content-Length: 239
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host knightkingdelivery.com left intact
* Issue another request to this URL: 'https://knightkingdelivery.com/'
*   Trying 173.73.223.218...
* TCP_NODELAY set
* Connected to knightkingdelivery.com (173.73.223.218) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Closing connection 1
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

now same command to the www.domain.com:

Code:

[root@ns10 web]# curl -Lv http://www.knightkingdelivery.com
* Rebuilt URL to: http://www.knightkingdelivery.com/
*   Trying 173.73.223.218...
* TCP_NODELAY set
* Connected to www.knightkingdelivery.com (173.73.223.218) port 80 (#0)
> GET / HTTP/1.1
> Host: www.knightkingdelivery.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sun, 08 Oct 2023 23:18:43 GMT
< Server: Apache
< Location: https://www.knightkingdelivery.com/
< Content-Length: 243
< Content-Type: text/html; charset=iso-8859-1
<
* Ignoring the response-body
* Connection #0 to host www.knightkingdelivery.com left intact
* Issue another request to this URL: 'https://www.knightkingdelivery.com/'
*   Trying 173.73.223.218...
* TCP_NODELAY set
* Connected to www.knightkingdelivery.com (173.73.223.218) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, [no content] (0):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=knightkingdelivery.com
*  start date: Sep 29 11:29:15 2023 GMT
*  expire date: Dec 28 11:29:14 2023 GMT
*  subjectAltName: host "www.knightkingdelivery.com" matched cert's "www.knightkingdelivery.com"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* Using Stream ID: 1 (easy handle 0x55d09b91f3d0)
* TLSv1.3 (OUT), TLS app data, [no content] (0):
> GET / HTTP/2
> Host: www.knightkingdelivery.com
> User-Agent: curl/7.61.1
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, [no content] (0):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
* TLSv1.3 (OUT), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
* TLSv1.3 (IN), TLS app data, [no content] (0):
< HTTP/2 200
< date: Sun, 08 Oct 2023 23:18:43 GMT
< server: Apache
< x-powered-by: PHP/7.4.33
< link: <https://www.knightkingdelivery.com/wp-json/>; rel="https://api.w.org/", <https://www.knightkingdelivery.com/wp-json/wp/v2/pages/2135>; rel="alternate"; type="application/json", <https://www.knightkingdelivery.com/>; rel=shortlink
< vary: Accept-Encoding
< content-type: text/html; charset=UTF-8
<
* TLSv1.3 (IN), TLS app data, [no content] (0):

**now comes the webpage **
<!DOCTYPE html>
<html lang="en-US" dir="ltr">
<head>
<meta charset="UTF-8">
<link rel="profile" href="https://gmpg.org/xfn/11">
<link rel="pingback" href="https://www.knightkingdelivery.com/xmlrpc.php">
...etc.

so without the www it somehow finds a self-signed cert?

I even forced le to reissue the cert:
acme.sh -f -r -d knightkingdelivery.com
and it said all was good. then systemctl restart httpd
but cert is still not right for the non-www name!

inquiring minds!

 

ENLIGHTEMENT!!!!
The file ssl.conf in /etc/httpd/conf.d has a virtual 'default' host in it.
DELETE all the lines starting with:

<VirtualHost _default_:443>
save, restart httpd, and now the non-www resolves properly same as the www domain!
did I miss something? should not perfect server delete this 'default' virtual host? ISPCONFIG creates all hosts - so this extranneous one can ONLY cause problems, no?

 

lets look at these one by one.
[root@ns1 etc]# cat hostname
ns1.knight-kingdelivery.com
so thats fine.
there is no website or subdomain ns1.knight-kingdelivery.com so thats not it.
ip mismatch for the main domain? website knightkingdelivery.com has * for ipv4 site. this is on a local network server is 192.168.2.10 but router port forwards all 80 (and lots more) to this address. router has a static ip assigned which is correct.
also website knightkingdelivery.com has auto www subdomain set.
under system-server config-ip address the ip address is 192.168.2.10
now on the system- server config- general - the ip originally was the static ip I used to set the server up at the shop. I forgot to change it to 192.168.2.10. might this be the mismatch? I've changed it now to 192.168.2.10. If so I'll have to make a note to check this in case of this odd behaviour! I guess I can put the original ssl.conf back in place and see if we still resolve correctly. I'll give that a try for further information.
but in any case how would the website entry knighkingdelivery.com with auto-www NOT be matched ahead of the default??
if removing the default causes the correct resolution, should it not be the last entry looked at?

 

I agree - but the knightkingdelivery.com with auto-www IS a better match!!!! how can it not be selected?
any log to look at anywhere??

 

the centos command is just apachectl -S
But look: with the default vhost deleted from ssl.conf:

Code:

[root@ns1 ~]# apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:359
[Tue Oct 10 16:40:15.783842 2023] [alias:warn] [pid 1452928:tid 140061423589696] AH00671: The Alias directive in /etc/httpd/conf/httpd.conf at line 364 will probably never match because it overlaps an earlier Alias.
[Tue Oct 10 16:40:15.783916 2023] [alias:warn] [pid 1452928:tid 140061423589696] AH00671: The Alias directive in /etc/httpd/conf/httpd.conf at line 371 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:8081                 knightkingdelivery.com (/etc/httpd/conf/sites-enabled/000-apps.vhost:9)
*:8080                 knightkingdelivery.com (/etc/httpd/conf/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:7)
         port 80 namevhost knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:7)
                 alias www.knight-kingdelivery.com
         port 80 namevhost knightkingdelivery.com (/etc/httpd/conf/sites-enabled/100-knightkingdelivery.com.vhost:7)
                 alias www.knightkingdelivery.com
         port 80 namevhost lesismoredmv.com (/etc/httpd/conf/sites-enabled/100-lesismoredmv.com.vhost:7)
                 alias www.lesismoredmv.com
         port 80 namevhost nechtanmarketing.com (/etc/httpd/conf/sites-enabled/100-nechtanmarketing.com.vhost:7)
                 alias www.nechtanmarketing.com
*:443                  is a NameVirtualHost
         default server knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:126)
         port 443 namevhost knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:126)
                 alias www.knight-kingdelivery.com
         port 443 namevhost knightkingdelivery.com (/etc/httpd/conf/sites-enabled/100-knightkingdelivery.com.vhost:131) <-- CORRECT!!
                 alias www.knightkingdelivery.com
         port 443 namevhost lesismoredmv.com (/etc/httpd/conf/sites-enabled/100-lesismoredmv.com.vhost:126)
                 alias www.lesismoredmv.com
         port 443 namevhost nechtanmarketing.com (/etc/httpd/conf/sites-enabled/100-nechtanmarketing.com.vhost:126)
                 alias www.nechtanmarketing.com
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
...rest omitted.

note knightkingdelivery.com is the third entry under *443 - and is the proper vhost 100-knightkingdelivery.com
after I reinstall the original ssl.conf:

Code:

root@ns1 conf.d]# apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/httpd/conf/httpd.conf:359
[Tue Oct 10 16:44:50.996865 2023] [alias:warn] [pid 1453660:tid 140082887240000] AH00671: The Alias directive in /etc/httpd/conf/httpd.conf at line 364 will probably never match because it overlaps an earlier Alias.
[Tue Oct 10 16:44:50.996933 2023] [alias:warn] [pid 1453660:tid 140082887240000] AH00671: The Alias directive in /etc/httpd/conf/httpd.conf at line 371 will probably never match because it overlaps an earlier Alias.
VirtualHost configuration:
*:8081                 knightkingdelivery.com (/etc/httpd/conf/sites-enabled/000-apps.vhost:9)
*:8080                 knightkingdelivery.com (/etc/httpd/conf/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:7)
         port 80 namevhost knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:7)
                 alias www.knight-kingdelivery.com
         port 80 namevhost knightkingdelivery.com (/etc/httpd/conf/sites-enabled/100-knightkingdelivery.com.vhost:7)
                 alias www.knightkingdelivery.com
         port 80 namevhost lesismoredmv.com (/etc/httpd/conf/sites-enabled/100-lesismoredmv.com.vhost:7)
                 alias www.lesismoredmv.com
         port 80 namevhost nechtanmarketing.com (/etc/httpd/conf/sites-enabled/100-nechtanmarketing.com.vhost:7)
                 alias www.nechtanmarketing.com
*:443                  is a NameVirtualHost
         default server knightkingdelivery.com (/etc/httpd/conf.d/ssl.conf:40)  <<<<<BOGUS ENTRY <<<<<
         port 443 namevhost knightkingdelivery.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost knight-kingdelivery.com (/etc/httpd/conf/sites-enabled/100-knight-kingdelivery.com.vhost:126)
                 alias www.knight-kingdelivery.com
         port 443 namevhost knightkingdelivery.com (/etc/httpd/conf/sites-enabled/100-knightkingdelivery.com.vhost:131)
                 alias www.knightkingdelivery.com
         port 443 namevhost lesismoredmv.com (/etc/httpd/conf/sites-enabled/100-lesismoredmv.com.vhost:126)
                 alias www.lesismoredmv.com
         port 443 namevhost nechtanmarketing.com (/etc/httpd/conf/sites-enabled/100-nechtanmarketing.com.vhost:126)
                 alias www.nechtanmarketing.com
ServerRoot: "/etc/httpd"

and now the FIRST entry under *443 is the default host in ssl.conf!!
and that has NOTHING not commented. knightkingdelivery.com is nowhere in that file!!!
here is the full ssl.conf file (starting with the lines I deleted)

Code:

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   List the protocol versions which clients are allowed to connect with.
#   The OpenSSL system profile is used by default.  See
#   update-crypto-policies(8) for more details.
#SSLProtocol all -SSLv3
#SSLProxyProtocol all -SSLv3

#   User agents such as web browsers are not configured for the user's
#   own preference of either security or performance, therefore this
#   must be the prerogative of the web server administrator who manages
#   cpu load versus confidentiality, so enforce the server's cipher order.
SSLHonorCipherOrder on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
#   The OpenSSL system profile is configured by default.  See
#   update-crypto-policies(8) for more details.
SSLCipherSuite PROFILE=SYSTEM
SSLProxyCipherSuite PROFILE=SYSTEM

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is sent or allowed to be received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is sent and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers. Use
#     this only for browsers where you know that their SSL implementation
#     works correctly.
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>

this is the entirety of what I deleted - and when I restore it sure enough knightkingdelivery.com is being served by ssl.conf as shown above! nothing in here refers to knightkingdelivery.com and yet there it is!
how can that be? where is it coming from? what is this 'global configuration' its referring to??

 

by your command:
[root@ns1 httpd]# hostname
ns1.knight-kingdelivery.com
[root@ns1 httpd]# hostname -f
ns1.knight-kingdelivery.com
[root@ns1 httpd]#

all correct!

 

On Debian and Ubuntu at least the command hostname should return only the hostname part, in your case "ns1". With -f it returns the FQDN.
So the output is not correct, the command should show different outputs.

 

by your command the entire vhost file:

Code:

<Directory /var/www/knightkingdelivery.com>
                AllowOverride None
                                Require all denied
                </Directory>
<VirtualHost *:80>
                                                                        DocumentRoot /var/www/knightkingdelivery.com/web
                ServerName knightkingdelivery.com
                ServerAlias www.knightkingdelivery.com
                ServerAdmin [email protected]
                ErrorLog /var/log/ispconfig/httpd/knightkingdelivery.com/error.log
                Alias /error/ "/var/www/knightkingdelivery.com/web/error/"
                ErrorDocument 400 /error/400.html
                ErrorDocument 401 /error/401.html
                ErrorDocument 403 /error/403.html
                ErrorDocument 404 /error/404.html
                ErrorDocument 405 /error/405.html
                ErrorDocument 500 /error/500.html
                ErrorDocument 502 /error/502.html
                ErrorDocument 503 /error/503.html

                <Directory /var/www/knightkingdelivery.com/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +SymlinksIfOwnerMatch
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                <Directory /var/www/clients/client0/web3/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +SymlinksIfOwnerMatch
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                # suexec enabled
                <IfModule mod_suexec.c>
                        SuexecUserGroup web3 client0
                </IfModule>
                # php as fast-cgi enabled
        # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html
                <IfModule mod_fcgid.c>
                                FcgidIdleTimeout 300
                                FcgidProcessLifeTime 3600
                                # FcgidMaxProcesses 1000
                                FcgidMaxRequestsPerProcess 5000
                                FcgidMinProcessesPerClass 0
                                FcgidMaxProcessesPerClass 10
                                FcgidConnectTimeout 3
                                FcgidIOTimeout 600
                                FcgidBusyTimeout 3600
                                FcgidMaxRequestLen 1073741824
                </IfModule>
                <Directory /var/www/knightkingdelivery.com/web>
                                <FilesMatch "\.php[345]?$">
                                        SetHandler fcgid-script
                                </FilesMatch>
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php3
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php4
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php5
                                Options +ExecCGI
                                AllowOverride All
                                                                Require all granted
                                                </Directory> 
            <Directory /var/www/clients/client0/web3/web>
                                <FilesMatch "\.php[345]?$">
                                        SetHandler fcgid-script
                                </FilesMatch>
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php3
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php4
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php5
                                Options +ExecCGI
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                RewriteEngine on
                RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
                RewriteRule ^ - [END]
        RewriteCond %{HTTPS} off
                RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
                # add support for apache mpm_itk
                <IfModule mpm_itk_module>
                        AssignUserId web3 client0
                </IfModule>

                <IfModule mod_dav_fs.c>
                # Do not execute PHP files in webdav directory
                        <Directory /var/www/clients/client0/web3/webdav>
                                <ifModule mod_security2.c>
                                        SecRuleRemoveById 960015
                                        SecRuleRemoveById 960032
                                </ifModule>
                                <FilesMatch "\.ph(p3?|tml)$">
                                        SetHandler None
                                </FilesMatch>
                        </Directory>
                        DavLockDB /var/www/clients/client0/web3/tmp/DavLock
                        # DO NOT REMOVE THE COMMENTS!
                        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
                        # WEBDAV END
                </IfModule>
                        # skipping apache_directives, as that will be handled by the ssl vhost
</VirtualHost>

<VirtualHost *:443>
                                                                        DocumentRoot /var/www/knightkingdelivery.com/web
                ServerName knightkingdelivery.com
                ServerAlias www.knightkingdelivery.com
                ServerAdmin [email protected]

                <IfModule mod_http2.c>
                        Protocols h2 http/1.1
                </IfModule>
                <IfModule mod_brotli.c>
                        AddOutputFilterByType BROTLI_COMPRESS text/html text/plain text/xml text/css text/javascript application/x-javascript application/javascript application/xml
application/xml+rss application/atom+xml application/json application/x-font-ttf application/vnd.ms-fontobject image/x-icon
                </IfModule>

                ErrorLog /var/log/ispconfig/httpd/knightkingdelivery.com/error.log

                Alias /error/ "/var/www/knightkingdelivery.com/web/error/"
                ErrorDocument 400 /error/400.html
                ErrorDocument 401 /error/401.html
                ErrorDocument 403 /error/403.html
                ErrorDocument 404 /error/404.html
                ErrorDocument 405 /error/405.html
                ErrorDocument 500 /error/500.html
                ErrorDocument 502 /error/502.html
                ErrorDocument 503 /error/503.html

  <IfModule mod_ssl.c>
                SSLEngine on
                SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
                SSLHonorCipherOrder     on
                # <IfModule mod_headers.c>
                # Header always add Strict-Transport-Security "max-age=15768000"
                # </IfModule>
                SSLCertificateFile /var/www/clients/client0/web3/ssl/knightkingdelivery.com-le.crt
                SSLCertificateKeyFile /var/www/clients/client0/web3/ssl/knightkingdelivery.com-le.key
                                  SSLUseStapling on
                  SSLStaplingResponderTimeout 5
                  SSLStaplingReturnResponderErrors off
                      </IfModule>

                <Directory /var/www/knightkingdelivery.com/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +SymlinksIfOwnerMatch
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                <Directory /var/www/clients/client0/web3/web>
                                # Clear PHP settings of this website
                                <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                SetHandler None
                                </FilesMatch>
                                Options +SymlinksIfOwnerMatch
                                AllowOverride All
                                                                Require all granted
                                                </Directory>

                # suexec enabled
                <IfModule mod_suexec.c>
                        SuexecUserGroup web3 client0
                </IfModule>
                # php as fast-cgi enabled
        # For config options see: http://httpd.apache.org/mod_fcgid/mod/mod_fcgid.html     
     <IfModule mod_fcgid.c>
                                FcgidIdleTimeout 300
                                FcgidProcessLifeTime 3600
                                # FcgidMaxProcesses 1000
                                FcgidMaxRequestsPerProcess 5000
                                FcgidMinProcessesPerClass 0
                                FcgidMaxProcessesPerClass 10
                                FcgidConnectTimeout 3
                                FcgidIOTimeout 600
                                FcgidBusyTimeout 3600
                                FcgidMaxRequestLen 1073741824
                </IfModule>
                <Directory /var/www/knightkingdelivery.com/web>
                                <FilesMatch "\.php[345]?$">
                                        SetHandler fcgid-script
                                </FilesMatch>
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php3
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php4
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php5
                                Options +ExecCGI
                                AllowOverride All
                                                                Require all granted
                                                </Directory>
                <Directory /var/www/clients/client0/web3/web>
                                <FilesMatch "\.php[345]?$">
                                        SetHandler fcgid-script
                                </FilesMatch>
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php3
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php4
                                FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php5
                                Options +ExecCGI
                                AllowOverride All
                                                                Require all granted
                                                </Directory>

                RewriteEngine on
                RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
                RewriteRule ^ - [END]

                # add support for apache mpm_itk
                <IfModule mpm_itk_module>
                        AssignUserId web3 client0
                </IfModule>

                <IfModule mod_dav_fs.c>
                # Do not execute PHP files in webdav directory
                        <Directory /var/www/clients/client0/web3/webdav>
                                <ifModule mod_security2.c>
                                        SecRuleRemoveById 960015
                                        SecRuleRemoveById 960032
                                </ifModule>
                                <FilesMatch "\.ph(p3?|tml)$">
                                        SetHandler None
                                </FilesMatch>
                        </Directory>
                        DavLockDB /var/www/clients/client0/web3/tmp/DavLock
                        # DO NOT REMOVE THE COMMENTS!
                        # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
      # WEBDAV BEGIN
                        # WEBDAV END
                </IfModule>

</VirtualHost>

<IfModule mod_ssl.c>
        SSLStaplingCache shmcb:/var/run/ocsp(128000)
</IfModule>

I await enlightenment. but if there is a flaw in this vhost file, why is it properly loaded when I deleted the default vhost from ssl.conf??
and if there is no flaw why was it not picked OVER default vhost??
oh and naturally there IS no .err file.

 

by your command Th0m:
[root@ns1 sites-enabled]# ls -la /var/www/clients/client0/web3/ssl
total 12
drwxr-xr-x 2 root root 92 Sep 29 08:29 .
drwxr-xr-x 11 root root 160 Sep 19 17:55 ..
-rw-r--r-- 1 root root 5918 Oct 8 19:35 knightkingdelivery.com-le.crt
-rw------- 1 root root 3243 Oct 8 19:35 knightkingdelivery.com-le.key

 

one screenshot coming up. server name is ns1.knight-kingdelivery.com
and ssl cert on ns1.knight-kingdelivery.com is vaild. from details:
Common Name (CN)
ns1.knight-kingdelivery.com
Organization (O)
<Not Part Of Certificate>
Organizational Unit (OU)
<Not Part Of Certificate>
Issued By
Common Name (CN)
R3
Organization (O)
Let's Encrypt
Organizational Unit (OU)
<Not Part Of Certificate>
Validity Period
Issued On
Saturday, September 23, 2023 at 8:46:15 AM
Expires On
Friday, December 22, 2023 at 7:46:14 AM

 

so..... how are we getting the wrong ssl and matching the default host in ssl.conf??? from what I see that should NOT be happening???

 

no this one never changed the hostname. I registered knight-kingdelivery.com so this would be ns1.knight-kingdelivery.com as it is to this day.
I had asked about changing the hostname as a means of replacing servers - starting one out as ns11 then changing name to ns10 so I dont have to update 100+ registrar nameserver entries! but this one with the default vhost being incorrectly matched never had the hostname changed