0

When I run my domain through the SSL Test by Qualys, its main issue is an apparent second SSL certificate that is installed for this domain. However, I've looked through every config I could think of and cannot seem to make a guess why this second certificate is sent.

I'm using nginx (just updated to 1.16.1) on Debian 10 buster, all my certificates are provided by Let's Encrypt through certbot.

The domain in question is med.mydomain.de, which reports both a certificate for this domain (which is marked as trusted), as well as a second certificate which is issued to the domain app.mydomain.de (which is marked as untrusted).

When I check the domain app.mydomain.de itself through the SSL tester, it only shows one SSL certificate.

This is the output of certbot certificates:

Found the following certs:
  Certificate Name: app.mydomain.de
    Domains: app.mydomain.de
    Expiry Date: 2020-04-11 12:15:31+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/app.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/app.mydomain.de/privkey.pem
  Certificate Name: backend.mydomain.de
    Domains: backend.mydomain.de
    Expiry Date: 2020-04-23 13:22:39+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/backend.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/backend.mydomain.de/privkey.pem
  Certificate Name: med.mydomain.de
    Domains: med.mydomain.de
    Expiry Date: 2020-04-11 10:45:46+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/med.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/med.mydomain.de/privkey.pem
  Certificate Name: rest.mydomain.de
    Domains: rest.mydomain.de
    Expiry Date: 2020-04-11 12:15:51+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/rest.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/rest.mydomain.de/privkey.pem
  Certificate Name: webhook.mydomain.de
    Domains: webhook.mydomain.de
    Expiry Date: 2020-04-11 12:15:59+00:00 (VALID: 77 days)
    Certificate Path: /etc/letsencrypt/live/webhook.mydomain.de/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/webhook.mydomain.de/privkey.pem

This is the global nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##

    ssl_protocols TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA512:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:ECDH+AESGCM:ECDH+AES256:DH+AESGCM:DH+AES256:RSA+AESGCM:!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##

    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;

    add_header X-Frame-Options "sameorigin";
}

And this is the nginx config of the server in question:

server {

    root /usr/share/nginx/sites/w_backend/public;
    index index.php index.html;

    server_name med.mydomain.de backend.mydomain.de;

    location / {
        try_files $uri $uri.html $uri/ @extensionless-php;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php/php7.3-fpm-w_backend.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param FULL_DIRECTORY /usr/share/nginx/sites/;
                fastcgi_param GLOBAL_CONF_PATH /srv/conf/;
        include fastcgi_params;
    }

    location @extensionless-php {
        rewrite ^(.*)$ $1.php last;
    }

    listen 443 ssl;
    listen [::]:443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/med.mydomain.de/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/med.mydomain.de/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = backend.mydomain.de) {
        return 301 https://med.mydomain.de$request_uri;
    } # managed by Certbot
    if ($host = med.mydomain.de) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name med.mydomain.de backend.mydomain.de;
    return 404; # managed by Certbot


}

Could anyone give me a hint on where I could look elsewhere? Any certbot options I could check?

Maximilian Krause
  • 121
  • 1
  • 5

1 Answers1

1

Could it be the case that Qualys is testing with much older browsers that don't support SNI, in which case the browser doesn't know which certificate is correct and is presented with the 2nd, untrusted, certificate? This would also explain why when you check it in your own browser you'll only see the correct certificate because your browser does support SNI.

Mekswoll
  • 111
  • 2