NET::ERR_CERT_AUTHORITY_INVALID (CA Certificate and Apache)

SYSTEM INFORMATION
OS type and version Ubuntu Linux 22.04.3
Virtualmin version 7.8.2
Apache version 2.4.52

Whereas intermittently I got the message in the topic title from all the browsers (i.e. I cannot access the site nor its backend),

a) the Apache Error Log notifies me of the following for a virtual server recently created on which I have installed Wordpress:

AH01906: myvirtualserver.xyz:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
AH01630: client denied by server configuration: /home/myvirtualserver/public_html/server-status

and

b) the other virtual servers are running smoothly

I am here asking please how to fix.

What evidence do you think I should verify?

For the first issue AH01906, please note the SSL Certificate summary:

For the second one AH01630, I retrieved the configuration file i.e. /etc/apache2/sites-available/myvirtualserver.xyz.conf:

<VirtualHost 162.**.**.**:80 [****:4f8:***:****::1]:80>
    SuexecUserGroup "#1071" "#1030"
    ServerName myvirtualserver.xyz
    ServerAlias www.myvirtualserver.xyz
    ServerAlias mail.myvirtualserver.xyz
    ServerAlias webmail.myvirtualserver.xyz
    ServerAlias admin.myvirtualserver.xyz
    ServerAlias autoconfig.myvirtualserver.xyz
    ServerAlias autodiscover.myvirtualserver.xyz
    DocumentRoot /home/myvirtualserver/public_html
    ErrorLog /var/log/virtualmin/myvirtualserver.xyz_error_log
    CustomLog /var/log/virtualmin/myvirtualserver.xyz_access_log combined
    ScriptAlias /cgi-bin/ /home/myvirtualserver/cgi-bin/
    ScriptAlias /awstats/ /home/myvirtualserver/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/myvirtualserver/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/myvirtualserver/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/myvirtualserver/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/myvirtualserver/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/myvirtualserver/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.myvirtualserver.xyz
    RewriteRule ^(?!/.well-known)(.*) https://myvirtualserver.xyz:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.myvirtualserver.xyz
    RewriteRule ^(?!/.well-known)(.*) https://myvirtualserver.xyz:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php8.1
    RemoveHandler .php8.2
    <Files awstats.pl>
        AuthName "myvirtualserver.xyz statistics"
        AuthType Basic
        AuthUserFile /home/myvirtualserver/.awstats-htpasswd
        require valid-user
    </Files>
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    <FilesMatch \.php$>
        SetHandler proxy:unix:/var/php-fpm/17017872331077695.sock|fcgi://127.0.0.1
    </FilesMatch>
    RewriteCond %{HTTPS} off
    RewriteRule ^/(?!.well-known)(.*)$ https://%{HTTP_HOST}/$1 [R]
</VirtualHost>
<VirtualHost 162.**.**.**:443 [****:4f8:***:****::1]:443>
    SuexecUserGroup "#1071" "#1030"
    ServerName myvirtualserver.xyz
    ServerAlias www.myvirtualserver.xyz
    ServerAlias mail.myvirtualserver.xyz
    ServerAlias webmail.myvirtualserver.xyz
    ServerAlias admin.myvirtualserver.xyz
    ServerAlias autoconfig.myvirtualserver.xyz
    ServerAlias autodiscover.myvirtualserver.xyz
    DocumentRoot /home/myvirtualserver/public_html
    ErrorLog /var/log/virtualmin/myvirtualserver.xyz_error_log
    CustomLog /var/log/virtualmin/myvirtualserver.xyz_access_log combined
    ScriptAlias /cgi-bin/ /home/myvirtualserver/cgi-bin/
    ScriptAlias /awstats/ /home/myvirtualserver/cgi-bin/
    ScriptAlias /AutoDiscover/AutoDiscover.xml /home/myvirtualserver/cgi-bin/autoconfig.cgi
    ScriptAlias /Autodiscover/Autodiscover.xml /home/myvirtualserver/cgi-bin/autoconfig.cgi
    ScriptAlias /autodiscover/autodiscover.xml /home/myvirtualserver/cgi-bin/autoconfig.cgi
    DirectoryIndex index.php index.php4 index.php5 index.htm index.html
    <Directory /home/myvirtualserver/public_html>
        Options -Indexes +IncludesNOEXEC +SymLinksIfOwnerMatch 
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    <Directory /home/myvirtualserver/cgi-bin>
        Require all granted
        AllowOverride All Options=ExecCGI,Includes,IncludesNOEXEC,Indexes,MultiViews,SymLinksIfOwnerMatch
    </Directory>
    ProxyPass /.well-known !
    RewriteEngine on
    RewriteCond %{HTTP_HOST} =webmail.myvirtualserver.xyz
    RewriteRule ^(?!/.well-known)(.*) https://myvirtualserver.xyz:20000/ [R]
    RewriteCond %{HTTP_HOST} =admin.myvirtualserver.xyz
    RewriteRule ^(?!/.well-known)(.*) https://myvirtualserver.xyz:10000/ [R]
    RemoveHandler .php
    RemoveHandler .php8.1
    RemoveHandler .php8.2
    SSLEngine on
    SSLCertificateFile /etc/ssl/virtualmin/*****************/ssl.cert
    SSLCertificateKeyFile /etc/ssl/virtualmin/*****************/ssl.key
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    <Files awstats.pl>
        AuthName "myvirtualserver.xyz statistics"
        AuthType Basic
        AuthUserFile /home/myvirtualserver/.awstats-htpasswd
        require valid-user
    </Files>
    Redirect /mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    Redirect /.well-known/autoconfig/mail/config-v1.1.xml /cgi-bin/autoconfig.cgi
    SSLCACertificateFile /etc/ssl/virtualmin/*****************/ssl.ca
    <FilesMatch \.php$>
        SetHandler proxy:unix:/var/php-fpm/*****************.sock|fcgi://127.0.0.1
    </FilesMatch>
</VirtualHost>

Do you please have any suggestions on what maintenance to do?

Thank you in advance.
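A way to check the certificate that AH01906 complains about, as an added example that is not part of the original thread. The function names are hypothetical, the two sample certificates are constructed for `example.test`, and the `openssl` command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): report the certificate properties that
# matter for AH01906 and NET::ERR_CERT_AUTHORITY_INVALID.

# True if BasicConstraints carries CA:TRUE (what Apache's AH01906 warns about).
cert_is_ca() {
    openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'
}

# True if subject and issuer names hash identically, i.e. the certificate is
# self-issued and no browser trust store will chain it to a public CA.
cert_is_self_issued() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# True if the certificate has not yet passed its notAfter date.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# Print a space-separated list of findings, or "ok" if there are none.
diagnose_cert() {
    local out=""
    cert_is_ca "$1"          && out="$out ca-flag"
    cert_is_self_issued "$1" && out="$out self-issued"
    cert_not_expired "$1"    || out="$out expired"
    out=${out# }
    echo "${out:-ok}"
}

# Constructed sample: self-signed cert for example.test with the given
# BasicConstraints value ($2), written to $1.cert / $1.key.
make_sample() {
    local cnf="$1.cnf"
    printf '%s\n' '[req]' 'distinguished_name=dn' 'prompt=no' \
        'x509_extensions=ext' '[dn]' 'CN=example.test' '[ext]' \
        "basicConstraints=critical,$2" > "$cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$cnf" \
        -keyout "$1.key" -out "$1.cert" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir/ca" CA:TRUE
make_sample "$demo_dir/leaf" CA:FALSE
echo "ca.cert:   $(diagnose_cert "$demo_dir/ca.cert")"    # ca-flag self-issued
echo "leaf.cert: $(diagnose_cert "$demo_dir/leaf.cert")"  # self-issued
rm -rf "$demo_dir"
```

Point `diagnose_cert` at the file named by `SSLCertificateFile` in the port 443 virtual host. A result of `ca-flag self-issued` means the server is presenting a self-signed certificate, which browsers reject with NET::ERR_CERT_AUTHORITY_INVALID.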

Are you running all of these servers on Virtualmin PRO? I want to say there is a limit to the number of domains or servers you can run using the PRO version.

Did you look into your log files to see any error messages you might have?

Might want to start there and post what you got. I mean, as long as it’s possible it should work without a hitch as far as I know, meaning there aren’t any limitations in software. You also must be using an FQDN, and your date and time must match the certificate’s scope. All your name servers and glue records etc. are set up correctly, I presume, and you can access your website without HTTPS. It is WordPress, I presume. And I also presume that your ports 443 and 80 are open, respectively.

Hrmmm… You could try to update your certificate possibly prematurely and see if that works.

Not entirely sure what the problem is; might want to look into the logs.

That’s not true! There is no limit to the number of domains or virtual servers you can run using the GPL version of Virtualmin.


Errr, yeah, Pro has 10 domain limits rather, and a lot of installer scripts added to make it more of a useful tool. You are correct, I had it backwards.

I have done it:

I access it through neither HTTP nor HTTPS. As it is a fresh installation, I do confirm that those two are the only alerts I got. I installed this virtual server like the others, with the exact same settings.

Those were the only alerts.

You’re saying you checked all of your logs in Webmin → System → SystemLogsViewer?

Here it is, which one is for me?

This is from Error and critical messages


and this is from /var/log/apache2/error.log

[Wed Dec 06 09:34:57.287457 2023] [core:notice] [pid 1175883:tid 140485987952512] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 06 09:34:57.287397 2023] [mpm_event:notice] [pid 1175883:tid 140485987952512] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.2 configured -- resuming normal operations
[Wed Dec 06 09:34:57.227312 2023] [suexec:notice] [pid 1175880:tid 140485987952512] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Wed Dec 06 09:34:56.037488 2023] [mpm_event:notice] [pid 1138021:tid 140307160323968] AH00492: caught SIGWINCH, shutting down gracefully
[Wed Dec 06 09:17:38.701089 2023] [core:notice] [pid 1138021:tid 140307160323968] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 06 09:17:38.701039 2023] [mpm_event:notice] [pid 1138021:tid 140307160323968] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.2 configured -- resuming normal operations
[Wed Dec 06 09:17:38.566661 2023] [mpm_event:notice] [pid 1138021:tid 140307160323968] AH00493: SIGUSR1 received.  Doing graceful restart
[Wed Dec 06 00:04:56.239811 2023] [core:notice] [pid 1138021:tid 140307160323968] AH00094: Command line: '/usr/sbin/apache2'
[Wed Dec 06 00:04:56.239724 2023] [mpm_event:notice] [pid 1138021:tid 140307160323968] AH00489: Apache/2.4.52 (Ubuntu) mod_fcgid/2.3.9 OpenSSL/3.0.2 configured -- resuming normal operations

Hope it may help for some diagnosis.
