Certificate and bncert-tool problems

Keywords: WordPress - AWS - Technical issue - Secure Connections (SSL/HTTPS)

bnsupport ID: b863926c-276d-3c58-0eff-4c3ee0110074

bndiagnostic output:

Apache: Found possible issues
Connectivity: Found possible issues
Resources: Found possible issues
Php: Found possible issues
https://docs.bitnami.com/general/apps/wordpress/troubleshooting/debug-errors-apache/
https://docs.bitnami.com/bch/apps/moodle/troubleshooting/deny-connections-bots-apache/
https://docs.bitnami.com/general/faq/administration/use-firewall/
https://docs.bitnami.com/general/apps/wordpress/configuration/configure-phpfpm-processes/

bndiagnostic failure reason: The suggested guides are not related with my issue

Description:
Having strange issues with the certificate/https of this server. This happens in multiple ways which seem unrelated, but probably are related.

On the practical side the issue manifests in the galleries by a WordPress plugin not being displayed properly. It seems sometimes the CSS file is not loaded. A refresh of the page ‘solves’ the issues (the galleries display properly), but ~30 minutes later the issue happens again. Firefox does not give an error. Microsoft Edge gives “ERR_CERT_COMMON_NAME_INVALID” for the specific CSS file. Related topic in the plugin’s support forum is https://wordpress.org/support/topic/foogallery-css-sometimes-not-loaded/

Another issue relates to /opt/bitnami/bncert-tool. First time running it worked well. When I was adding a subdomain, it complained that the domain does not resolve to the IP of the server, while that absolutely was and is the case. Tried a lot of things including removing the AAAA (IPv6 records) for the domain. In the end after a reboot of the server bncert-tool worked. Today when I wanted to redo the certificates to see if that helped, the IP error came up again: "Warning: The domain ‘x.com’ resolves to a different IP address than the one detected for this machine, which is ‘1.2.3.4’. Please fix its DNS entries or remove it."

So something is wrong but it is a hell to get it debugged.

Hello @Saturnus,

I can see your instance is running out of memory

-----------------------------------
Display amount of free and used memory in the system
-----------------------------------
Running: free -m
In: /opt/bitnami

Output:

              total        used        free      shared  buff/cache   available
Mem:            482         340           7          43         133          85
Swap:           634         372         262

Note that WordPress recommends at least 700M of memory.

Could you try to increase your machine type in order to improve the performance? This guide explains the process:
https://docs.bitnami.com/aws/faq/administration/change-server-type/

Let me share with you our troubleshooting documentation:
https://docs.bitnami.com/aws/how-to/troubleshoot-wordpress-issues/
https://docs.bitnami.com/aws/faq/troubleshooting/troubleshoot-server-performance/

We also have a guide to optimize WordPress:
https://docs.bitnami.com/aws/apps/wordpress/troubleshooting/optimize-bitnami-wordpress/

I hope it helps

Hello @davidg

Thanks. I can upgrade the server in some hours. Also I will try the WordPress plugin for checking mixed content.

But both would not explain the bncert-tool error, right?

@davidg
Can you tell me how to find what this “different IP” is according to the tool?

Hello @Saturnus,

Your current IP is 18.XXX.XX.212. Did you check that the domain is pointing to this IP? For that, you could use this tool:

https://www.whatsmydns.net

Also, this may be related to the IPv6 entries your domain has. Could you please take a look at this thread?

Regards

@davidg

All DNS records are configured correctly in Route 53.

I did the following. Remove all AAAA records. Follow the changes for the domain on https://dnschecker.org/ (looks the same as your link btw). Most importantly, on the AWS instance, follow the command hostname domain.com where domain.com is the domain in question. This command kept showing IPv4 and IPv6 entries for about an hour. After an hour, the IPv6 reference was gone. After this point bncert-tool worked. In other words, bncert-tool only works when there are no AAAA records for the domain. I hope you can fix this shortcoming if it is related to bncert-tool, or otherwise forward this issue to the author of the component bncert-tool uses, or let me know where I can report this.

Bncert-tool said: Warning: A certificate for the list of domains you entered already exists. It will be used instead of generating a new one. The actions following were successfully applied but nothing changed practically. I do not think there is something wrong with the certificate.

The WordPress plugin author says it has nothing to do with them (https://wordpress.org/support/topic/foogallery-css-sometimes-not-loaded/page/2/#post-14657054). Then it has to be something in WordPress. In WP site health I always had the "The authorization header is missing." error with none of the solutions online helping to resolve it. Not sure if related. Do you know?

A new hosting instance was set up (in other words, started from zero) and the non-loading gallery/CSS problems are gone now. Difference with the former situation is that the site was opened/configured from the domain name (on HTTPS) instead of on the IP address which got the domain name attached later.

For bncert-tool I found that the above is not enough, you also have to detach the IPv6 interface in AWS, and reattach it, to force DNS to be updated so that the host command does not return the IPv6 DNS record for the domain anymore. Only then bncert-tool will not error out.
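
A way to see which record triggers the "different IP" warning described in the post above, as an added example that is not part of the original thread and is not bncert-tool's own code. It assumes the check fails whenever any resolved address (A or AAAA) differs from the single IPv4 address detected for the machine; the function names and the sample addresses are hypothetical.

```python
import ipaddress
import socket
import sys


def resolve(domain):
    """Return every address the system resolver reports (A and AAAA)."""
    infos = socket.getaddrinfo(domain, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def check_domain(addresses, machine_ip):
    """Sort resolved addresses into matches and per-family mismatches."""
    machine = ipaddress.ip_address(machine_ip)
    report = {"match": [], "mismatch_ipv4": [], "mismatch_ipv6": []}
    for raw in addresses:
        addr = ipaddress.ip_address(raw.split("%")[0])  # drop IPv6 zone id
        if addr == machine:
            report["match"].append(str(addr))
        else:
            report[f"mismatch_ipv{addr.version}"].append(str(addr))
    return report


def diagnose(addresses, machine_ip):
    """Name the most likely reason a 'different IP' check would fail."""
    r = check_domain(addresses, machine_ip)
    if not r["match"]:
        return "no-record-for-machine"
    if r["mismatch_ipv4"]:
        return "extra-a-record"
    if r["mismatch_ipv6"]:
        return "aaaa-record-differs"
    return "ok"


# Constructed sample (documentation address ranges, not from the thread):
SAMPLE_MACHINE_IP = "192.0.2.10"
SAMPLE_RESOLVED = ["192.0.2.10", "2001:db8::10"]

if __name__ == "__main__":
    # Live use: python3 check_dns.py <domain> <machine-ip>
    if len(sys.argv) == 3:
        addrs, ip = resolve(sys.argv[1]), sys.argv[2]
    else:
        addrs, ip = SAMPLE_RESOLVED, SAMPLE_MACHINE_IP
    print(check_domain(addrs, ip), diagnose(addrs, ip))
```

Because `resolve` goes through the instance's own resolver, a removed AAAA record keeps showing up here until cached answers expire, which matches the delay reported above.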

Hello @Saturnus,

Sorry for the delay here, and thanks a lot for sharing your solution. I’m sure it will help others.

We will revisit it in order to improve our tool and documentation.

Regards