As noticed while debugging T369008 we have some httpd misconfigured across the entire fleet. As already noted in Apache documentation SSLCertificateChainFile won't work on dual stack setups:
But be careful: Providing the certificate chain works only if you are using a single RSA or DSA based server certificate. If you are using a coupled RSA+DSA certificate pair, this will work only if actually both certificates use the same certificate chain. Else the browsers will be confused in this situation.
a quick git grep shows the following offenders:
- icinga
- karma
- klaxon
- librenms
- mirrors
- orchestrator
- gerrit
SSLCertificateChainFile+ SSLCertificateFile combo should be dropped in favor of a single SSLCertificateFile pointing to the chained flavor of the crt:
SSLCertificateFile /etc/acmecerts/${'cert_name'}/live/ec-prime256v1.chained.crt SSLCertificateFile /etc/acmecerts/${'cert_name'}/live/rsa-2048.chained.crt