400 Bad Request Error with certificate for server behind xxx.myfritz.com


#1

Hello,

I have a home server running Ubuntu. I forwarded all ports that the server needs and bought a domain with 2 CNAME records, *.xxx.de and xxx.de, both pointing at my myfritz.net address.
I want to install a certificate with certbot and it always says that it was successful. But when I try to connect to the site, I get a “400 Bad Request” and when I check on https://globalsign.ssllabs.com I get a certificate mismatch: https://imgur.com/a/amc5oXz.
I once before tried to install a self-signed certificate and I think that for some reason it’s still there but I don’t know how to fully remove it.
I hope that somebody can help me.


#2

I have moved your thread to the Help section, where it is more appropriate. In that section, you would have gotten the following questionnaire on opening the thread. Please answer all the questions the best you can:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

Sorry for the mistakes, first time on the forum.

My domain is:
greiner.live

I ran this command:
sudo certbot --apache2 -d greiner.live -d www.greiner.live

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for greiner.live
http-01 challenge for www.greiner.live
Waiting for verification…
Cleaning up challenges
Created an SSL vhost at /etc/apache2/sites-available/www.greiner.live-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/www.greiner.live-le-ssl.conf
Enabling available site: /etc/apache2/sites-available/www.greiner.live-le-ssl.conf
Deploying Certificate to VirtualHost /etc/apache2/sites-available/www.greiner.live-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/www.greiner.live.conf to ssl vhost in /etc/apache2/sites-available/www.greiner.live-le-ssl.conf


Congratulations! You have successfully enabled https://greiner.live and
https://www.greiner.live

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=greiner.live
https://www.ssllabs.com/ssltest/analyze.html?d=www.greiner.live


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/greiner.live-0001/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/greiner.live-0001/privkey.pem
    Your cert will expire on 2019-03-16. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2018-10-10T18:59:25

The operating system my web server runs on is (include version):
Ubuntu Server 18.04

My hosting provider, if applicable, is:
no

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no


#4

Is your FritzBox listening on port 443 for its admin interface by any chance?


#5

Hi @andy_myroon

your DNS settings:

| Host | T | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| greiner.live | C | e6xq4gelgk0vl2bc.myfritz.net | yes | 1 | 0 |
| | A | 93.192.168.29 | yes | | |
| www.greiner.live | C | e6xq4gelgk0vl2bc.myfritz.net | yes | 1 | 0 |
| | A | 93.192.168.29 | yes | | |

The certificate:

e6xq4gelgk0vl2bc.myfritz.net, fritz.box, www.fritz.box, myfritz.box, www.myfritz.box, fritz.nas, www.fritz.nas - 7 entries

Looks like your fritz box answers, not your server.

And your domain works on port 80:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://greiner.live/ (93.192.168.29) | 200 | | 0.077 | H |
| http://www.greiner.live/ (93.192.168.29) | 200 | | 0.076 | H |
| https://greiner.live/ (93.192.168.29) | 400 Bad Request. Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | 5.676 | N |
| https://www.greiner.live/ (93.192.168.29) | 400 Bad Request. Certificate error: RemoteCertificateNameMismatch, RemoteCertificateChainErrors | | 5.664 | N |

Only port 443 has the problem of the bad request.
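
The check made in post #5, written out as an added example that is not part of the original thread or of the tool used there: given the SAN list of the certificate that answered on port 443, decide whether it covers the requested hostname or only the dynamic-DNS name the CNAME points at. The function names and result labels are hypothetical, and the SAN strings are constructed from the names quoted in the post.

```python
# Added example (not from the thread). The SAN text is constructed in the
# "DNS:name, DNS:name" form that `openssl x509 -noout -text` prints, using
# the names quoted in post #5.
ROUTER_SANS = ("DNS:e6xq4gelgk0vl2bc.myfritz.net, DNS:fritz.box, DNS:www.fritz.box, "
               "DNS:myfritz.box, DNS:www.myfritz.box, DNS:fritz.nas, DNS:www.fritz.nas")
SERVER_SANS = "DNS:greiner.live, DNS:www.greiner.live"  # names certbot requested


def parse_sans(text):
    """Return the lower-cased DNS names from an openssl-style SAN line."""
    names = []
    for item in text.split(","):
        kind, _, value = item.strip().partition(":")
        if kind == "DNS" and value:
            names.append(value.lower().rstrip("."))
    return names


def name_matches(hostname, pattern):
    """Exact match, or a left-most '*' label covering exactly one label."""
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return hostname == pattern


def diagnose(hostname, cname_target, san_text):
    """Classify the certificate that answered on port 443 for `hostname`."""
    sans = parse_sans(san_text)
    if any(name_matches(hostname, s) for s in sans):
        return "ok"
    if any(name_matches(cname_target, s) for s in sans):
        # Valid only for the dynamic-DNS name: the TLS endpoint is the
        # device that owns that name, not the web server behind it.
        return "other-endpoint"
    return "mismatch"


if __name__ == "__main__":
    for host in ("greiner.live", "www.greiner.live"):
        print(host, diagnose(host, "e6xq4gelgk0vl2bc.myfritz.net", ROUTER_SANS))
```

An "other-endpoint" result means the port 443 forward never reaches Apache, so reissuing or reinstalling the certificate on the server will not change what clients see.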


#6

Thank you so much guys, it was my FritzBox listening to its admin interface…
I really appreciate your quick help, was stuck with this problem for quite some time now^^

Also @JuergenAuer, what site are you using to check the certificate and domain?


#7

It’s my own online tool:

Created because of the questions in this forum.

There are so many different things to check. It’s terrible to always do that manually.

