All domains point to a single certificate


#1

My domains are: ScreamFreely.org (SF), DreamFreely.org (DF), MnActivist.org (MA)

I ran this command: sudo certbot certonly -d screamfreely.org -d www.screamfreely.org

It produced this output: Congratulations! Yet when I visit SF or DF, I receive the following message:

This server could not prove that it is [SF/DF]; its security certificate is from api.mnactivist.org. This may be caused by a misconfiguration or an attacker intercepting your connection.

When I proceed to the website, past the warning, MA is then displayed, instead of SF or DF.

This all went sideways when I updated the system.

Ought I now extend the single certificate to cover all the domains on the Linode?

My web server is (include version): Nginx 1.12.2

The operating system my web server runs on is (include version): Updated Arch Linux 4.14.17-x86_64-linode99

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Thank you.


#2

Hi,

If you are using certonly, you will need to install the ssl to its corresponding config by yourself.

Thank you.


#3

I have now tried

certbot -a webroot -i nginx -d screamfreely.org -d www.screamfreely.org

And get the same result.


#4

Using webroot, you also need to install the certificate by yourself.

Thank you.


#5

This is not correct if you add -i nginx, which asks to use the nginx installer. That would install the resulting certificate in the same way that --nginx would have.


#6

However, the certificate on the Screamfreely site is now working fine for me. So I think the -i nginx worked properly here. Are you seeing something different?


#7

I continue to see the previous error:

This server could not prove that it is screamfreely.org; its security certificate is from api.mnactivist.org. This may be caused by a misconfiguration or an attacker intercepting your connection.

I have cleared my browser cache since “All Time” — ?

Thank you all for your help!


#8

Please use ctrl+F5, refresh the site and try again.

Thank you.

P.S. It’s working fine for me too.


#9

Which browser are you using?


#10

Still not working for me?

I tried using incognito and did the ctrl+F5.


#11

I am using Chromium and Palemoon


#12

I suppose you are trying to reach your domain using IPv6, and that is the reason you get the wrong certificate: you are not configuring your web server properly. Using IPv4 it works fine; your server shows the right cert.

Edit: Just to show you how your nginx is serving different certificates depending on whether you connect using IPv4 or IPv6.

$ echo | openssl s_client -4 -connect screamfreely.org:443 -servername screamfreely.org 2>/dev/null | openssl x509 -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Not Before: Feb 27 16:26:48 2018 GMT
DNS:screamfreely.org, DNS:www.screamfreely.org


$ echo | openssl s_client -6 -connect screamfreely.org:443 -servername screamfreely.org 2>/dev/null | openssl x509 -noout -text | grep -Ei '(Before:|Issuer:|DNS:)' | sed "s/^[ \t]*//"
Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
Not Before: Feb 13 00:03:30 2018 GMT
DNS:api.mnactivist.org, DNS:mnactivist.org, DNS:www.mnactivist.org
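The two openssl one-liners above, folded into a small script (added here as an example; it is not from the thread) that fetches the leaf certificate over IPv4 and over IPv6 for each hostname, extracts the SAN names and reports "missing" when a family serves a certificate that does not cover the host, or "mismatch" when both families answer with different certificates. The SAMPLE_V4/SAMPLE_V6 strings are constructed to mirror the thread's output so the logic can be exercised without network access; the live check needs openssl and outbound 443 over both families.

```shell
#!/bin/sh
# Added diagnostic: compare the certificate a host serves over IPv4 and IPv6.
# Read `openssl x509 -noout -text` on stdin; print the SAN DNS names, sorted.
san_names() {
    grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | sort
}

# Print the SAN names of the leaf certificate host $2 serves over IPv$1 (4 or 6).
fetch_sans() {
    echo | openssl s_client -"$1" -connect "$2:443" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -text 2>/dev/null | san_names
}

# Verdict for host $1 given IPv4 SAN list $2 and IPv6 SAN list $3 (one name per
# line): "missing" = host absent from a list (the browser error in the thread),
# "mismatch" = both families answer with different certs, "ok" otherwise.
verdict() {
    host=$1; v4=$2; v6=$3
    if ! printf '%s\n' "$v4" | grep -qxF "$host" \
       || ! printf '%s\n' "$v6" | grep -qxF "$host"; then
        echo missing; return 1
    fi
    if [ "$v4" != "$v6" ]; then echo mismatch; return 2; fi
    echo ok
}

# Constructed sample of the relevant x509 text lines, mirroring the thread:
# IPv4 answers with the screamfreely names, IPv6 with the mnactivist names.
SAMPLE_V4='    X509v3 Subject Alternative Name:
        DNS:screamfreely.org, DNS:www.screamfreely.org'
SAMPLE_V6='    X509v3 Subject Alternative Name:
        DNS:api.mnactivist.org, DNS:mnactivist.org, DNS:www.mnactivist.org'

# Offline demo over the constructed sample; reproduces the thread's finding.
demo() {
    verdict screamfreely.org "$(printf '%s\n' "$SAMPLE_V4" | san_names)" \
                             "$(printf '%s\n' "$SAMPLE_V6" | san_names)"
}

# Live check of every hostname on the command line, e.g.
#   sh check_certs.sh screamfreely.org www.screamfreely.org dreamfreely.org
live() {
    rc=0
    for h in "$@"; do
        printf '%s: ' "$h"
        verdict "$h" "$(fetch_sans 4 "$h")" "$(fetch_sans 6 "$h")" || rc=1
    done
    return $rc
}
if [ $# -gt 0 ]; then live "$@"; fi
```

A non-zero exit from the live check means at least one hostname is served a certificate over one address family that the other does not present, which is exactly the condition a TLS-SNI or browser check will trip over.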


#13

Ahhh, ok, thank you. This has quickly become a rabbit hole I was unprepared for.

Thank you for the snippet! I will definitely continue investigating the solution!


#14

For dreamfreely.org I am now getting the following error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for dreamfreely.org
tls-sni-01 challenge for www.dreamfreely.org
2018/02/27 14:27:07 [notice] 15162#15162: signal process started
Waiting for verification…
Cleaning up challenges
2018/02/27 14:27:13 [notice] 15174#15174: signal process started
Failed authorization procedure. dreamfreely.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 7c530d72c232e18bdf75855de89a1447.e0c304986cf253cf832694ae2db9733b.acme.invalid from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2 certificate(s), first certificate had names “api.mnactivist.org, mnactivist.org, www.mnactivist.org”, www.dreamfreely.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 1161cee2dbc3202f1de1affa8c95f6fa.fd7d3565be7543697ce4fad0d70922b9.acme.invalid from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2 certificate(s), first certificate had names “api.mnactivist.org, mnactivist.org, www.mnactivist.org

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: dreamfreely.org
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    7c530d72c232e18bdf75855de89a1447.e0c304986cf253cf832694ae2db9733b.acme.invalid
    from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2
    certificate(s), first certificate had names “api.mnactivist.org,
    mnactivist.org, www.mnactivist.org

    Domain: www.dreamfreely.org
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    1161cee2dbc3202f1de1affa8c95f6fa.fd7d3565be7543697ce4fad0d70922b9.acme.invalid
    from [2600:3c00::f03c:91ff:febb:adc4]:443. Received 2
    certificate(s), first certificate had names “api.mnactivist.org,
    mnactivist.org, www.mnactivist.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

Is this again because the server isn’t listening on IPv6 in that configuration?

I think I have one more chance left before I’m rate limited, and so wish to ask before attempting.

Thank you.


#15

This is most likely correct.

The rate limit for failed validations only lasts for an hour, not a week, so it’s not that bad if you fail it. You can also try with --staging to debug the situation first, which doesn’t count against your production rate limit.

