Android browsers have ERR_CERT_COMMON_NAME_INVALID

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: bogend.ca

I ran this command: browsing with chrome or galaxy browser

It produced this output: ERR_CERT_COMMON_NAME_INVALID

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0


Apologies for not having the problem listed.

What seems to be the problem, is that I did not create a wildcard certificate that would handle www when I created "bogend.ca" certificate. I have tried to create a specific certificate for www, but it would not install.

I have now deleted the "bogend.ca" certificate and am trying to create a wildcard "*.bogend.ca" certificate.

If you just need the apex and www names just have them both on one certificate. No need for wildcard and DNS validation. You did not describe the certbot command you used but you would typically just specify both domains in the command like:

-d "bogend.ca,www.bogend.ca"

Your Apache VirtualHost would need to have them both as a name or alias.


Food for thought:

Wildcard certs don't cover apex names.
Because they can only cover names that end with ".example.com"
[notice the "." in the name. "example.com" lacks that leading "." and won't ever match]

So you would have to request a cert with two names on it:
*.example.com
example.com

Also note: Wildcard certs can't be authenticated via HTTP - they require DNS authentication.
DNS authentication requires making TXT record updates to the public DNS zone.
Automating DNS updates requires the DNS Service Provider (DSP) to support updates via API.
The ACME client used must also have an API plugin that supports that particular DSP.

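The matching rule described in the post above, as an added example that is not code from any poster: a wildcard label covers exactly one leftmost DNS label, so "*.example.com" matches "www.example.com" but never the apex "example.com", which is what the browser reports as ERR_CERT_COMMON_NAME_INVALID. The function names and the sample SAN lists below are constructed for illustration.

```python
from typing import List

# Wildcard matching per RFC 6125 section 6.4.3: "*.example.com" matches a
# host with exactly one extra label in front of ".example.com". The leading
# dot is the reason the apex "example.com" is never covered.

def san_matches(hostname: str, san: str) -> bool:
    """Return True if a single DNS SAN entry covers hostname (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    pattern = san.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern            # plain name: exact match only
    suffix = pattern[1:]                  # ".example.com", keeps the leading dot
    if not host.endswith(suffix):
        return False
    left = host[: -len(suffix)]           # the part the wildcard must absorb
    # Exactly one non-empty label: "a.b.example.com" is not covered either.
    return len(left) > 0 and "." not in left


def uncovered_names(wanted: List[str], sans: List[str]) -> List[str]:
    """Names in wanted that no SAN entry covers; browsers reject these."""
    return [h for h in wanted if not any(san_matches(h, s) for s in sans)]


# Constructed sample SAN lists, not real certificates.
WILDCARD_ONLY = ["*.example.com"]
APEX_AND_WWW = ["example.com", "www.example.com"]
WILDCARD_PLUS_APEX = ["*.example.com", "example.com"]
SITE_NAMES = ["example.com", "www.example.com", "mail.example.com"]

if __name__ == "__main__":
    for label, sans in (("wildcard only", WILDCARD_ONLY),
                        ("apex + www", APEX_AND_WWW),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)):
        print(f"{label:16s} leaves uncovered: {uncovered_names(SITE_NAMES, sans)}")
```

The "apex + www" list is the two-name certificate the earlier reply recommends; it covers the two names the original poster needs without DNS validation, while a wildcard-only certificate still fails for the apex.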

Ended up doing a double certificate with bogend.ca and www.bogend.ca.
No wildcard certificates now and each subdomain has its own certificate:
www, mail, webmail, black-widow and the apex.

Thanks for the help.

