Another "certificate name does not match input"

Hello, after following the tutorial to issue a wildcard certificate with Certbot, I have set my NGinx reverse proxy to use this wildcard certificate.
When I try to reach one website (the only one for the time being), I get a warning, with a red message telling me "certificate name does not match input".
I guess I have made a mistake somewhere but I am really new to the subject, and don't want to make more mistakes.
I have read a previous thread here on a similar issue but I am not confident and not sure I have the same issue.

My domain is: ictge.ch

I ran this command:

sudo certbot certonly \
--authenticator certbot-dns-infomaniak:dns-infomaniak \
--certbot-dns-infomaniak:dns-infomaniak-credentials SSLconfig/credentials.ini \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
--rsa-key-size 4096 \
-d 'ictge.ch'

Everything goes well in creating the certificate. I followed the certbot docs here:
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
And I actually host the domain with Infomaniak, so I had to follow the certbot-dns-infomaniak plugin's documentation here:

My web server is (include version): NGinx as reverse proxy v. 1.18.0

The operating system my web server runs on is (include version):

uname -a
Linux srvnginx 5.10.0-14-amd64 #1 SMP Debian 5.10.113-1 (2022-04-29) x86_64 GNU/Linux

My hosting provider, if applicable, is: Infomaniak

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot --version
certbot 1.27.0

When I am trying to reach the website (matt.ictge.ch), I get this warning (issued by Kaspersky, but I guess it would be issued by anything). Note that everything works if I don't use SSL (but it's not the best practice).
ScreenShot 2022-05-19 at 15.36.58

Result of certbot certificates command (in any case)

Found the following certs:
Certificate Name: ictge.ch
Serial Number: 345ca88a28f6c2139eba44c4e469a7b8b53
Key Type: RSA
Domains: ictge.ch
Expiry Date: 2022-08-16 15:25:11+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ictge.ch/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ictge.ch/privkey.pem

I don't know which certbot commands or any other tools could help me to understand and correct my issue. So if someone can bring me the light in my darkness, it would be really appreciated :slight_smile:

Thanks

Your cert is only for the domain name ictge.ch. It is not a wildcard so does not match.

You need to add -d '*.ictge.ch' to your certbot command for the wildcard

2 Likes

Thank you for your answer,
do I have to rerun the entire command? Do I have to delete something before?

It might work better to delete the wrong cert first. Since you are confident you can issue a new one.

sudo certbot delete --cert-name ictge.ch

Then rerun the command with the second -d for the wildcard

1 Like

Note that you don't necessarily need a wildcard if your site doesn't handle any subdomain. If the only site you're trying to secure is matt.ictge.ch, that's the only name you need. And if there are just a few names, like your site hosts ictge.ch and matt.ictge.ch and something-else.ictge.ch, then you can just make a certificate with those three names (use more than one -d argument).

But if you just need any subdomain, then the wildcard will work fine. (And even with just one, it will work, it's just not needed.)

I would probably (since the cert is already installed) just reissue with the same --cert-name and the new domains. Though I don't know that deleting first would be "wrong", just the server might get confused for a bit while its cert files aren't there.

2 Likes

Ok, I have deleted the old certificate and regenerated the new one, replacing ictge.ch with *.ictge.ch.
I have a warning on my credential file:

Unsafe permissions on credentials configuration file: SSLconfig/credentials.ini

The actual rights on this file are -rw-r--r-- root root. What would be the best practice?

Thanks

Thanks for your notice. I am actually trying to make it work with one server, but the goal is to serve any subdomains as you said, so I thought it was easier to use a wildcard.

1 Like

You know, my eye skipped over the word "wildcard" in your original post. Forget everything I said. :slight_smile:

One thing to be aware of that sometimes trips people up, though, is that the wildcard is only for the subdomains. So if you're also hosting on the non-subdomained ictge.ch, then you want a certificate with both names: ictge.ch and *.ictge.ch.

3 Likes
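The two replies above (a single-name cert does not cover a subdomain, and a wildcard does not cover the apex) come down to the browser's name-matching rule. The following is an added shell example, not from the thread, that applies that rule to a constructed SAN list; the SANs of a live Certbot cert can be listed with `openssl x509 -in /etc/letsencrypt/live/ictge.ch/fullchain.pem -noout -ext subjectAltName`.

```shell
#!/bin/sh
# Added example (not from the thread): does a certificate's SAN list
# cover a hostname? A wildcard's "*" covers exactly one DNS label, so
# "*.ictge.ch" covers matt.ictge.ch but neither ictge.ch nor a.b.ictge.ch.

# name_matches HOST SAN -> 0 if the single SAN covers HOST
name_matches() {
  host="$1"; san="$2"
  case "$san" in
    "$host")
      return 0 ;;                        # exact match
    "*."*)
      suffix="${san#\*.}"                # "ictge.ch" for "*.ictge.ch"
      label="${host%."$suffix"}"         # strip ".ictge.ch" from the host
      # host must end in ".suffix" (strip changed it), and what is left
      # must be exactly one non-empty label (no remaining dot)
      [ "$label" != "$host" ] && [ -n "$label" ] \
        && [ "${label#*.}" = "$label" ] && return 0
      ;;
  esac
  return 1
}

# cert_covers HOST SAN... -> 0 if any SAN in the list covers HOST
cert_covers() {
  host="$1"; shift
  for san in "$@"; do
    name_matches "$host" "$san" && return 0
  done
  return 1
}
```

Running `cert_covers matt.ictge.ch ictge.ch` reproduces the original poster's failure (status 1), while `cert_covers ictge.ch '*.ictge.ch' ictge.ch` shows why both names are needed when the apex is served too.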

No, not replacing, adding *.ictge.ch

3 Likes

Maybe -rw------- ? Only you know best though

2 Likes

I re-deleted and retyped the command:

certbot certonly \
--authenticator certbot-dns-infomaniak:dns-infomaniak \
--certbot-dns-infomaniak:dns-infomaniak-credentials SSLconfig/credentials.ini \
--server https://acme-v02.api.letsencrypt.org/directory \
--agree-tos \
--rsa-key-size 4096 \
-d '*.ictge.ch' -d 'ictge.ch'

I still get the problem here.
Could you have a try from your browser and tell me if you get the SSL warning too?

Sorry, I forgot to reload nginx :grimacing:
Everything works fine now, many thanks!

3 Likes

You may want to add a --deploy-hook to reload nginx for you, so that future automatic renewals also include that step.

Congratulations on getting secured!

4 Likes
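One way to implement the suggested --deploy-hook, as an added example that is not from the thread: a script dropped into /etc/letsencrypt/renewal-hooks/deploy/ that Certbot runs once after each successful renewal with RENEWED_LINEAGE and RENEWED_DOMAINS set. It validates the nginx config before reloading, so a broken config found at renewal time does not take the proxy down; the zone name and the reload commands are assumptions for this example.

```shell
#!/bin/sh
# Added example deploy hook (not from the thread). Certbot sets
# RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/ictge.ch) and
# RENEWED_DOMAINS (space-separated names) before running it.
# Commands are overridable so the script can be exercised without nginx.
TEST_CMD="${TEST_CMD:-nginx -t}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload nginx}"

# needs_reload ZONE DOMAIN... -> 0 if any renewed name belongs to ZONE
# (the apex, the wildcard, or any subdomain), so unrelated lineages on the
# same host do not trigger a reload.
needs_reload() {
  zone="$1"; shift
  for d in "$@"; do
    case "$d" in
      "$zone"|"*.$zone"|*."$zone") return 0 ;;
    esac
  done
  return 1
}

# deploy -> 0 if nginx was reloaded or no reload was needed, 1 if the
# config test failed (the old cert stays in use until an operator looks).
deploy() {
  needs_reload ictge.ch $RENEWED_DOMAINS || return 0   # assumed zone
  if $TEST_CMD; then
    $RELOAD_CMD
  else
    echo "deploy hook: nginx config test failed, not reloading" >&2
    return 1
  fi
}
```

Hooks in that directory can be exercised end to end with `certbot renew --dry-run`, which runs deploy hooks against the staging renewal.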

Yeah, or they could just schedule a reload daily (or every few days even) to pick up the latest cert obtained. A reload is not disruptive, unlike a restart.

3 Likes
