Certbot challenge produces wrong Subject

Hello everyone,

I have a FreeBSD server (IP 4711) on which I host several domains and use Let's encrypt certificates (https) without any problems. Under the FreeBSD server I have a guest FreeBSD server OS (IP 4712) running on a virtual machine and want to run the subdomain test.vogelfotografie.de via the Apache web server in this virtual machine.

Therefore I applied today for a let's encrypt certificate for test.vogelfotografie.de. Allegedly the application procedure was successful.

"certbot certificates" shows:
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:

Certificate Name: asp-services.de
Serial Number: 469966fefafc772b334e48c6bf37f5cd201
Key Type: ECDSA
Domains: www.asp-services.de asp-services.de mail.asp-services.de
Expiry Date: 2023-09-20 05:49:51+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/asp-services.de/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/asp-services.de/privkey.pem

Certificate Name: test.vogelfotografie.de
Serial Number: 31e43e0f7d4db18b74b9e9b6b0bff83....
Key Type: ECDSA
Domains: test.vogelfotografie.de
Expiry Date: 2023-09-20 08:14:54+00:00 (VALID: 89 days)
Certificate Path: /usr/local/etc/letsencrypt/live/test.vogelfotografie.de/fullchain.pem
Private Key Path: /usr/local/etc/letsencrypt/live/test.vogelfotografie.de/privkey.pem

But, if I use a browser https://test.vogelfotografie.de, it tells me that the connection is insecure:

Firefox shows:

Websites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for. The certificate is only valid for the following names: asp-services.de, mail.asp-services.de, www.asp-services.de

Error code: SSL_ERROR_BAD_CERT_DOMAIN

When I click on "More information", I get the following.

It is not clear to me why the domains asp-services.de, mail.asp-services.de and www.asp-services.de appear there instead of test.vogelfotografie.de, which I serve on the same virtual machine and have also provided with a let's encrypt certificate.

Mouse-click on certificate:

Subject name: asp-services.de
Issuer name: Let's Encrypt
Validity: Not Before Thu, 22 Jun 2023 05:49:52 GMT / Not After Wed, 20 Sep 2023 05:49:51 GMT
Subject Alt Name: DNS Name asp-services.de, DNS Name mail.asp-services.de, DNS Name www.asp-services.de

Is it possible that domains and subdomains are not allowed to run over different IP addresses if you want to use Let's Encrypt certificates?

Does anyone have an idea why, despite explicitly including the generated certificates for test.vogelfotografie.de, the connection is always insecure?

Kind regards
letsencrypttestit


My domain is: test.vogelfotografie.de
My web server is (include version): Apache 2.4

The operating system my web server runs on is (include version): FreeBSD 13.1
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know): y
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.6.0

It entirely comes down to your Apache configuration, how you have split up your domains between each <VirtualHost>.

One VirtualHost can only map to one certificate, using the SSLCertificate directive.

If test.vogelfotografie.de is a separate VirtualHost to the other domains, then it should have its own certificate.

If test.vogelfotografie.de is in the same VirtualHost as the other domains, then you need to have one certificate that covers every domain, including this one.

At present, it looks like you have two separate certificates, but no separate VirtualHost for test.vogelfotografie.de.
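The situation described in this reply, as an added illustration (not the poster's actual ssl.conf): the certificate paths are the ones certbot printed above, the DocumentRoot values are assumed.

```apache
# BEFORE (assumed): only one *:443 VirtualHost exists. Apache picks the vhost by the
# SNI name the client sends; a name that matches no ServerName/ServerAlias falls
# back to the FIRST vhost defined for that address:port, so test.vogelfotografie.de
# is answered with the asp-services.de certificate -> SSL_ERROR_BAD_CERT_DOMAIN.
<VirtualHost *:443>
    ServerName  www.asp-services.de
    ServerAlias asp-services.de mail.asp-services.de
    DocumentRoot /usr/local/www/asp-services.de      # assumed path
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/letsencrypt/live/asp-services.de/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/asp-services.de/privkey.pem
</VirtualHost>

# AFTER: one VirtualHost per certificate. Each SNI name now lands on a vhost whose
# certificate's Subject Alt Name list actually covers that name.
<VirtualHost *:443>
    ServerName  www.asp-services.de
    ServerAlias asp-services.de mail.asp-services.de
    DocumentRoot /usr/local/www/asp-services.de      # assumed path
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/letsencrypt/live/asp-services.de/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/asp-services.de/privkey.pem
</VirtualHost>

<VirtualHost *:443>
    ServerName  test.vogelfotografie.de
    DocumentRoot /usr/local/www/test.vogelfotografie.de   # assumed path
    SSLEngine on
    SSLCertificateFile    /usr/local/etc/letsencrypt/live/test.vogelfotografie.de/fullchain.pem
    SSLCertificateKeyFile /usr/local/etc/letsencrypt/live/test.vogelfotografie.de/privkey.pem
</VirtualHost>
```

After reloading, `apachectl -S` should list a separate `*:443` entry for test.vogelfotografie.de pointing at its own conf file; if the name is missing there, requests for it will still be served by the first vhost's certificate.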


Unrelated to your point, but worth a mention:

Of a particular "type", yes.

But I do this without fail:

 SSLCertificateFile      conf/ecc.public.key
 SSLCertificateKeyFile   conf/ecc.private.key
 SSLCertificateFile      conf/rsa.public.key
 SSLCertificateKeyFile   conf/rsa.private.key

How did you do that exactly?

What was the exact output?

It seems you have chosen to delete some of the questions of the questionnaire, especially the command ran and its output. Please don't do that.


Many thanks to all the authors of the previous posts and tips! It will not have been due to a duplicate section, as the result of apachectl -S below shows.

I finally copied the ssl.conf of asp-services.de and adapted it to the other domain, renewed the certificate with certbot and since then everything works as usual!

apachectl -S
VirtualHost configuration:
Server:80 test.vogelfotografie.de (/usr/local/etc/apache24/sites-available/test.vogelfotografie.de.ssl.conf:1)
Server:443 test.vogelfotografie.de (/usr/local/etc/apache24/sites-available/test.vogelfotografie.de.ssl.conf:12)
Server4:80 www.asp-services.de (/usr/local/etc/apache24/sites-available/asp-services.de.ssl.conf:1)
Server4:443 www.asp-services.de (/usr/local/etc/apache24/sites-available/asp-services.de.ssl.conf:12)
ServerRoot: "/usr/local"
Main DocumentRoot: "/usr/local/www/apache24/data"
Main ErrorLog: "/var/log/httpd-error.log"
Mutex ssl-stapling-refresh: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www" id=80
Group: name="www" id=80

Kind regards
letsencrypttestit

