Certbot created certificate with wrong common name

mark-hahn · February 25, 2018, 4:58am

My domain is: hahnca.com
I ran this command: certbot --nginx
It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): mark@hahnca.com
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: a

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: n

Which names would you like to activate HTTPS for?
-------------------------------------------------------------------------------
1: hahnca.com
-------------------------------------------------------------------------------
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for hahnca.com
Waiting for verification...
Cleaning up challenges
Deployed Certificate to VirtualHost /etc/nginx/conf.d/server.conf for hahnca.com

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

-------------------------------------------------------------------------------
Congratulations! You have successfully enabled https://hahnca.com

My web server is (include version): nginx/1.10.3 (Ubuntu)

The operating system my web server runs on is (include version): ubuntu 16.04

My hosting provider, if applicable, is: self-hosted

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

When running the test at https://www.ssllabs.com/ssltest/analyze.html?d=hahnca.com I got this …

Server Key and Certificate #1
Subject	GreenWave Systems 
Fingerprint SHA256: e990e21ab1e2d5fe2cd6166b4ccafa2471b6226a97864d8a5cfef52424a3ffb5
Pin SHA256: ZVnMZQk0/WpSZAQOcZ3lTBAhYN62hlBpQSVLfd8SvBs=
Common names	GreenWave Systems
Alternative names	-   INVALID
Serial Number	00f52861ccf6173951
Valid from	Fri, 02 Oct 2015 05:49:58 UTC
Valid until	Mon, 29 Sep 2025 05:49:58 UTC (expires in 7 years and 7 months)
Key	RSA 2048 bits (e 65537)
Weak key (Debian)	No
Issuer	GreenWave Systems   Self-signed 
Signature algorithm	SHA512withRSA
Extended Validation	No
Certificate Transparency	No
OCSP Must Staple	No
Revocation information	None 
DNS CAA	No (more info)
Trusted	No   NOT TRUSTED (Why?)

I have never heard of GreenWave Systems. This is a clean install. I had nothing referencing SSL in my nginx config. I had no previous certs.

What should I do now? I am afraid to delete this cert as I might end up screwing things up.

Edit: I just realized my router was not set to forward port 443. I have fixed that now but I’m still getting the same test results. Doesn’t certbot access my 443 port as part of the cert creation or testing? I guess not. I’ll try deleting the cert and starting over. Wish me luck …

mnordhoff · February 25, 2018, 5:10am

Deleting it won't help anything.

mark-hahn · February 25, 2018, 5:11am

So how do I replace the bad cert?

mnordhoff · February 25, 2018, 5:14am

That's very definitely not a certificate created by Let's Encrypt.

Greenwave Systems seems to be an IoT software company.

According to its Server header, https://hahnca.com/ is running Lighttpd 1.4.38, and the web page is entitled "Frontier Router".

I guess it's the modem or router's web interface, and it may not be doing any port forwarding at all.

So you need to solve the port forwarding problem -- perhaps by using a different port.

The Let's Encrypt certificate exists and doesn't need to be replaced.

HTTP-01 validation makes an HTTP request on port 80. (Though it will follow a redirect to HTTPS, if the server responds with one.)

Port 80 evidently is forwarded to your Nginx server.

mark-hahn · February 25, 2018, 5:19am

That is what happened before I fixed the port forwarding. Try again. The message "error: hahnca.com is not a valid address." is a dummy message. When you see that it is all working.

Hmmm. Then where could it have come from? Why did certbot link nginx conf to it? My use of certbot was the simplest possible.

What should I do now? Why did you say deleting the cert wouldn't help?

BTW: Thanks for your very rapid help.

mnordhoff · February 25, 2018, 5:35am

I have tried again, and it's still showing the Frontier/GreenWave/Lighttpd page.

Most likely, the port isn't being forwarded to Nginx.

Less likely, Nginx has a second virtual host.

You can run "nginx -T" to display Nginx's entire configuration and make sure there isn't another HTTPS server block.

If the problem is that the port isn't forwarded to Nginx, the port forwarding needs to be adjusted.

If the problem is that Nginx is configured in a way that Certbot wasn't able to reconfigure as it was supposed to, the Nginx configuration needs to be adjusted (and possibly a Certbot bug should be filed).

mark-hahn · February 25, 2018, 5:40am

Update: I think it is working now even though online tests say it isn’t.

From my local chrome browser https://hahnca.com/ is working and being reported as secure. When using the security tab in the inspector I see the proper cert (see end of post).

I’m thinking the greenwave cert was somehow being served from my FIOS router. But a router serving a self-signed cert is beyond comprehension.

I’ve tried three different SSL testers on the web and all are still giving the old greenwave systems cert and the mismatch error. It is as if the SSL testing for all these services is being cached somewhere but I can’t imagine where. I’ve cleared the cache at ssllabs several times.

Can you do me one last favor and try https://hahnca.com again? Thanks in advance.

------ FYI: My working cert as shown by chrome ------

This certificate has been verified for the following usages:
SSL Server Certificate

Issued To
Common Name (CN)	hahnca.com
Organization (O)	<Not Part Of Certificate>
Organizational Unit (OU)	<Not Part Of Certificate>

Issued By
Common Name (CN)	Let's Encrypt Authority X3
Organization (O)	Let's Encrypt
Organizational Unit (OU)	<Not Part Of Certificate>
Validity Period

Issued On	Saturday, February 24, 2018 at 7:12:32 PM
Expires On	Friday, May 25, 2018 at 8:12:32 PM

mark-hahn · February 25, 2018, 5:58am

I understand everything. I will quit bothering everyone now.

Greenwave Systems has software in the Verizon FIOS routers. Apparently their self-signed certificate is used for any https access to the router. When there was no port-forwarding for 443 the https request was seen as an access to the router.

Access to my site and cert is now working from everywhere except for online SSL testing sites. Very weird.

mnordhoff · February 25, 2018, 6:26am

I still get the Frontier/GreenWave/Lighttpd page.

mark-hahn · February 25, 2018, 7:18am

Thanks again. You must have the page cached. It’s working from my cellphone.

mnordhoff · February 25, 2018, 7:20am

No, I don’t have the page cached.

alento · February 25, 2018, 10:30am

I too am getting the incorrect certificate. That was my first and only visit so no caching issue is possible on my end.

mark-hahn · February 25, 2018, 11:33am

Can you two (and anyone else) please verify it is fixed now? Go to https://hahnca.com. The response should be error: hahnca.com is not a valid address.. That’s a dummy message that means it worked.

The online testers all work now and most importantly my server can now provide a web service to amazon for alexis.

There were two things wrong in the FIOS router. Both involved the router intercepting my 443 port traffic and sending the greenwave cert. Adding port 443 port forwarding to my server fixed the problem for many browsers, but not for people on this forum.

In order to completely fix it I had to find a somewhat hidden setting that specifies what port to use for https access when remotely managing the router. It was set to 443 which makes sense. But this use of 443 should have only affected attempts to remotely manage the server. There is a specific URL for that.

Oh well, all is well now. thanks again and thanks in advance for testing again.

jmorahan · February 25, 2018, 1:41pm

I see the expected dummy message now

alento · February 25, 2018, 4:10pm

I also see the expected message and am served the correct certificate.

mark-hahn · February 25, 2018, 9:05pm

Thanks to all (except to greenwave systems and their router sw).

system · March 27, 2018, 9:06pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.