Certificate information does not display the information of the master certificate

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is : Democrasite.com

It produced this output : “benjaminbruneau.fr” as cert owner

My web server is (include version): Debian 8

I can login to a root shell on my machine : yes

certbot-auto

Hello everyone, I have a little problem with my certs. I have a main cert ok with certs attached because they are on my server. But when I display the information of the owner in a browser, it is not my "master-domain" that appears as owner but a sub-cert! How can I fix that? Thank you

#2

Hi @kameleon1er

short answer: It’s not a bug, it’s a feature.

Better answer. Checking your domain there is the following Letsencrypt certificate ( https://check-your-website.server-daten.de/?q=democrasite.com ):

CN=benjaminbruneau.fr
10.02.2019 - 11.05.2019, expires in 45 days
benjaminbruneau.fr, democrasite.com, dev.lucifart.com, espace-oppidum.com, ianpatrickimages.com, kameleon.fr, lucifart.com, surfgonflable.com - 8 entries

That’s a SAN certificate, a Subject Alternate Name - Certificate = the certificate has more than one domain name.

But a certificate can have only one CN (CommonName), the CN is benjaminbruneau.fr.

It’s not really relevant, because it’s only one of these 8 domain names.

If you want to change it, you must

  • create one certificate per domain name
  • create one vHost per domain name, because one vHost can only use one certificate

But there is another error you should fix:

| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| http://democrasite.com/ 163.172.131.140 | 301 | https://democrasite.com/ | 0.063 | A |
| http://www.democrasite.com/ 163.172.131.140 | 301 | https://www.democrasite.com/ | 0.054 | A |
| https://www.democrasite.com/ 163.172.131.140 | 301 | https://democrasite.com/ | 1.670 | N |
| Certificate error: RemoteCertificateNameMismatch | | | | |
| https://democrasite.com/ 163.172.131.140 | 200 | | 0.740 | B |

Your www version uses the same certificate, but the certificate doesn’t have the www domain name. So your www version isn’t secure. That’s something you should change.
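
The two findings in the answer above, reproduced as an added example that is not part of the original post: a client accepts a certificate when the requested hostname matches an entry in the SAN list, and the subject CN is not what decides that. The SAN entries and CN are copied from the listing quoted above; the function names are hypothetical, and the mismatch label is reused from the quoted check output.

```python
# Added example: hostname matching against a certificate's SAN list.
# SAN entries and CN are taken from the certificate listing quoted in the thread.
SAN = [
    "benjaminbruneau.fr", "democrasite.com", "dev.lucifart.com",
    "espace-oppidum.com", "ianpatrickimages.com", "kameleon.fr",
    "lucifart.com", "surfgonflable.com",
]
SUBJECT_CN = "benjaminbruneau.fr"


def _entry_matches(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a hostname, case-insensitively.

    A wildcard is honoured only as the complete left-most label and
    stands for exactly one non-empty label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def covers(hostname: str, san: list[str]) -> bool:
    """True if any SAN entry matches; the subject CN is never consulted."""
    return any(_entry_matches(entry, hostname) for entry in san)


def report(hostnames, san=SAN, cn=SUBJECT_CN):
    """Return {hostname: (verdict, hostname_is_cn)} for each requested name."""
    out = {}
    for name in hostnames:
        verdict = "ok" if covers(name, san) else "RemoteCertificateNameMismatch"
        out[name] = (verdict, name.lower() == cn)
    return out


if __name__ == "__main__":
    names = ["democrasite.com", "www.democrasite.com", "benjaminbruneau.fr"]
    for host, (verdict, is_cn) in report(names).items():
        print(f"{host:22} {verdict:30} CN={'yes' if is_cn else 'no'}")
```

democrasite.com validates although it is not the CN, while www.democrasite.com fails because no SAN entry covers it.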

#3

Hello Juergen, thank you for your help … So I had to do something wrong, because I have a vhost per domain configured on the machine. I had to use the CertBot command to “extend” the list of domains and not to create a cert per domain. What do you think?

#4

Each time that you run Certbot, it creates one certificate. However, it might potentially install that same certificate into multiple Apache virtualhost configurations.

So if you use certbot -d example.com -d example.net, you get one certificate that covers both names, but which could then be installed into the two separate virtualhosts for example.com and example.net (assuming that two separate virtualhosts exist in your Apache configuration).

If you want to get separate certificates where the individual names are on individual certificates, you would need to run Certbot once per name:

certbot -d example.com
certbot -d example.net

#5

Hi Schoen, guys you rock !! I think it’s ok now ? : https://check-your-website.server-daten.de/?q=democrasite.com

When I look at “check your website” and its scary page, I feel like being naked oO

#6

Both are possible. One certificate with different domains (Cloudflare creates certificates with 30 - 50 domain names - non-www and www) and one certificate per domain (non-www and www, perhaps some subdomains).

First version -> the CN doesn’t match
Second version -> CN = domain name

Now you have a Grade B, that’s very good.