Certificate is not for the chosen domain

Hi @JasonLeung,

Using the online tool Let's Debug yields these results: https://letsdebug.net/13swiftie.com/1982086

MultipleIPAddressDiscrepancy
WARNING
13swiftie.com has multiple IP addresses in its DNS records. While they appear to be accessible on the network, we have detected that they produce differing results when sent an ACME HTTP validation request. This may indicate that some of the IP addresses may unintentionally point to different servers, which would cause validation to fail.
[Address=104.17.232.29,Address Type=IPv4,Server=cloudflare,HTTP Status=409] vs [Address=35.215.82.148,Address Type=IPv4,Server=nginx,HTTP Status=404]
UnexpectedHttpResponse
WARNING
Sending an ACME HTTP validation request to 13swiftie.com results in unexpected HTTP response 409 Conflict. This indicates that the webserver is misconfigured or misbehaving.
409 Conflict

(The 409 response body is a Cloudflare error page; only its visible text is kept here.)

Error 1001
Ray ID: 88a1bef968268d88 • 2024-05-27 00:04:09 UTC
DNS resolution error

What happened?
You've requested a page on a website (13swiftie.com) that is on the Cloudflare network. Cloudflare is currently unable to resolve your requested domain (13swiftie.com). There are two potential causes of this:
Most likely: if the owner just signed up for Cloudflare it can take a few minutes for the website's information to be distributed to our global network.
Less likely: something is wrong with this site's configuration. Usually this happens when accounts have been signed up with a partner organization (e.g., a hosting provider) and the provider's DNS fails.

Cloudflare Ray ID: 88a1bef968268d88 • Your IP: 65.21.146.168 • Performance & security by Cloudflare


Trace:
@0ms: Making a request to http://13swiftie.com/.well-known/acme-challenge/letsdebug-test (using initial IP 104.17.232.29)
@0ms: Dialing 104.17.232.29
@8ms: Server response: HTTP 409 Conflict

Testing and debugging are best done using the Staging Environment as the Rate Limits are much higher.
As you can see 3 of 5 weekly certificates

Edit:

Note there is no issued certificate that covers both 13swiftie.com and www.13swiftie.com

Here is a list of issued certificates (crt.sh | 13swiftie.com), the latest being 2024-05-26.

This is interesting: the Content-Length is way different between these 2 requests; the second one is what one from Let's Encrypt would look like.

$ curl -Ii http://13swiftie.com/.well-known/acme-challenge/sometestfile
HTTP/1.1 409 Conflict
Date: Mon, 27 May 2024 00:12:04 GMT
Content-Type: text/plain; charset=UTF-8
Content-Length: 16
Connection: close
X-Frame-Options: SAMEORIGIN
Referrer-Policy: same-origin
Cache-Control: private, max-age=0, no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Expires: Thu, 01 Jan 1970 00:00:01 GMT
Server: cloudflare
CF-RAY: 88a1ca8dd920ef4f-PDX
$ curl -Ii http://13swiftie.com/.well-known/acme-challenge/sometestfile -A "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 27 May 2024 00:12:06 GMT
Content-Type: text/html
Content-Length: 83800
Connection: keep-alive
Vary: Accept-Encoding
ETag: "655b1984-14758"
Host-Header: 8441280b0c35cbc1147f8ba998a563a7
X-Proxy-Cache-Info: DT:1

This looks like you have some geo blocking: Permanent link to this check report
And further geo blocking issues: Website Uptime and Availability of 13swiftie.com at 26 May 2024 05:16:27 PM : Site24x7 Tools

For geo blocking:
Please read these:

For general nginx information you might find nginx documentation and https://forum.nginx.org/ helpful.

Edit

Presently the certificate being served is this certificate chain:
https://decoder.link/sslchecker/13swiftie.com/443
https://decoder.link/sslchecker/www.13swiftie.com/443

$ openssl s_client -showcerts -servername 13swiftie.com -connect 13swiftie.com:443 < /dev/null
CONNECTED(00000003)
depth=0 C = BG, ST = Bulgaria, L = Sofia, O = SiteGround, OU = Operations Dept., CN = example.com
verify error:num=18:self-signed certificate
verify return:1
depth=0 C = BG, ST = Bulgaria, L = Sofia, O = SiteGround, OU = Operations Dept., CN = example.com
verify return:1
---
Certificate chain
 0 s:C = BG, ST = Bulgaria, L = Sofia, O = SiteGround, OU = Operations Dept., CN = example.com
   i:C = BG, ST = Bulgaria, L = Sofia, O = SiteGround, OU = Operations Dept., CN = example.com
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 16 14:15:14 2018 GMT; NotAfter: Aug 13 14:15:14 2028 GMT
 1 s:C = BG, ST = Bulgaria, L = Sofia, O = VerySecureCA, CN = VerySecureCA ROOT Certificate X1
   i:C = BG, ST = Bulgaria, L = Sofia, O = VerySecureCA, CN = VerySecureCA ROOT Certificate X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 16 14:15:14 2018 GMT; NotAfter: Aug 13 14:15:14 2028 GMT
---
Server certificate
subject=C = BG, ST = Bulgaria, L = Sofia, O = SiteGround, OU = Operations Dept., CN = example.com
issuer=C = BG, ST = Bulgaria, L = Sofia, O = SiteGround, OU = Operations Dept., CN = example.com
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: ECDH, secp384r1, 384 bits
---
SSL handshake has read 2582 bytes and written 775 bytes
Verification error: self-signed certificate
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 18 (self-signed certificate)
---
DONE
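As an added example (not code from the post, from Let's Debug or from Let's Encrypt), this Python reproduces the two warnings quoted above: it sends the ACME HTTP-01 request to every address of the name separately, using the Let's Encrypt User-Agent quoted in the curl command, and reports when the addresses disagree or answer with something other than 200/404. The sample responses are constructed from the two curl outputs in the post, and treating only 200 and 404 as healthy for a non-existent token is my assumption.

```python
import http.client
import socket

# User-Agent Let's Encrypt's validator sends, as quoted in the curl command in the post.
LE_UA = "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

def parse_head_response(raw):
    """Parse a raw 'curl -I' style response into {"status": int, "headers": {name: value}}."""
    lines = raw.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": int(lines[0].split()[1]), "headers": headers}

def http_probe(ip, host, token, user_agent=LE_UA, timeout=5):
    """Live HEAD request to one address, forcing Host so each A record is tested on its own."""
    conn = http.client.HTTPConnection(ip, 80, timeout=timeout)
    conn.request("HEAD", "/.well-known/acme-challenge/" + token,
                 headers={"Host": host, "User-Agent": user_agent})
    resp = conn.getresponse()
    return {"status": resp.status, "headers": {k.lower(): v for k, v in resp.getheaders()}}

def resolve_all(host):
    """Every address in DNS for host; the discrepancy warning needs more than one."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)})

def find_discrepancies(results):
    """results maps address -> parsed response; mirrors the two Let's Debug warnings."""
    warnings = []
    summary = {ip: (r["status"], r["headers"].get("server", "?")) for ip, r in results.items()}
    if len(set(summary.values())) > 1:
        pairs = " vs ".join(f"[Address={ip},Server={srv},HTTP Status={code}]"
                            for ip, (code, srv) in summary.items())
        warnings.append("MultipleIPAddressDiscrepancy: " + pairs)
    for ip, (code, _) in summary.items():
        # Assumption: for a token that does not exist 404 is healthy (200 if a file is there);
        # anything else, such as the 409 here or a 403 from geo blocking, breaks validation.
        if code not in (200, 404):
            warnings.append(f"UnexpectedHttpResponse: {ip} returned {code}")
    return warnings

# Constructed sample built from the two curl responses in the post, so demo() runs offline.
SAMPLE = {"104.17.232.29": "HTTP/1.1 409 Conflict\nContent-Length: 16\nServer: cloudflare\n",
          "35.215.82.148": "HTTP/1.1 404 Not Found\nServer: nginx\nContent-Length: 83800\n"}

def demo():
    return find_discrepancies({ip: parse_head_response(raw) for ip, raw in SAMPLE.items()})
```

For a live run, feed `{ip: http_probe(ip, host, token) for ip in resolve_all(host)}` to `find_discrepancies` instead of the constructed sample.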