Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: jick.net (and several others with the same IP address)
It produced this output: "Certificate name mismatch" plus a lot more details
My web server is (include version): apache2 (2.4.52-1ubuntu4)
The operating system my web server runs on is (include version): System76 Pop!_OS 22.04
My hosting provider, if applicable, is: I own my own server.
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No. "In the Beginning... was the Command Line."
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0
Several years ago I clumsily set up a certificate for all the domains I manage on one IP address. The main domain [jick.net] (which apache2 serves up from /var/www/html) has numerous subdirectories, several of which are symlinked to trees for the other domains. All the symlinked trees work fine with SSL, but jick.net gets bad reports every time, and has consequently been blacklisted! I tried moving the other trees to their own separate directories and symlinking them directly (so that they are no longer explicit subdirectories of jick.net) but that changed nothing. I'm wondering if I should delete the existing certificate and get two new ones: one for jick.net and another for the rest. Is there a way to revise the domain list for an existing cert?
I don't know if that will "fix" the problem (one that I still don't understand) but it can be done.
You can even get individualized certs - one for each domain.
Start by reviewing the FQDNs covered by your existing certs: certbot certificates
Oh, and since you are using Apache, I would double check that it isn't allowing misconfigurations to go unnoticed.
Review the output of: apachectl -t -D DUMP_VHOSTS
Aha. A long time ago I tried using a self-signed cert, as I thought one had to pay $$ for a LE cert. Maybe it's still rattling around in there somewhere. How do I get rid of it? Could this be causing the following mixup?
# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
alias www.free-ideas.org
...and several others...
*:80 is a NameVirtualHost
default server free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
alias www.free-ideas.org
...
port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
alias www.jick.net
...and the same others.
(For reasons unknown to me, the combined cert from LE is named for the least important of my domains, rather than for jick.net)
Note: I am not trying to blame LE for any of this; it's my ignorance at fault. Please enlighten me!!
This configuration file probably (but not certainly) contains an SSLCertificateFile pointing to your self-signed certificate.
There probably is also a "port 443 namevhost" for jick.net somewhere in between those others pointing to the file /etc/apache2/sites-enabled/jick.net-le-ssl.conf.
# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443 is a NameVirtualHost
default server jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
alias www.free-ideas.org
port 443 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca-le-ssl.conf:2)
alias www.jick.ca
port 443 namevhost jick.net (/etc/apache2/sites-enabled/jick.net-le-ssl.conf:2)
alias www.jick.net
port 443 namevhost musr.net (/etc/apache2/sites-enabled/musr.net-le-ssl.conf:2)
alias www.musr.net
port 443 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org-le-ssl.conf:2)
alias www.opeer.org
*:80 is a NameVirtualHost
default server free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
alias www.free-ideas.org
port 80 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca.conf:1)
alias www.jick.ca
port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
alias www.jick.net
port 80 namevhost musr.net (/etc/apache2/sites-enabled/musr.net.conf:1)
alias www.musr.net
port 80 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org.conf:1)
alias www.opeer.org
port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
alias www.free-ideas.org
port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
alias www.free-ideas.org
port 80 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca.conf:1)
alias www.jick.ca
port 443 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca-le-ssl.conf:2)
alias www.jick.ca
port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
alias www.jick.net
port 443 namevhost jick.net (/etc/apache2/sites-enabled/jick.net-le-ssl.conf:2)
alias www.jick.net
port 80 namevhost musr.net (/etc/apache2/sites-enabled/musr.net.conf:1)
alias www.musr.net
port 443 namevhost musr.net (/etc/apache2/sites-enabled/musr.net-le-ssl.conf:2)
alias www.musr.net
port 80 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org.conf:1)
alias www.opeer.org
port 443 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org-le-ssl.conf:2)
alias www.opeer.org
This one is left all alone...
port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
"...just change the servername to something unique..." In the /etc/apache2/sites-enabled/default-ssl.conf file?
Does "something unique" need to be an actual FQDN? Perhaps I could use something like "test.jick.net"?
Um... Unlike all the other .conf files, /etc/apache2/sites-enabled/default-ssl.conf does not refer to servername anywhere. So how did it get assigned to jick.net??
It does have
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-- if I comment those out (and NOT delete the old snakeoil files) that may break SSL, but at least it is reversible.
Alas, my understanding is decreasing.
Don't do anything of the sort.
Just add a line with: servername blah
[NOT using a real FQDN]
Yes, it picked up the name from the name assigned within the main http section.
[which is bad practice - the server should NOT be called by a name that it will be servicing]
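To spot the shadowing discussed in this thread (two "namevhost jick.net" entries on port 443, of which Apache serves only the first, here the one from default-ssl.conf with the snakeoil cert), the following added example parses DUMP_VHOSTS output and reports which file wins; it is not code from the thread, and the sample dump is constructed from the output quoted above.

```python
"""Flag shadowed name-based vhosts in `apachectl -t -D DUMP_VHOSTS` output.
Apache serves the FIRST vhost on an address:port whose ServerName or alias
matches the requested name; a later vhost with the same name is never used."""
import re
from collections import defaultdict

# Constructed sample, trimmed from the dump quoted in the thread above.
SAMPLE = """\
VirtualHost configuration:
*:443 is a NameVirtualHost
  default server jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
  port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
  port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
    alias www.free-ideas.org
  port 443 namevhost jick.net (/etc/apache2/sites-enabled/jick.net-le-ssl.conf:2)
    alias www.jick.net
*:80 is a NameVirtualHost
  port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
    alias www.free-ideas.org
  port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
    alias www.jick.net
"""

VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+)\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_dump(text):
    """Return {port: [(name, config_location), ...]} in declaration order;
    alias lines are attached to the namevhost that precedes them."""
    vhosts, current = defaultdict(list), None
    for line in text.splitlines():
        if m := VHOST_RE.match(line):
            port, name, cfg = m.groups()
            current = (port, cfg)
            vhosts[port].append((name, cfg))
        elif (m := ALIAS_RE.match(line)) and current:
            vhosts[current[0]].append((m.group(1), current[1]))
    return dict(vhosts)


def shadowed_names(vhosts):
    """Return [(port, name, winning_location, shadowed_location), ...]."""
    findings = []
    for port, entries in vhosts.items():
        first = {}  # name -> location of the first (winning) declaration
        for name, cfg in entries:
            if name in first and first[name] != cfg:
                findings.append((port, name, first[name], cfg))
            first.setdefault(name, cfg)
    return findings
```

Run it against the real dump with `parse_dump(subprocess.check_output(["apachectl", "-t", "-D", "DUMP_VHOSTS"], text=True))`; an empty result from `shadowed_names` means every name on every port resolves to a single vhost.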