"Certificate name mismatch" from ssllabs.com/ssltest

JHBrewer · June 7, 2022, 3:48pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: jick.net (and several others with the same IP address)

I ran this command: SSL Server Test (Powered by Qualys SSL Labs)

It produced this output: "Certificate name mismatch" plus a lot more details

My web server is (include version): apache2 (2.4.52-1ubuntu4)

The operating system my web server runs on is (include version): System76 Pop!_OS 22.04

My hosting provider, if applicable, is: I own my own server.

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No. "In the Beginning... was the Command Line."

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.21.0

Several years ago I clumsily set up a certificate for all the domains I manage on one IP address. The main domain [jick.net] (which apache2 serves up from /var/www/html) has numerous subdirectories, several of which are symlinked to trees for the other domains. All the symlinked trees work fine with SSL, but jick.net gets bad reports every time, and has consequently been blacklisted! I tried moving the other trees to their own separate directories and symlinking them directly (so that they are no longer explicit subdirectories of jick.net) but that changed nothing. I'm wondering if I should delete the existing certificate and get two new ones: one for jick.net and another for the rest. Is there a way to revise the domain list for an existing cert?

rg305 · June 7, 2022, 4:15pm

By whom, and for what reason?
I see RFC-cluelessness and spam complaints:
MultiRBL.valli.org - Results of the query 24.69.84.136

I don't know if that will "fix" the problem (one that I still don't understand) but it can be done.
You can even get individualized certs - one for each domain.
Start by reviewing the FQDNs covered by your existing certs:
certbot certificates

Oh, and since you are using Apache, I would double check that it isn't allowing misconfigurations to go unnoticed.
Review the output of:
apachectl -t -D DUMP_VHOSTS

Osiris · June 7, 2022, 4:17pm

Which certificate? Currently jick.net is serving a self-signed certificate and not a LE cert.

That said, I don't think any blacklisting issue is related to Let's Encrypts certificates to be honest..

JHBrewer · June 7, 2022, 5:43pm

Aha. A long time ago I tried using a self-signed cert, as I thought one had to pay $$ for a LE cert. Maybe it's still rattling around in there somewhere. How do I get rid of it? Could this be causing the following mixup?

# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
                 alias www.free-ideas.org
...and several others...
*:80                   is a NameVirtualHost
         default server free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
         port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
                 alias www.free-ideas.org
...
         port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
                 alias www.jick.net
...and the same others.

(For reasons unknown to me, the combined cert from LE is named for the least important of my domains, rather than for jick.net)

Note: I am not trying to blame LE for any of this; it's my ignorance at fault. Please enlighten me!!

Osiris · June 7, 2022, 5:47pm

This configuration file probably (but not certainly) contains a SSLCertificateFile pointing to your self signed certificate.

There probably is also a "port 443 namevhost" for jick.net somwehere in between those others pointing to the file /etc/apache2/sites-enabled/jick.net-le-ssl.conf.

rg305 · June 7, 2022, 5:56pm

Single FQDN and "default" file name:

Two FQDNs and "jick" file name:

Please show the complete output, you are only hiding the problem:
apachectl -t -D DUMP_VHOSTS

JHBrewer · June 7, 2022, 5:59pm

Okay.

# apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)
         port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
                 alias www.free-ideas.org
         port 443 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca-le-ssl.conf:2)
                 alias www.jick.ca
         port 443 namevhost jick.net (/etc/apache2/sites-enabled/jick.net-le-ssl.conf:2)
                 alias www.jick.net
         port 443 namevhost musr.net (/etc/apache2/sites-enabled/musr.net-le-ssl.conf:2)
                 alias www.musr.net
         port 443 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org-le-ssl.conf:2)
                 alias www.opeer.org
*:80                   is a NameVirtualHost
         default server free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
         port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
                 alias www.free-ideas.org
         port 80 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca.conf:1)
                 alias www.jick.ca
         port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
                 alias www.jick.net
         port 80 namevhost musr.net (/etc/apache2/sites-enabled/musr.net.conf:1)
                 alias www.musr.net
         port 80 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org.conf:1)
                 alias www.opeer.org

rg305 · June 7, 2022, 6:02pm

These are all nicely paired:

port 80 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org.conf:1)
alias www.free-ideas.org
port 443 namevhost free-ideas.org (/etc/apache2/sites-enabled/free-ideas.org-le-ssl.conf:2)
alias www.free-ideas.org

port 80 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca.conf:1)
alias www.jick.ca
port 443 namevhost jick.ca (/etc/apache2/sites-enabled/jick.ca-le-ssl.conf:2)
alias www.jick.ca

port 80 namevhost jick.net (/etc/apache2/sites-enabled/jick.net.conf:1)
alias www.jick.net
port 443 namevhost jick.net (/etc/apache2/sites-enabled/jick.net-le-ssl.conf:2)
alias www.jick.net

port 80 namevhost musr.net (/etc/apache2/sites-enabled/musr.net.conf:1)
alias www.musr.net
port 443 namevhost musr.net (/etc/apache2/sites-enabled/musr.net-le-ssl.conf:2)
alias www.musr.net

port 80 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org.conf:1)
alias www.opeer.org
port 443 namevhost opeer.org (/etc/apache2/sites-enabled/opeer.org-le-ssl.conf:2)
alias www.opeer.org

This one is left all alone...

port 443 namevhost jick.net (/etc/apache2/sites-enabled/default-ssl.conf:2)

[and is a redundant name:port overlap/conflict]

rg305 · June 7, 2022, 6:04pm

Careful though!
I would NOT just delete that file.
I'd just change the servername to something unique and restart Apache.

JHBrewer · June 7, 2022, 6:05pm

I found /etc/ssl/certs/ssl-cert-snakeoil.pem from a year ago. Should I just delete it?

rg305 · June 7, 2022, 6:05pm

No, that won't fix things - and might make it worse.

^^ read my last post ^^

JHBrewer · June 7, 2022, 6:11pm

"...just change the servername to something unique..." In the /etc/apache2/sites-enabled/default-ssl.conf file?
Does "something unique" need to be an actual FQDN? Perhaps I could use something like "test.jick.net"?

rg305 · June 7, 2022, 6:14pm

It can be anything:
servername useless

JHBrewer · June 7, 2022, 6:35pm

Um... Unlike all the other .conf files, /etc/apache2/sites-enabled/default-ssl.conf does not refer to servername anywhere. So how did it get assigned to jick.net??
It does have
SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-- if I comment those out (and NOT delete the old snakeoil files) that may break SSL, but at least it is reversible.
Alas, my understanding is decreasing.

Osiris · June 7, 2022, 6:41pm

Probably used some default setting, perhaps the hostname of the server.

Just add a ServerName with a fake hostname such as localhost or something to the file.

rg305 · June 7, 2022, 7:00pm

Don't do anything of the sort.
Just add a line with:
servername blah
[NOT using a real FQDN]

Yes, it picked up the name from the name assigned within the main http section.
[which is bad practice - the server should NOT be called by a name that it will be servicing]

JHBrewer · June 7, 2022, 7:35pm

That seems to have worked! THANK YOU!! -- Jess

system · July 7, 2022, 7:36pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.