Certificate name mismatch

Hello,

I’ve been using a Let’s Encrypt certificate with my Synology box for a while without any issues; DNS is provided by DuckDNS.

I decided to build an additional box - an Ubuntu LAMP server. I added an additional domain with duckdns.

At this point both boxes are behind the same router, port forwarding resolves traffic between the two boxes.

Encryption was done with a DNS challenge and appeared good. However, logging into the Ubuntu Apache server over HTTPS never worked.

My research led to this:
https://www.ssllabs.com/ssltest/analyze.html?d=romicvawebtrees.duckdns.org shows a name mismatch…

Please help.
Thank you in advance.
Roman


My domain is: romicva.duckdns.org & romicvawebtrees.duckdns.org

I ran this command: ./certbot-auto certonly --manual --preferred-challenges dns-01 --email romicva@gmail.com -d romicvawebtrees.duckdns.org

It produced this output: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/romic etc

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no / terminal

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

Hi @romicva,

What does your port forwarding setup look like? Are you accessing these two hosts on different ports?

Presumably they can’t share a single external port, unless you have proxy software that understands TLS and can do forwarding based on the TLS SNI field. That wouldn’t be the case with most port-forwarding configurations.

Correct, I’m using different ports. I access new box by using a dedicated port that my router sends to the correct internal IP. There’s no proxy.
Thank you for getting in touch with me so quickly.

Hi @romicva

I checked both domains in my browser; there are redirects to port 5001.

https://romicva.duckdns.org:5001/
https://romicvawebtrees.duckdns.org:5001/

with the same result page. The first URL has the correct certificate, the second URL requires creating an exception.

But checking your domain via https://check-your-website.server-daten.de/?q=romicvawebtrees.duckdns.org

Domainname (resolved IP) | Http-Status | redirect | Sec. | G
http://romicvawebtrees.duckdns.org/ (108.51.118.201) | 302 | http://romicvawebtrees.duckdns.org:5000/ | 0.243 | D
http://www.romicvawebtrees.duckdns.org/ (108.51.118.201) | 302 | http://www.romicvawebtrees.duckdns.org:5000/ | 0.240 | D
http://romicvawebtrees.duckdns.org:5000/ | 302 | https://romicvawebtrees.duckdns.org:5001/ | 0.277 | A
http://www.romicvawebtrees.duckdns.org:5000/ | 302 | https://www.romicvawebtrees.duckdns.org:5001/ | 0.277 | A
https://romicvawebtrees.duckdns.org/ (108.51.118.201) | 302 | https://romicvawebtrees.duckdns.org:5001/ | 1.377 | N | Certificate error: RemoteCertificateNameMismatch
https://www.romicvawebtrees.duckdns.org/ (108.51.118.201) | 302 | https://www.romicvawebtrees.duckdns.org:5001/ | 1.127 | N | Certificate error: RemoteCertificateNameMismatch
https://romicvawebtrees.duckdns.org:5001/ | 200 | - | 1.067 | N | Certificate error: RemoteCertificateNameMismatch

All HTTPS connections are wrong; all use the same certificate:

CN=romicva.duckdns.org, valid from 01.07.2019 to 29.09.2019, expires in 75 days, romicva.duckdns.org - 1 entry

But the solution should be simple: Create one certificate with both domain names:

./certbot-auto certonly --manual --preferred-challenges dns-01 -d romicvawebtrees.duckdns.org -d romicva.duckdns.org

Every 443 vHost and the 5001 vHost should use this certificate with both domain names.

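A way to check the mismatch JuergenAuer describes, written as an added example for this thread (not his code and not Certbot's): it lists the DNS names a certificate covers and reports which of the names you need are missing, using the same matching rules a browser applies. The two certificate dicts are constructed to mirror the finding above; `fetch_cert()` is a live probe that connects with SNI set and is only relevant against a real server.

```python
"""Report which host names a TLS certificate does and does not cover.

Added example for this thread (not code from the forum or from Certbot).
The certificate dicts below are constructed to mirror the finding above:
one certificate, CN/SAN romicva.duckdns.org only, served for both names.
"""
import socket
import ssl


def cert_names(cert):
    """DNS names a certificate is valid for.

    Browsers only consult subjectAltName; the CN is used here purely as a
    fallback for old certificates that carry no SAN extension.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for attr, value in rdn:
                if attr == "commonName":
                    names.append(value)
    return names


def name_matches(pattern, hostname):
    """RFC 6125 style comparison: case-insensitive, and a wildcard may only
    replace the whole left-most label (so *.duckdns.org does not cover
    duckdns.org or a.b.duckdns.org)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) >= 3 and ".".join(labels[1:]) == pattern[2:]
    return pattern == hostname


def uncovered_names(cert, required):
    """Names in `required` that would fail hostname verification."""
    covered = cert_names(cert)
    return [h for h in required if not any(name_matches(n, h) for n in covered)]


def fetch_cert(host, port, sni=None):
    """Live probe (not exercised offline): TLS-connect with SNI set and return
    the peer certificate as a dict. The chain is still verified against the
    system trust store; only hostname checking is disabled so that a
    name-mismatched certificate can be inspected instead of rejected."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return tls.getpeercert()


# Constructed to match the check-your-website output quoted above.
SINGLE_NAME_CERT = {
    "subject": ((("commonName", "romicva.duckdns.org"),),),
    "subjectAltName": (("DNS", "romicva.duckdns.org"),),
}
# Constructed: what the suggested combined certificate would look like.
COMBINED_CERT = {
    "subject": ((("commonName", "romicvawebtrees.duckdns.org"),),),
    "subjectAltName": (("DNS", "romicvawebtrees.duckdns.org"), ("DNS", "romicva.duckdns.org")),
}
REQUIRED_NAMES = ["romicva.duckdns.org", "romicvawebtrees.duckdns.org"]

if __name__ == "__main__":
    for label, cert in (("current", SINGLE_NAME_CERT), ("combined", COMBINED_CERT)):
        missing = uncovered_names(cert, REQUIRED_NAMES)
        print(f"{label}: covers {cert_names(cert)}; not covered: {missing or 'none'}")
```

Against a live host you would call `fetch_cert("romicvawebtrees.duckdns.org", 5001)` and pass the result to `uncovered_names()`; an empty list means every required name is on the certificate.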

Thank you!

It should take a WHILE to digest.

I do have a question though - creation of 1 certificate for both domains… - will this action require me to make changes to the synology? - I’d rather not, if possible.

The port for romicvawebtrees.duckdns.org that I use is 44396.

Anyway I REALLY appreciate all the help!
Thank you!

Basically, unless your reverse proxy understands TLS well enough to forward connections selectively based on SNI (which it doesn’t), you’ll need to use separate ports for HTTP and HTTPS for each back-end machine. So you need an additional HTTPS port for romicvawebtrees in addition to the HTTP port 44396, and that port then needs to be forwarded to port 443 of the romicvawebtrees server.

With your current proxy setup, there’s no valid way to share a single public HTTPS port for both services.
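The SNI field Seth refers to, shown in an added example (not code from this thread, from the router, or from any proxy product): it parses a TLS ClientHello, pulls out the server_name extension, and uses it to pick a back end. Plain TCP port forwarding never reads this field, so one public HTTPS port can only reach one box. The host names are the thread's; the 192.168.1.x addresses and the routing table are constructed placeholders.

```python
"""Read the SNI host name from a TLS ClientHello and pick a back end.

Added example for this thread, not code from the forum or any product.
It shows the single field an SNI-aware proxy would route on; plain TCP
port forwarding, as on the router here, never looks at it, so one public
HTTPS port can only ever reach one back-end box. Host names come from the
thread; the 192.168.1.x addresses and ports are constructed placeholders.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type
CLIENT_HELLO = 0x01       # handshake message type
EXT_SERVER_NAME = 0x0000  # RFC 6066 server_name extension


def build_client_hello(server_name=None):
    """Constructed test input: a minimal TLS 1.2 ClientHello, optionally
    carrying a server_name extension for `server_name`."""
    body = (
        b"\x03\x03"             # client_version TLS 1.2
        + bytes(32)             # random
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite (ECDHE-RSA-AES128-GCM-SHA256)
        + b"\x01\x00"           # compression methods: null only
    )
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host      # name_type 0 = host_name
        sni = struct.pack("!H", len(entry)) + entry                # ServerNameList
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
        body += struct.pack("!H", len(ext)) + ext                  # extensions block
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the ClientHello's server_name extension,
    or None if the record is not a ClientHello, is truncated, or has no SNI."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(record[6:9], "big")
        body = record[9:9 + hs_len]
        if len(body) != hs_len:
            return None                          # truncated handshake
        pos = 2 + 32                             # skip version and random
        pos += 1 + body[pos]                     # session_id
        (cs_len,) = struct.unpack_from("!H", body, pos)
        pos += 2 + cs_len                        # cipher_suites
        pos += 1 + body[pos]                     # compression_methods
        if pos >= len(body):
            return None                          # no extensions block at all
        (ext_total,) = struct.unpack_from("!H", body, pos)
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", body, pos)
            pos += 4
            if ext_type != EXT_SERVER_NAME:
                pos += ext_len
                continue
            (list_len,) = struct.unpack_from("!H", body, pos)
            lp, list_end = pos + 2, pos + 2 + list_len
            while lp + 3 <= list_end:
                name_type = body[lp]
                (name_len,) = struct.unpack_from("!H", body, lp + 1)
                name = body[lp + 3:lp + 3 + name_len]
                if name_type == 0 and len(name) == name_len:
                    return name.decode("ascii")
                lp += 3 + name_len
            return None
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed routing table: what an SNI proxy in front of the router would use.
ROUTES = {
    "romicva.duckdns.org": ("192.168.1.10", 5001),          # Synology DSM
    "romicvawebtrees.duckdns.org": ("192.168.1.20", 443),   # Ubuntu Apache
}


def choose_backend(record, routes=ROUTES):
    """Route a ClientHello by SNI; None means 'no SNI or unknown name',
    which a proxy should reject or send to a default back end."""
    name = extract_sni(record)
    return routes.get(name.lower()) if name else None


if __name__ == "__main__":
    for host in ("romicva.duckdns.org", "romicvawebtrees.duckdns.org", None):
        hello = build_client_hello(host)
        print(f"SNI={extract_sni(hello)!r} -> {choose_backend(hello)}")
```

The point of the parser is what the router lacks: it has to read into the first TLS record before it can decide where a connection belongs. A plain port forward makes that decision from the destination port alone, which is why each back end needs its own external HTTPS port here.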

To access Ubuntu from the outside:
for HTTP I’ll have to address it as
http://romicvawebtrees.duckdns.org:80XX and at the router redirect it to internal_IP:80
for HTTPS I’ll have to address it as
http://romicvawebtrees.duckdns.org:443XX and at the router redirect it to internal_IP:443
Is that correct?
Do I still have to run ./certbot-auto certonly --manual --preferred-challenges dns-01 -d romicvawebtrees.duckdns.org -d romicva.duckdns.org and will it impact existing certificate on synology?
Thank you!

If you want to use @JuergenAuer's solution of creating a single certificate with both domain names, that certificate would probably have to be installed on the reverse proxy instead of on the back-end servers. Assuming that your reverse proxy can understand HTTPS and use certificates at all, this would probably work but is different from the solution I was proposing.

For my suggestion,

Yes, and those external port numbers would have to be different from those used by the other server.

In this scenario you would no longer have to create a combined certificate, as long as your process for creating the individual certificates for both back-end devices continues to work.

Since I don’t have any proxy solution at all I will redo my router and rebuild the ubuntu box.

The only remaining question is - how do I undo all of the external mess I’ve created.

1 Do I need to uninstall Let’s Encrypt from Ubuntu before the rebuild?
2 How do I remove all of the redirects presented by https://check-your-website.server-daten.de/?q=romicvawebtrees.duckdns.org
3 How do I clear up the existing certificate mismatch?

Thank you, thank you, and thank you!

I don’t see any reason that you have to rebuild the box—it’s relatively straightforward to update certificate and HTTPS configurations on Ubuntu.

Can you remind me how you are authenticating to Let’s Encrypt for your existing certificate issuance process on both devices? (How do you prove to Let’s Encrypt that you control each name for each back-end device?)

On Ubuntu I ran this command:
./certbot-auto certonly --manual --preferred-challenges dns-01 --email romicva@gmail.com -d romicvawebtrees.duckdns.org

It produced this output: Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live

On synology I used interface that allowed 3rd party certificates. Before that I had to configure romicva.duckdns.org as my external name.

The reason I want to rebuild Ubuntu is that I was messing with the http to https redirect so much that I may have broken it beyond repair… I didn’t realize that I had a cert mismatch for a while. I thought that my http to https redirect wasn’t working, while in reality it was the certificate issue.

I’m also very confused about the existence of redirects from romicvawebtrees.duckdns.org to romicvawebtrees.duckdns.org:5000. I never configured those.

At this point I feel helpless and don’t know how to clean up the mess I made, nor do I know how to fix it or rebuild it.

I know it’s long - I’m sorry about it.

Thank you!

I don't see a mess. You use the same application with different domain names. So you need one certificate with all domain names.

I don't use DSM. But the redirect to 5001 is a standard, not a problem.

Create one certificate with all domain names and use that. With dns-01 validation and --manual, it's simple.

Hello JuergenAuer
Do I need to remove existing certificate (if yes - how?) before I attempt to create a certificate with all of the domains?
Thank you

No. Never remove or revoke active certificates unless the private key has been stolen.

Create a new certificate and replace the current.

If the certificate is expired, you can delete it.

Thank you.
How do I modify this command:

to apply the certificate to Apache?
Thank you

Please check

https://certbot.eff.org/docs/using.html

-i apache

may work, if Certbot understands your configuration.

I ran into this problem before since I have to use the DNS challenge and (as I just learned) --apache wants the http-01 challenge.

Is there a way to do the DNS challenge, the Apache configuration and two domains in one command?

Thank you,
Roman

I executed this:
./certbot-auto certonly --manual --preferred-challenges dns-01 -d romicvawebtrees.duckdns.org -d romicva.duckdns.org

got a token TXT that I ran through duckdns and got OK

However, it errored out like this:
Press Enter to Continue
Waiting for verification…
Challenge failed for domain romicva.duckdns.org
dns-01 challenge for romicva.duckdns.org
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: romicva.duckdns.org
    Type: unauthorized
    Detail: Incorrect TXT record "" found at
    _acme-challenge.romicva.duckdns.org

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A/AAAA record(s) for that domain
    contain(s) the right IP address.

If you are able to create the correct TXT entry with romicvawebtrees.duckdns.org, then do the same with your second domain.
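What the dns-01 check actually looks for, as an added example for this thread rather than Certbot's own code: the TXT value Certbot prints is derived from the challenge token and the account key's JWK thumbprint (RFC 8555 section 8.4, RFC 7638), and every name on the certificate gets its own token, so each `_acme-challenge.<name>` needs its own record. The `diagnose()` helper reproduces the three outcomes a server can report, including the blank record ("") seen above. Tokens, the JWK and the resolver answers are constructed; `lookup_txt()` assumes `dig` is installed and is only needed against real DNS.

```python
"""Work out, and check, the TXT record a dns-01 challenge expects.

Added example for this thread, not Certbot's code. Token and key values
below are constructed; the derivation is the one from RFC 8555 (ACME)
section 8.4 and RFC 7638 (JWK thumbprint).
"""
import base64
import hashlib
import json
import subprocess


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the JSON of only the required members,
    keys sorted lexicographically, no whitespace. Optional members such as
    'kid' or 'alg' must not influence the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def dns01_txt_value(token: str, thumbprint: str) -> str:
    """The value Certbot asks you to publish: base64url(SHA-256(token '.' thumbprint))."""
    key_authorization = f"{token}.{thumbprint}"
    return b64url(hashlib.sha256(key_authorization.encode("utf-8")).digest())


def challenge_name(domain: str) -> str:
    """Owner name of the TXT record the ACME server queries."""
    return "_acme-challenge." + domain.rstrip(".")


def diagnose(found, expected):
    """Classify what the ACME server will see for one domain.

    `found` is the list of TXT strings returned for _acme-challenge.<domain>.
    A single empty string is the 'Incorrect TXT record "" found' case from
    the thread: the record exists but the provider stored a blank value.
    """
    if not found:
        return "no TXT record published"
    if expected in found:
        return "ok"
    if all(r == "" for r in found):
        return 'empty TXT record ("") published; set the value, not just the name'
    return f"wrong TXT record(s) {found!r}; expected {expected!r}"


def diagnose_all(expected_by_domain, found_by_domain):
    """Each domain in a multi-name certificate needs its own TXT record;
    a value copied from one name will not validate another."""
    return {d: diagnose(found_by_domain.get(d, []), exp) for d, exp in expected_by_domain.items()}


def lookup_txt(name, resolver="8.8.8.8"):
    """Live lookup via dig (assumed installed; not exercised offline).
    Returns the TXT strings with dig's quoting removed, so an empty record
    comes back as ''."""
    out = subprocess.run(["dig", "+short", "TXT", name, "@" + resolver],
                         capture_output=True, text=True, check=False).stdout
    records = []
    for line in out.splitlines():
        line = line.strip()
        if line.startswith('"'):
            records.append("".join(line.split('"')[1::2]))  # join quoted chunks
    return records


# Constructed demo values (not real tokens or keys).
DEMO_JWK = {"kty": "EC", "crv": "P-256", "x": "x-coordinate-placeholder", "y": "y-coordinate-placeholder"}
DEMO_TOKENS = {"romicvawebtrees.duckdns.org": "token-for-webtrees", "romicva.duckdns.org": "token-for-romicva"}

if __name__ == "__main__":
    thumb = jwk_thumbprint(DEMO_JWK)
    expected = {d: dns01_txt_value(t, thumb) for d, t in DEMO_TOKENS.items()}
    # Constructed resolver answers: first name correct, second stored blank.
    found = {"romicvawebtrees.duckdns.org": [expected["romicvawebtrees.duckdns.org"]],
             "romicva.duckdns.org": [""]}
    for domain, verdict in diagnose_all(expected, found).items():
        print(f"{challenge_name(domain)}: {verdict}")
```

Before pressing Enter in `certbot --manual`, `lookup_txt(challenge_name(domain))` against a public resolver should return exactly the value Certbot displayed for that domain; for two names that means two lookups and two distinct values.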

Ok, I just ran this:
./certbot-auto certonly --manual --preferred-challenges dns-01 -d romicvawebtrees.duckdns.org
And it succeeded. It didn’t even ask me to run it by duckdns.
Am I all done? At this point my Apache web server is in ruins - how do I check?
Thank you