Certificate not valid for domain name

jeterboy · March 14, 2017, 4:56am

I successfully installed and configured SSL to my other 3 sites using the instructions of DigitalOcean https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-16-04

But today, as I install a new SSL in my new site with LetsEncrypt I can’t get it to work perfectly. Although it is showing https when I visit the site but when I test it via ssllabs it shows “Certificate name mismatch” error.

*** One thing I noticed. When I visit my www sites with LetsEncrypt installed SSL and removed their www it redirects to one domain. Is this normal?

My webserver is nginx and I believe I correctly configured my server blocks.

Your help and suggestions are very much appreciated. Thanks.

smunsch · March 14, 2017, 5:41am

The thing I get for ALL my domains is pointing at the chain for the first domain, alphabetically, on my server. This is odd… All my domains worked just fine until recently… Now they all have this issue. I’ve tried both --webroot and --standalone

sahsanu · March 14, 2017, 7:43am

Hello @jeterboy or @smunsch,

You are getting those issues because in your nginx server block for ssl you are only including www domain instead of both:

Your config:

server_name www.mandolineslicerexpert.com;

and it should include both domains:

server_name mandolineslicerexpert.com www.mandolineslicerexpert.com;

Best regards,
sahsanu

jeterboy · March 14, 2017, 8:36am

Whoa… it works! Thank you so much Sahsanu.

smunsch · March 14, 2017, 2:25pm

Still not my problem…
Using multiple domain names on my server. Applied your fix, everywhere… Here’s a few files from my install.

gist.github.com

https://gist.github.com/blacRose/746e6ad248354fd0e493425705d71f79

cuddli.conf

server {
	server_name cudd.li www.cudd.li;
	listen 80;
	return 301 https://cudd.li$request_uri;
}
server {
	server_name cudd.li www.cudd.li;
	listen  443 ssl http2;
	index index.php index.html index.htm;
	root /home/user/http/cuddli;

This file has been truncated. show original

letsgo.sh

#!/bin/bash
echo "service nginx stop"
service nginx stop
echo "swo.re"
letsencrypt certonly --standalone -d swo.re -d www.swo.re -d mail.swo.re
echo "cudd.li"
letsencrypt certonly --standalone -d cudd.li -d www.cudd.li
echo "shelbymunsch.com"
letsencrypt certonly --standalone -d shelbymunsch.com -d www.shelbymunsch.com
echo "emiliemunsch.com"

This file has been truncated. show original

nginx.conf

user www-data;
worker_processes 1;
pid /var/run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

This file has been truncated. show original

There are more than three files. show original

sahsanu · March 14, 2017, 5:03pm

Sorry, but I thought jeterboy & smunsch were the same person. You should not hijack posts ;), you should open a new one with your specific issue.

Nevermind, could you please explain in detail what is your problem?, let me check my crystal ball , your problem is that you are renewing your certificates but you still view that the certs expire today?.

I saw that you have already renewed your certs today but maybe they are not where you expect them to be, please, show the output of ls -la /etc/letsencrypt/live/ because I suppose your new certs are not in for example /etc/letsencrypt/live/cudd.li/ but in /etc/letsencrypt/live/cudd.li-0001/ or similar.

If that is the case you should change the path of the certificates in your nginx conf with the correct ones... or you could try to use the option --expand when using the letsencrypt command.

Remember to reload or restart your nginx if you made changes in its config.

If my crystal ball failed, please, explain your problem in detail

Cheers,
sahsanu

smunsch · March 14, 2017, 7:52pm

Oops. Sorry. I actually started ALL of this by deleting /etc/letsencrypt… The names are correct. Just, even using different certs, ALL domains show that I'm using the chain for cudd.li… Most of the config files (I've configs for… 6 different domains on this server) are in the aforementioned gist.

sahsanu · March 14, 2017, 8:07pm

Ok, I think I understood your "problem", correct me if I'm wrong. You are testing the certificates using openssl s_client command and when you check your domain, for example swo.re, you get the certificate for cudd.li domain and that is because you are using this command:

openssl s_client -connect swo.re:443

but you need to include the domain name you need to check or you will get the default certificate, that in your case is the cert for cudd.li domain.

The right command is:

openssl s_client -connect hostname:443 -servername yourdomain.tld

Example with swo.re

openssl s_client -connect swo.re:443 -servername swo.re

I hope this helps.

Cheers,
sahsanu

smunsch · March 14, 2017, 9:15pm

Oh. I guess I have no issue then… Okay.

system · April 13, 2017, 9:15pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Certificate name mismatch Server	4	2223	March 22, 2018
SSL Mismatch on brand new DO Server Server	7	2428	April 29, 2016
Letsencrypt certificate not working? Server	6	3634	February 11, 2017
Server's certificate does not match the url for www	5	4546	February 3, 2016
Multiple certificates vs. 1 Help	8	2405	September 22, 2016

Certificate not valid for domain name

Related topics