Certificate setup by certbot but site still insecure

The error I get in the browser is as follows:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is app.fatraaustralia.com.au ; its security certificate is from www.sinerji.com.au . This may be caused by a misconfiguration or an attacker intercepting your connection.

My domain is:

app.fatraaustralia.com.au. It points to an EC2 instance running Ubuntu, which has a Docker setup running a Node.js app. In front of the Node.js app is a reverse proxy (nginx); additionally there is a certbot container running that creates and renews the certificates for the above-mentioned domain.

I ran this command:
So I have a docker-compose file that I have followed from an article, which I have set up, and it seems to run all the steps successfully. It has the certbot command that renews and generates the certs, as you can see below:

version: '3.2'
services:
  web:
    build:
      context: ./
      dockerfile: Dockerfile
    image: server
    container_name: webapp
    ports:
      - 4000:4000
    volumes:
      - type: bind
        source: ./
        target: /app
    restart: unless-stopped
    networks:
      - app-network
    environment:
  nginx:
    image: nginx:mainline-alpine
    container_name: nginx
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - web-root:/var/www/html
      - ./nginx-conf:/etc/nginx/conf.d
      - certbot-etc:/etc/letsencrypt
      - certbot-var:/var/lib/letsencrypt
      - dhparam:/etc/ssl/certs
    depends_on:
      - web
    networks:
      - app-network
  certbot:
    image: certbot/certbot
    container_name: certbot
    volumes:
      - certbot-etc:/etc/letsencrypt
      - certbot-var:/var/lib/letsencrypt
      - web-root:/var/www/html
    depends_on:
      - nginx
    command: certonly --webroot --webroot-path=/var/www/html --agree-tos --no-eff-email --force-renewal -d app.fatraaustralia.com.au

volumes:
  certbot-etc:
  certbot-var:
  web-root:
    driver: local
    driver_opts:
      type: none
      device: /home/ubuntu/ss-gql-server/views
      o: bind
  dhparam:
    driver: local
    driver_opts:
      type: none
      device: /home/ubuntu/server/dhparam/
      o: bind

networks:
  app-network:
    driver: bridge

It produced this output:

certbot | Saving debug log to /var/log/letsencrypt/letsencrypt.log
certbot | Plugins selected: Authenticator webroot, Installer None
certbot | Renewing an existing certificate
certbot | IMPORTANT NOTES:
certbot | - Congratulations! Your certificate and chain have been saved at:
certbot | /etc/letsencrypt/live/app.fatraaustralia.com.au/fullchain.pem
certbot | Your key file has been saved at:
certbot | /etc/letsencrypt/live/app.fatraaustralia.com.au/privkey.pem
certbot | Your cert will expire on 2020-01-29. To obtain a new or tweaked
certbot | version of this certificate in the future, simply run certbot
certbot | again. To non-interactively renew all of your certificates, run
certbot | "certbot renew"
certbot | - If you like Certbot, please consider supporting our work by:
certbot |
certbot | Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
certbot | Donating to EFF: https://eff.org/donate-le
certbot |
certbot exited with code 0

My web server is (include version):

nginx alpine docker image.

The operating system my web server runs on is (include version):

Ubuntu 16.04.6 LTS which is an ec2 instance.

My hosting provider, if applicable, is:

Crazy Domains has an A record for the subdomain app.fatraaustralia.com.au that points to the Elastic IP of the EC2 instance.

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
It is the certbot/certbot image from Docker.

My nginx config is as follows:

server {
    listen 80;
    listen [::]:80;

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

    server_name app.fatraaustralia.com.au;

    location ~ /.well-known/acme-challenge {
            allow all;
            root /var/www/html;
    }

    location / {
            rewrite ^ https://$host$request_uri? permanent;
    }

}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name app.fatraaustralia.com.au;

    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/app.fatraaustralia.com.au/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.fatraaustralia.com.au/privkey.pem;

    ssl_buffer_size 8k;

    ssl_dhparam /etc/ssl/certs/dhparam-2048.pem;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_prefer_server_ciphers on;

    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

    ssl_ecdh_curve secp384r1;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8;

    location / {
            try_files $uri @nodejs;
    }

    location @nodejs {
            proxy_pass_header Set-Cookie;
            proxy_pass http://web:4000;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-XSS-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Referrer-Policy "no-referrer-when-downgrade" always;
            add_header Content-Security-Policy "default-src * data: 'unsafe-eval' 'unsafe-inline'" always;
            # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
            # enable strict transport security only if you understand the implications
    }

    root /var/www/html;
    index index.html index.htm index.nginx-debian.html;

}


The name resolves to multiple IPs.
Two IPv4 addresses and one IPv6 address.

Name:    app.fatraaustralia.com.au
Addresses:  2404:8280:a222:bbbb:bba1:67:ffff:ffff
          103.226.222.98
          54.66.197.50

It seems not all of them reach your (same) server.

https://www.ssllabs.com/ssltest/analyze.html?d=app.fatraaustralia.com.au&hideResults=on


Thank you for that.

I have chatted with the hosting provider; they had an additional A record pointing towards the 2nd address, which they have removed. It will take time for propagation.

The 3rd (IPv6) address they didn't give me an explanation for. Hope this fixes the issue.


If you have access to manage your DNS zone, then you can make the necessary changes (anytime).
That said, the name now only resolves to a single IP:

Name:    app.fatraaustralia.com.au
Address:  54.66.197.50

So you should be good to go.


Hi @Nosherwan

Now you have only one IP address. But you have both versions defined (non-www and www); your certificate has only the non-www domain name ( https://check-your-website.server-daten.de/?q=app.fatraaustralia.com.au ):

CN=app.fatraaustralia.com.au, valid from 31.10.2019 to 29.01.2020 (expires in 89 days), 1 entry: app.fatraaustralia.com.au

So your www version isn’t secure.

Two options:

  • remove the www A entry (or, better)
  • create one certificate with both domain names and use that.

But more important: now you don't have an IPv6 address. Perhaps try to configure your IPv6 correctly, then add it to your DNS setup. IPv6 -> that's the future.

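An added diagnostic for the two problems raised in this thread (my own example, not code from any post): a name that resolves to several addresses, not all of which serve the same certificate, and a www name that the certificate does not cover. It resolves every address, completes a TLS handshake to each one with SNI, and reports which of the requested hostnames the served certificate actually matches. Python 3.8+ standard library only; the live run at the bottom needs network access, while the helper functions work on getpeercert()-style dicts.

```python
import socket
import ssl
from typing import Dict, List, Optional

def resolve_all(host: str) -> List[str]:
    """Every IPv4/IPv6 address the name resolves to, in order, without duplicates."""
    infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    return list(dict.fromkeys(sa[0] for *_, sa in infos))

def fetch_cert(ip: str, sni: str, timeout: float = 5.0) -> Optional[dict]:
    """TLS handshake to one address, sending `sni` as the server name. Chain
    verification stays on; only the hostname check is skipped so a mismatched
    certificate is still returned for inspection. None on any failure."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    try:
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return tls.getpeercert()
    except OSError:  # ssl.SSLError and socket.timeout are subclasses
        return None

def cert_names(cert: dict) -> List[str]:
    """CN plus DNS SANs from an ssl.getpeercert() dict, lower-cased, deduplicated."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return list(dict.fromkeys(n.lower() for n in cns + sans))

def name_matches(host: str, names: List[str]) -> bool:
    """Browser-style match: exact name, or a wildcard covering exactly one label."""
    host = host.lower()
    for n in names:
        if n == host:
            return True
        if n.startswith("*.") and host.endswith(n[1:]) and host.count(".") == n.count("."):
            return True
    return False

def diagnose(hosts: List[str], served: Dict[str, dict]) -> Dict[str, Dict[str, bool]]:
    """For each address and the cert it served, which of `hosts` that cert covers."""
    return {ip: {h: name_matches(h, cert_names(c)) for h in hosts} for ip, c in served.items()}

if __name__ == "__main__":
    # Live run: names from the thread; every resolved address is probed with the first name as SNI.
    hosts = ["app.fatraaustralia.com.au", "www.app.fatraaustralia.com.au"]
    served = {ip: c for ip in resolve_all(hosts[0]) if (c := fetch_cert(ip, hosts[0]))}
    for ip, ok in diagnose(hosts, served).items():
        print(ip, ", ".join(f"{h}: {'OK' if v else 'MISMATCH'}" for h, v in ok.items()))
```

An address that reports MISMATCH for the name the browser requested is the one producing NET::ERR_CERT_COMMON_NAME_INVALID; a stray A record is fixed in DNS, a missing www name by reissuing with both names.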

@JuergenAuer thanks for the suggestions.
The www URL is deployed at the domain host. app.fatraaustralia.com.au cannot be hosted there, therefore it required a separate certification mechanism. I guess I can create one cert for both domain names, but I will have to deploy one copy of the cert where the main domain website is hosted.


Really? The IP address is the same:

Host                           T     IP-Address     is auth.  Queries  Timeout
app.fatraaustralia.com.au      A     54.66.197.50   yes       1        0
app.fatraaustralia.com.au      AAAA  -              yes
www.app.fatraaustralia.com.au  A     54.66.197.50   yes       1        0
www.app.fatraaustralia.com.au  AAAA  -              yes
(54.66.197.50: Sydney/New South Wales/Australia (AU) - Amazon.com, Inc.; Hostname: ec2-54-66-197-50.ap-southeast-2.compute.amazonaws.com)

Both domain names have the 54.66.197.50.

And the result is a Grade N, because the www version doesn't work.

Domainname                              IP            Http-Status    redirect                                Sec.   G
http://app.fatraaustralia.com.au/       54.66.197.50  301            https://app.fatraaustralia.com.au/      0.624  A
http://www.app.fatraaustralia.com.au/   54.66.197.50  301            https://www.app.fatraaustralia.com.au/  0.640  A
https://app.fatraaustralia.com.au/      54.66.197.50  404 Not Found                                          5.187  M
https://www.app.fatraaustralia.com.au/  54.66.197.50  404 Not Found                                          5.216  N
                                                      Certificate error: RemoteCertificateNameMismatch
(http rows: Html is minified: 109,03 %; https rows: Inline-JavaScript 0/0, Inline-CSS 0/0, Html is minified: 100,00 %)

There are two general options:

  • no dns entry with the www version, then the www version doesn’t exist (or)
  • a dns entry, a correct working vHost with a valid certificate running on that ip address

But having an A record with the wrong IP, or with a non-working vHost / invalid certificate, is always bad.

Ah got you. I thought you were talking about:

www.fatraaustralia.com.au 66.235.200.3

No worries, will do that for www.app.fatraaustralia.com.au

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.