Certificates and subdomains error problems

The certs I'm requesting for thechatpit.org are coming up for ampache.thechatpit.org when used for ircd. I've done sudo cp /etc/letsencrypt/live/thechatpit.org/fullchain.pem /etc/priv/ircd.crt for the ircd certificate, and they're coming up with:

  • Certification info:
    • Subject:
      • CN=ampache.thechatpit.org
    • Issuer:
      • C=US
      • O=Let's Encrypt
      • CN=R3

...when connecting to the ircd. The ircd is not running on the ampache subdomain, and the certificate is from the root site. I'm stumped.

My domain is: thechatpit.org

I ran this command: sudo certbot renew

It produced this output:
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/ampache.thechatpit.org/fullchain.pem expires on 2022-02-13 (skipped)
/etc/letsencrypt/live/nextcloud.thechatpit.org/fullchain.pem expires on 2022-02-13 (skipped)
/etc/letsencrypt/live/thechatpit.org/fullchain.pem expires on 2022-01-29 (skipped)
No renewals were attempted.

My web server is (include version):
Server version: Apache/2.4.51 (Unix)
Server built: Nov 13 2021 20:10:37

The operating system my web server runs on is (include version):
Archlinux (rolling, current)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

You're just looking at the "Common name" where instead you should look at the "Subject Alternative Name" extension further down the certificate info. There you'll see the other hostname.

You can also see the hostnames included in a certificate in certbot by running certbot certificates.

1 Like

k, did a certbot certificates and the domains were all mangled together. I revoked ampache.thechatpit.org, nextcloud.thechatpit.org, and thechatpit.org and did a certbot certonly with -d domain for each one. The certbot certificates now looks cleaner:

Found the following certs:
Certificate Name: ampache.thechatpit.org
Serial Number: 4b4e44361aac9775e619ca3fc306aa75a50
Key Type: RSA
Domains: ampache.thechatpit.org
Expiry Date: 2022-02-17 20:42:33+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/ampache.thechatpit.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/ampache.thechatpit.org/privkey.pem
Certificate Name: nextcloud.thechatpit.org
Serial Number: 42b6590a30d6ebbf0991287c2faee97a5bf
Key Type: RSA
Domains: nextcloud.thechatpit.org
Expiry Date: 2022-02-17 20:43:35+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/nextcloud.thechatpit.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/nextcloud.thechatpit.org/privkey.pem
Certificate Name: thechatpit.org
Serial Number: 44c6f5cf172827065e8628c7f4dfce743fb
Key Type: RSA
Domains: thechatpit.org
Expiry Date: 2022-02-17 20:39:24+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/thechatpit.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thechatpit.org/privkey.pem

...with only one domain listed under "Domains" per certificate. However, after moving the certs around to their "correct" places, ircd still says the cert it's using is for ampache, and nextcloud now has this:

This server could not prove that it is nextcloud.thechatpit.org; its security certificate is from thechatpit.org. This may be caused by a misconfiguration or an attacker intercepting your connection.

...on the error in Chrome. I'll double check that the right certs are going to the right configs, but I'm still stumped.

"moving the certs around" ? ? ?

Have you restarted those services after updating their certs?

You could try beating them at their own game and...
Combine all names onto one single cert - FTW!
[that way you can't go wrong]

Why do so many people feel the need to REVOKE perfectly unharmed certificates !?!?!?!?!
PLEASE DON'T REVOKE any certificate simply because you no longer care to use it.
There is a very simple command for that:
certbot delete --cert-name {name of cert}

2 Likes

While some people indeed prefer this, note that there is nothing wrong with having multiple hostnames in a single certificate, even if you just see one in the "common name" of a certificate's subject.

2 Likes
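The Common Name versus Subject Alternative Name point made in the replies above, as an added example that is not part of any post in this thread: a hostname check over certificates in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`. Both sample certificates are constructed, and the SAN list of the combined one is an assumption, since the thread never shows it.

```python
# Added example. Certificates use the dict layout of ssl.SSLSocket.getpeercert().

def dns_names(cert):
    """Names a TLS client matches the hostname against (RFC 6125)."""
    sans = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans  # DNS SAN entries present: the subject CN is not consulted
    # RFC 6125 permits the CN as a last resort only when no DNS SAN exists.
    return [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def label_match(pattern, host):
    """Compare label by label; '*' may only be the whole left-most label."""
    p, h = pattern.split("."), host.split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_covers(cert, host):
    """True if the certificate is valid for the given hostname."""
    host = host.lower().rstrip(".")
    return any(label_match(name, host) for name in dns_names(cert))

def common_name(cert):
    """The single name that certificate viewers show under Subject."""
    return next(v for rdn in cert["subject"] for k, v in rdn if k == "commonName")

# Constructed: one certificate for three names; its CN shows only the first.
COMBINED = {
    "subject": ((("commonName", "ampache.thechatpit.org"),),),
    "subjectAltName": (("DNS", "ampache.thechatpit.org"),
                       ("DNS", "nextcloud.thechatpit.org"),
                       ("DNS", "thechatpit.org")),
}
# Constructed: a single-name certificate, as listed after the reissue.
SINGLE = {
    "subject": ((("commonName", "thechatpit.org"),),),
    "subjectAltName": (("DNS", "thechatpit.org"),),
}

if __name__ == "__main__":
    for label, cert in (("combined", COMBINED), ("single", SINGLE)):
        for host in ("thechatpit.org", "nextcloud.thechatpit.org"):
            print(label, "CN=" + common_name(cert), host, cert_covers(cert, host))
```

The combined certificate passes for thechatpit.org even though its CN reads ampache.thechatpit.org, while the single-name certificate fails for nextcloud.thechatpit.org, which is the mismatch Chrome reports when a service is handed the wrong file.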
