Certificates assigning randomly to domains

I’ve always had issues with LetsEncrypt moving SSLs about - whenever I’d generate a new certificate, it’d also apply the new certificate to the site I’d previously set up. So I’d need to go back and re-install the certificate for it to work.

I’ve moved over a domain, and it quickly picked up the certificate for another one of my sites. I believe this is causing the issue as I’ve never had this problem before. I tried removing the cert it was picking up - but it just went and took the next site in the list’s cert.

Why is https not just 404ing? Is there some catch-all that’s messing with me?


My domain is: golfjobslist.co.uk/

I ran this command: sudo /usr/local/bin/certbot-auto --nginx

It produced this output:
Performing the following challenges:
http-01 challenge for golfjobslist.co.uk
Waiting for verification…
Challenge failed for domain golfjobslist.co.uk
http-01 challenge for golfjobslist.co.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:

My web server is (include version): nginx/1.14.1

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.1.0

My nginx.conf currently looks like this:

# golfjobslist.co.uk
server {
    listen 80;
    server_name golfjobslist.co.uk;
    return 301 http://www.golfjobslist.co.uk$request_uri;
}

server {
    listen       80;
    server_name  www.golfjobslist.co.uk;

    root /usr/share/nginx/html/golfjobs;
}

I’ve got it kinda half working by removing the IPv6 A records to make it default to IPv4. This at least allowed me to generate a valid certificate.

It still seems to have an issue with assigning random certificates to it.


Hi @glasgowm148

a certificate isn't a "random thing". You have created some certificates - https://check-your-website.server-daten.de/?q=golfjobslist.co.uk - but your configuration looks inconsistent.

Now you have one certificate with both domain names.

So you should have one port 80 vHost and one port 443 vHost with the same certificate.

And you have one certificate only with the www domain name, that's used by your non-www -> that's wrong.


nginx -T

One port 80 vHost with both domain names, one port 443 vHost with both domain names is required.


https://dpaste.org/Jkbb

I’ve managed to get 3/4 working

❯ curl -I http://www.golfjobslist.co.uk/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Date: Mon, 20 Jan 2020 15:49:41 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.golf-jobs.co.uk/

❯ curl -I https://www.golfjobslist.co.uk/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Date: Mon, 20 Jan 2020 15:49:47 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.golf-jobs.co.uk/
❯ curl -I https://golfjobslist.co.uk/
curl: (51) SSL: no alternative certificate subject name matches target host name 'golfjobslist.co.uk'
❯ curl -I https://www.golfjobslist.co.uk/
HTTP/1.1 301 Moved Permanently
Server: nginx/1.14.1
Date: Mon, 20 Jan 2020 15:49:57 GMT
Content-Type: text/html
Content-Length: 185
Connection: keep-alive
Location: https://www.golf-jobs.co.uk/

server {
    server_name golfjobslist.co.uk www.golfjobslist.co.uk;
    listen 80;
    return 301 https://www.golf-jobs.co.uk$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.golfjobslist.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.golfjobslist.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

That’s bad, don’t mix port 80 and 443 in one server definition.

Create two vHosts, one port 80, one port 443 -> restart your server.


Seems to be the exact same

server {
    server_name golfjobslist.co.uk www.golfjobslist.co.uk;
    listen 80;
    return 301 https://www.golf-jobs.co.uk$request_uri;
}

server {
    server_name golfjobslist.co.uk www.golfjobslist.co.uk;
    return 301 https://www.golf-jobs.co.uk$request_uri;

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.golfjobslist.co.uk/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.golfjobslist.co.uk/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

So it isn't used. Now you have a loop.

Checking your domain there is a Cloudflare certificate.

If you use Cloudflare, you can use their certificate, you don't need a Letsencrypt certificate.

And then it's impossible to check your domain from outside.

PS: Sorry, wrong seen - that's a different destination. So it's not a loop.


There’s no Cloudflare on my site - it’s simply redirecting to a site that has Cloudflare - but I need the https link also.


That only configured the virtual host for IPv4.

You also need the equivalent IPv6 setting, "listen [::]:80;".

(And you also need to ensure your HTTPS virtual hosts are configured appropriately.)

You can also specify a default virtual host for an IP and port using the default_server parameter to the listen directive. Otherwise Nginx will choose one.

https://nginx.org/en/docs/http/ngx_http_core_module.html#listen
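A layout that follows the advice in this thread (one port 80 vHost and one port 443 vHost, each naming both hostnames, IPv4 and IPv6 listens, and an explicit default_server so an unmatched name gets a deliberate answer instead of whichever ssl block nginx finds first). This is an added example, not the poster's config or nginx project text; it assumes the certificate under /etc/letsencrypt/live/www.golfjobslist.co.uk/ is the one that lists both names, and the catch-all's certificate path is a placeholder because an ssl server block on nginx 1.14 must still name a certificate.

```nginx
# Added example layout for golfjobslist.co.uk (not the poster's config).

# Port 80: both names, IPv4 + IPv6. Only redirects, so no certificate needed.
server {
    listen 80;
    listen [::]:80;
    server_name golfjobslist.co.uk www.golfjobslist.co.uk;
    return 301 https://www.golf-jobs.co.uk$request_uri;
}

# Port 443: both names, IPv4 + IPv6, the single certificate covering both
# (assumed to be the one at this Certbot path).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name golfjobslist.co.uk www.golfjobslist.co.uk;
    ssl_certificate     /etc/letsencrypt/live/www.golfjobslist.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.golfjobslist.co.uk/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    return 301 https://www.golf-jobs.co.uk$request_uri;
}

# Catch-all for any other name reaching this IP on 443. Without default_server,
# nginx answers with the first ssl block defined for the address, which is how a
# name ends up served with another site's certificate. nginx 1.14 still requires
# a certificate here; the paths below are ASSUMED PLACEHOLDERS (e.g. a
# self-signed pair), not Let's Encrypt files.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/placeholder/selfsigned.crt;   # ASSUMED PLACEHOLDER
    ssl_certificate_key /etc/nginx/placeholder/selfsigned.key;   # ASSUMED PLACEHOLDER
    return 444;   # close the connection rather than serve another site's content
}
```

After `nginx -t` passes and nginx is reloaded, the `curl -I https://golfjobslist.co.uk/` check from earlier in the thread should return the 301 instead of the "no alternative certificate subject name matches" error.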

