Certificates name mismatch

The store issue is because Cloudflare do not have that name set up for https apparently
the names in their cert are only
DNS Name=sni157484.cloudflaressl.com
DNS Name=.all-in-one-blog.tk
DNS Name=.americans-auto.tk
DNS Name=.auto-cost.tk
DNS Name=.autocrosscountry.tk
DNS Name=.autospeedservice.tk
DNS Name=.car-cheap.tk
DNS Name=.europeremovals.co.uk
DNS Name=.formation.pub
DNS Name=all-in-one-blog.tk
DNS Name=americans-auto.tk
DNS Name=auto-cost.tk
DNS Name=autocrosscountry.tk
DNS Name=autospeedservice.tk
DNS Name=car-cheap.tk
DNS Name=europeremovals.co.uk
DNS Name=formation.pub

Either your DNS subzone for store is not properly delegated to Cloudflare or there is some other issue,
but either way it's nowt to do with yer other cert stuff.
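The name check a TLS client runs against a SAN list like the one above, as an added example that is not part of the original thread. The sample certificate is constructed: two names are taken from the post, and the `*.formation.pub` entry assumes the leading-dot entries were wildcards; the dict layout is the one Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Added example: why a hostname missing from the SAN list triggers a mismatch.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def san_matches(hostname, san):
    """True if one dNSName SAN entry covers hostname."""
    host, pattern = _labels(hostname), _labels(san)
    if len(host) != len(pattern):
        return False  # a wildcard stands for exactly one label
    if pattern[0] == "*":
        # Wildcard only as the whole left-most label. Simplification:
        # refuse a wildcard sitting directly under a single-label suffix.
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern


def covering_sans(hostname, cert):
    """SAN entries of a getpeercert()-style dict that cover hostname."""
    return [
        value
        for kind, value in cert.get("subjectAltName", ())
        if kind == "DNS" and san_matches(hostname, value)
    ]


# Constructed sample in getpeercert() layout (see lead-in for assumptions).
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "sni157484.cloudflaressl.com"),
        ("DNS", "*.formation.pub"),  # assumed wildcard form
        ("DNS", "formation.pub"),
    )
}

if __name__ == "__main__":
    for host in ("formation.pub", "www.formation.pub",
                 "a.b.formation.pub", "store.silverpvp.com"):
        hits = covering_sans(host, SAMPLE_CERT)
        print(f"{host:22} -> {hits or 'NAME MISMATCH'}")
```

An empty result for `store.silverpvp.com` is the mismatch the browser reports: the server answered with a certificate that never listed that name.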

Switch to a different subdomain rather than store.silverpvp.com or??

What I can do which I'm not sure if it would be a solution is just have that store button link to http://silverpvp.buycraft.net/ which is where store.silverpvp.com points to. Maybe?

This seemed to work fine for now, not as polished as I'd like but at least users can get to the page now.

Yes, http://silverpvp.buycraft.net/ would work. The tl;dr is that you can't use anything on silverpvp.com without https due to the HSTS preload (I should note that https://hstspreload.appspot.com/ warns about this :blush:).

I don't know, it's your setup.

Incidentally, images.yourdomain
apparently isn't on the server or IP that www.yourdomain.com is on at all,
as it is returning a cert for https://hueblur.com https://www.hueblur.com

which seems suspect; the operator of that server would need to get/add the cert for images.yourdomain to his list
(are these 3rd parties even aware you're pointing your names at their servers?)

Hey,
I was having this same problem a minute ago but just troubleshot it. The problem seems to be you're including multiple domains on the same certificate (not sure if this is allowed but if so you're #doingitwrong). Anyway, the solution (which may vary as I run debian/apache) if using sudo ./letsencrypt-auto --apache (assuming the menu is the same for nginx) is:

1 delete /etc/letsencrypt/renewal/*
2 run sudo ./letsencrypt-auto --apache
3 when the menu comes up with all the available domains to encrypt only select 1 and hit enter (you'll see a message about the renewal item you just deleted, this is good)
4 repeat as necessary for all domains individually

Then when you look in /etc/letsencrypt/renewal you will see multiple instead of just one and the server should serve what's appropriate after that.

Having multiple domains on one certificate is perfectly fine and allows you to serve clients without SNI support. Whether or not it makes sense to have one "big" certificate or multiple small ones depends on many things - for example, how often are new domains added? How many domains and subdomains are you using? etc.

Hello pfg,
As I said above I don't know whether it's allowed or not, but if it is, letsencrypt is doing it wrong. This is the issue: when they are all lumped together in one, it's only serving one, not all of them. That is specifically why my solution works. So in this particular case it does not make sense to have multiple domains in one certificate because all that's getting served is a certificate for one domain.

Not sure I follow. A certificate can have any number of subjectAltNames (SAN), and there are no special rules that prohibit different domains from appearing on the same certificate. There's nothing inherently better or worse about setting things up like that, it all depends on the circumstances.

Let me put it another way. Lumped together on the same certificate with letsencrypt you can get the aforementioned error; separately on multiple certificates you don't.

If you get a certificate mismatch error because you've put more than one domain name on your Let's Encrypt certificate, the error is in your web server configuration, not with the certificate. It is entirely possible, practical, and appropriate to combine multiple hostnames (including multiple domains) into a single certificate, and to do so without client errors--I'm doing it, as I'm sure are many others.

