Certs Issued to Wrong Domain

#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: coreyholzer.com

I ran this command: sudo certbot certonly --standalone --agree-tos -m theboss@coreyholzer.com -d coreyholzer.com -d www.coreyholzer.com -d mail.coreyholzer.com

It produced this output: It produced a cert issued to virtualserver.me (the domain for my VPS server), and this causes browsers to think it's an invalid certificate. I also tried generating the cert using Apache 2.4 and nginx 1.14.

My web server is (include version): I tried with both Apache and nginx

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: AWS Lightsail

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no I use the command line

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

#2

That’s not quite what is happening.

It definitely produced the correct certificate (4 times, in fact) but Apache is choosing not to use that certificate.

You need to take a look at your Apache configuration and see how each of your <VirtualHost *:443> are configured, and with what certificate.

One place to start:

```
grep -Ri SSLCertificateFile /etc/apache2
```

If you used certonly in your Certbot command, then Certbot wouldn’t automatically install the certificate for you. You’d have to manually configure Apache to use it.

To do it automatically, you’d use certbot --apache instead of certbot certonly --standalone.

#3

My nginx server config for the virtual domain coreyholzer.com is as follows:

```
server {
    listen 443 ssl;
    server_name coreyholzer.com www.coreyholzer.com *.coreyholzer.com;

    ssl                     on;
    ssl_certificate         /etc/letsencrypt/live/coreyholzer.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/coreyholzer.com/privkey.pem;
    ssl_protocols           SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache       shared:SSL:20m;
    ssl_session_timeout     4h;
    ssl_handshake_timeout   30s;
}
```

My Apache configuration is as follows:

```
<VirtualHost *:443>
    SSLEngine off
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/coreyholzer.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/coreyholzer.com/privkey.pem
    SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
    SSLProtocol -All +TLSv1.2
```

The live certs are symbolically linked as follows:

```
cert.pem -> ../../archive/coreyholzer.com/cert2.pem
chain.pem -> ../../archive/coreyholzer.com/chain2.pem
fullchain.pem -> ../../archive/coreyholzer.com/fullchain2.pem
privkey.pem -> ../../archive/coreyholzer.com/privkey2.pem
```

Trying to regenerate the certs now tells me I generated them too many times.

When I look at the cert details it says the server is virtualserver.me.

I am working through your other suggestions now. I will reply with more details once I have them.

#4

Hi @allthingscyber,

What does certbot certificates say? I agree with @_az’s impression that the server that you see when you visit the site in a browser is not the same certificate that Certbot has saved on the disk (and that your web server configurations are apparently pointed to).

What is virtualserver.me? Is that also your domain? Can we assume that you’re the only person using this VPS and that it’s not in some kind of container or behind some kind of reverse proxy or CDN?

#5

For what it’s worth, it does resolve to the same IP address: 3.90.91.211

#6

Hi @allthingscyber

Your Apache isn't used; there are only nginx answers.

| Domainname | IP | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|---|
| http://coreyholzer.com/ | 3.90.91.211 | 301 | https://virtualserver.me/ | 0.206 | E |
| http://www.coreyholzer.com/ | 3.90.91.211 | 301 | https://virtualserver.me/ | 0.206 | E |
| https://coreyholzer.com/ | 3.90.91.211 | 200 | | 2.293 | N |
| | | Certificate error: RemoteCertificateNameMismatch | | | |
| https://virtualserver.me/ | | 200 | | 2.126 | B |
| https://www.coreyholzer.com/ | 3.90.91.211 | 200 | | 2.064 | N |
| | | Certificate error: RemoteCertificateNameMismatch | | | |
| http://coreyholzer.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 3.90.91.211 | 301 | https://virtualserver.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.210 | E |
| | | Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu) | | | |
| http://www.coreyholzer.com/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 3.90.91.211 | 301 | https://virtualserver.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | 0.207 | E |
| | | Visible Content: 301 Moved Permanently nginx/1.14.0 (Ubuntu) | | | |
| https://virtualserver.me/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | | 404 | | 1.967 | A |
| | | Not Found. Visible Content: 404 Not Found nginx/1.14.0 (Ubuntu) | | | |

And you have redirects to virtualserver.me.

Looks like your coreyholzer.com vHost isn't used; instead the vHost of virtualserver.me is used. Are there redirects defined?

Is your nginx site enabled?
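The RemoteCertificateNameMismatch above is the browser-side check that the certificate's Subject Alternative Names cover the host it connected to. The following is an added example (not from this thread or from Certbot) that reproduces that check in POSIX shell, so you can test a certificate on disk and the one the server actually presents for a given SNI name and tell "wrong cert saved" from "wrong vHost answering". The function names are mine; `cert_covers_host` and `served_cert_covers_host` assume OpenSSL 1.1.1 or newer for the `x509 -ext` option.

```shell
# Added example: does a certificate's SAN list cover a hostname?
# (Same test a browser applies before reporting a name mismatch.)

# Extract DNS names from the text that `openssl x509 -noout -ext subjectAltName`
# prints, e.g. "X509v3 Subject Alternative Name:\n    DNS:a.com, DNS:www.a.com".
# Output: one name per line.
san_dns_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# Does one certificate name (exact or leading-wildcard) match the host?
# A wildcard matches exactly one label, as RFC 6125 requires: *.example.com
# covers www.example.com but not example.com or a.b.example.com.
name_matches() {
    nm_host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    nm_pattern=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$nm_pattern" in
        '*.'*)
            nm_suffix=${nm_pattern#\*.}
            [ "${nm_host#*.}" = "$nm_suffix" ] && [ "${nm_host%%.*}" != "$nm_host" ]
            ;;
        *)
            [ "$nm_host" = "$nm_pattern" ]
            ;;
    esac
}

# Usage: names_cover_host HOST NAME...   (returns 0 if any name covers HOST)
names_cover_host() {
    nc_host=$1; shift
    for nc_name in "$@"; do
        if name_matches "$nc_host" "$nc_name"; then return 0; fi
    done
    return 1
}

# Check a PEM certificate on disk, e.g. /etc/letsencrypt/live/<domain>/cert.pem.
# Usage: cert_covers_host /path/to/cert.pem www.example.com
cert_covers_host() {
    cc_san=$(openssl x509 -in "$1" -noout -ext subjectAltName)
    names_cover_host "$2" $(san_dns_names "$cc_san")
}

# Fetch the certificate the server really presents for an SNI name and apply
# the same test. If this fails while cert_covers_host passes, the certificate
# on disk is fine and a different vHost (or server block) is answering.
# Usage: served_cert_covers_host 3.90.91.211 www.example.com
served_cert_covers_host() {
    sc_san=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
             | openssl x509 -noout -ext subjectAltName)
    names_cover_host "$2" $(san_dns_names "$sc_san")
}
```

Running `cert_covers_host` against `live/<domain>/cert.pem` and `served_cert_covers_host` against the server IP with the same hostname gives you the two halves of the comparison this thread is about: the first tells you what Certbot saved, the second what the web server is actually handing out.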

#7

So NGINX is listening on port 443.
Who is listening on port 80?

#8

The same nginx, but with a redirect to the other domain.

#9

I have several domains on my VPS. VirtualServer.me is the primary. AllThingsCyber.tech and CoreyHolzer.com are currently the two additional domains. I will be moving others over to the VPS as well, but those sites are currently live at another hosting provider. I do not want to move them until I get this problem resolved.

To answer @rg305's question: NGINX is the only server running right now and it's handling both ports. I have both servers installed on the box so I can do some performance analysis before choosing one for production.

CH.com should not be redirecting to VS.me. I did not set it up that way. I will take a look at my DNS records and double check my web server configurations.

#10

It's not your DNS setting. These are HTTP redirects, so this is your vHost definition. And, perhaps, the wrong vHost answers, with the wrong certificate.

#11

@JuergenAuer I did not think it was my DNS but I also did not want to overlook something simple.

The odd thing is, it is an error in both server configurations.

#12

OK, problem solved for nginx and it was a ubtk error. I had a bad symbolic link in my sites-enabled directory. There are multiple issues with apache at the moment but since they are not certificate related I will look for help in the proper community.

My thanks to all of you for your help.
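The fix in #12 was a bad symlink in `sites-enabled`, and #2 suggested grepping the config tree for certificate directives. The following is an added example (not from this thread, nginx, Apache or Certbot) that automates both checks in POSIX shell: it reports dangling `sites-enabled` links, which silently drop a vHost so the request falls through to the default server block and its certificate, and it lists every certificate/key directive in the enabled configs with whether the referenced file exists. The function names and the `sites-available`/`sites-enabled` layout it expects are the Debian/Ubuntu packaging convention for both servers; the paths in the usage comments are illustrative.

```shell
# Added example: audit sites-enabled/ links and the certificate paths the
# enabled vhosts reference (nginx and Apache directive spellings).

# List symlinks in a sites-enabled directory whose target no longer exists.
# Returns 0 when every link resolves, 1 when at least one is dangling.
# Usage: check_enabled_links /etc/nginx/sites-enabled
check_enabled_links() {
    cel_dir=$1
    cel_bad=0
    for cel_entry in "$cel_dir"/*; do
        # empty directory: the glob stays literal, skip it
        [ -e "$cel_entry" ] || [ -L "$cel_entry" ] || continue
        if [ -L "$cel_entry" ] && [ ! -e "$cel_entry" ]; then
            printf 'dangling: %s -> %s\n' "$cel_entry" "$(readlink "$cel_entry")"
            cel_bad=1
        fi
    done
    return $cel_bad
}

# Print every certificate/key directive in one config file and whether the
# referenced file exists. certbot's live/ paths are symlinks into archive/,
# so -e (which follows links) is the right test. Returns 1 if any is missing.
# Usage: cert_directives /etc/nginx/sites-enabled/example.com
cert_directives() {
    cd_missing=0
    while read -r cd_directive cd_path; do
        [ -n "$cd_directive" ] || continue
        cd_path=${cd_path%;}                       # strip nginx's trailing ';'
        if [ -e "$cd_path" ]; then cd_state=ok; else cd_state=MISSING; cd_missing=1; fi
        printf '%s: %s %s [%s]\n' "$1" "$cd_directive" "$cd_path" "$cd_state"
    done <<EOF
$(grep -E '^[[:space:]]*(ssl_certificate(_key)?|SSLCertificate(Key)?File)[[:space:]]' "$1" | sed 's/^[[:space:]]*//')
EOF
    return $cd_missing
}

# Run both checks over a sites-enabled directory. Returns 0 only when every
# link resolves and every referenced certificate/key file exists.
# Usage: audit_sites /etc/nginx/sites-enabled   (or /etc/apache2/sites-enabled)
audit_sites() {
    as_rc=0
    check_enabled_links "$1" || as_rc=1
    for as_file in "$1"/*; do
        [ -f "$as_file" ] || continue      # -f follows links, skips dangling ones
        cert_directives "$as_file" || as_rc=1
    done
    return $as_rc
}
```

A non-zero exit from `audit_sites` after `certbot certonly` points at the web server side of the problem, not at the certificate: either the vHost is not really enabled or it is pointing at a path that does not exist, and in both cases the server will answer with some other vHost's certificate.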
