Certs issued for each domain but then domainA thinks it is from domainC


#1

Hello, I’m in a painful loop trying to get my certs issued.

Single web server running nginx:

  1. I have four server blocks set up with basic http:

        root /var/www/domainA.net/html;
        server_name domainA.net www.domainA.net;

        root /var/www/domainB.net/html;
        server_name domainB.net www.domainB.net;

        root /var/www/domainC.com/html;
        server_name domainC.com www.domainC.com;

        root /var/www/domainD.com/html;
        server_name domainD.com www.domainD.com;

  2. DNS is set up, and when I point a browser at all four sites everything comes up on http.
  3. My understanding is that I should only group certs together from a single server block, so this is how I issued them:

        sudo certbot --nginx -d domainA.net -d www.domainA.net
        sudo certbot --nginx -d domainB.net -d www.domainB.net
        sudo certbot --nginx -d domainC.com -d www.domainC.com
        sudo certbot --nginx -d domainD.com -d www.domainD.com

        sudo certbot renew --dry-run

  4. Everything comes back positive, the server blocks are updated correctly and I chose to enable redirect to https.

        sudo certbot certificates

     output:

        Certificate Name: domainA.net
          Domains: domainA.net www.domainA.net
          Expiry Date: 2019-04-13 19:29:05+00:00 (VALID: 89 days)
          Certificate Path: /etc/letsencrypt/live/domainA.net/fullchain.pem
          Private Key Path: /etc/letsencrypt/live/domainA.net/privkey.pem
        Certificate Name: domainB.net
          Domains: domainB.net www.domainB.net
          Expiry Date: 2019-04-13 19:39:51+00:00 (VALID: 89 days)
          Certificate Path: /etc/letsencrypt/live/domainB.net/fullchain.pem
          Private Key Path: /etc/letsencrypt/live/domainB.net/privkey.pem
        Certificate Name: domainC.com
          Domains: domainC.com www.domainC.com
          Expiry Date: 2019-04-13 19:40:25+00:00 (VALID: 89 days)
          Certificate Path: /etc/letsencrypt/live/domainC.com/fullchain.pem
          Private Key Path: /etc/letsencrypt/live/domainC.com/privkey.pem
        Certificate Name: domainD.com
          Domains: domainD.com www.domainD.com
          Expiry Date: 2019-04-13 19:29:40+00:00 (VALID: 89 days)
          Certificate Path: /etc/letsencrypt/live/domainD.com/fullchain.pem
          Private Key Path: /etc/letsencrypt/live/domainD.com/privkey.pem

  5. Now when I point a browser at domainA I get the “Your connection is not private” error: This server could not prove that it is domainA.net; its security certificate is from domainC.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

#2

The cause is that there is no HTTPS virtualhost in nginx that matches for domainA.net (or there is and it points to the wrong certificate).

If you’d like to post your full nginx config, that would allow us to identify what might be wrong. Otherwise there’s nothing to go on.

    nginx -T

#3

Hi _az,

I just found it; I had a copy-and-paste typo in my server blocks:

    ssl_certificate /etc/letsencrypt/live/domainC.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domainC.com/privkey.pem; # managed by Certbot

All four of my server blocks were pointing to the same ssl_certificate and ssl_certificate_key.

geez… that was about 5+ hours today…

Thanks for the timely reply!

-e
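The mistake described in this reply (every TLS server block pointing at one certificate lineage) can be caught before a browser complains. The following is an added example, not code from the thread or from Certbot: it parses `nginx -T` style configuration, pulls `server_name` and `ssl_certificate` from each `server` block, and compares them against the names `certbot certificates` says each file covers. The sample config and the path-to-names mapping below are constructed from the output quoted earlier in the thread.

```python
import re

def parse_server_blocks(config_text):
    """Return the body of each `server { ... }` block, counting braces so a
    nested location block does not end the server block early."""
    blocks = []
    for m in re.finditer(r'\bserver\s*\{', config_text):
        depth, i = 1, m.end()
        while depth and i < len(config_text):
            depth += {'{': 1, '}': -1}.get(config_text[i], 0)
            i += 1
        blocks.append(config_text[m.end():i - 1])
    return blocks

def directive(block, name):
    """Arguments of the first `name ...;` directive in a block, or [] if absent."""
    m = re.search(r'(?m)^\s*' + name + r'\s+([^;#]+);', block)
    return m.group(1).split() if m else []

def find_cert_mismatches(config_text, cert_domains):
    """cert_domains maps a fullchain path to the names it covers (from `certbot certificates`).
    Returns (server_names, cert_path, uncovered) for each TLS block whose cert misses a name."""
    problems = []
    for block in parse_server_blocks(config_text):
        cert = directive(block, 'ssl_certificate')  # does not match ssl_certificate_key
        if not cert:
            continue  # plain-http block, nothing to check
        names = set(directive(block, 'server_name'))
        uncovered = sorted(names - cert_domains.get(cert[0], set()))
        if uncovered:
            problems.append((sorted(names), cert[0], uncovered))
    return problems

DOMAINS = ("domainA.net", "domainB.net", "domainC.com", "domainD.com")
# Constructed sample reproducing the thread's bug: every TLS block points at domainC's files.
SAMPLE_CONFIG = "\n".join(f"""
server {{
    listen 443 ssl;
    server_name {d} www.{d};
    ssl_certificate /etc/letsencrypt/live/domainC.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/domainC.com/privkey.pem; # managed by Certbot
    location / {{ try_files $uri $uri/ =404; }}
}}""" for d in DOMAINS)
# Path -> covered names, constructed from the `certbot certificates` output in the thread.
CERT_DOMAINS = {f"/etc/letsencrypt/live/{d}/fullchain.pem": {d, f"www.{d}"} for d in DOMAINS}

if __name__ == "__main__":
    # Real use: replace SAMPLE_CONFIG with the output of `sudo nginx -T`.
    for names, cert, missing in find_cert_mismatches(SAMPLE_CONFIG, CERT_DOMAINS):
        print(f"{' '.join(names)}: {cert} does not cover {', '.join(missing)}")
```

Against the sample it reports the domainA, domainB and domainD blocks and passes domainC; each reported block is one whose certificate a browser would reject for that hostname.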


closed #4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.