Certs stopped working? NET::ERR_CERT_COMMON_NAME_INVALID

My domain is:
bmrx.dev

I ran this command:
sudo certbot --apache

It produced this output:
Normal output, no errors

My web server is (include version):
bmrx.duckdns.org Doh
Apache2

The operating system my web server runs on is (include version):
Debian 10 (Buster)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
0.31.0

I ran certbot when I first got this domain, the certs went through, and I didn't even have to mess around with the VHost file, apart from an odd issue with Google Domains where going to https://bmrx.dev did not work but going to https://www.bmrx.dev did. I simply used a redirect in their control panel for the domain (Synthetic records) to redirect to www.bmrx.dev and everything was working fine and dandy.

A couple of weeks ago or so they stopped working, with Google Chrome giving this error: NET::ERR_CERT_COMMON_NAME_INVALID.

According to https://crt.sh/?q=bmrx.dev, Google issued some certs to my site. I think this is just something that comes with the .dev domain. Honestly, this is all black magic to me, so it's weird and I'm probably in over my head a bit.

So I tried deleting my certs and just remaking one (sudo certbot delete) and removed the files in /etc/letsencrypt/archive/ and /renewal/. However, I also deleted my old .conf file without thinking it over, so I just remade what I thought was correct and ran certbot again:

<VirtualHost *:80>
        ServerAdmin someone@something.com
        ServerName bmrx.dev
        ServerAlias www.bmrx.dev
        DocumentRoot /var/www/html
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =bmrx.dev [OR]
        RewriteCond %{SERVER_NAME} =www.bmrx.dev
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin someone@something.com
        ServerName bmrx.dev
        DocumentRoot /var/www/html

        SSLCertificateFile /etc/letsencrypt/live/bmrx.dev-0001/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/bmrx.dev-0001/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

This is it.

So now I’m not really sure what is happening here and any help would be greatly appreciated, thank you.

EDIT: I should note that I am using a CNAME record to point the domain to my server (a static IP is not an option).

These two are related. You can't have a CNAME on bmrx.dev, but on www.bmrx.dev you can. This is why Google listens on bmrx.dev and redirects to www.bmrx.dev (this redirect can be https -> http, bad).

Right now there is no web server listening on your 443 port.

Most probably the reason your certificate isn't working is that you have a cert for bmrx.dev while you need a certificate for www.bmrx.dev (and Google needs it for bmrx.dev so it can redirect).

So, add

in the second block too. (You can use www.bmrx.dev as ServerName in both blocks, removing the alias.)

And then run certbot -d www.bmrx.dev
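To make the diagnosis above concrete, here is an added example (not code from the thread or from certbot) that models how a browser judges a certificate: the requested hostname is checked against the certificate's Subject Alternative Names, so a cert for bmrx.dev alone does not cover www.bmrx.dev, which is exactly what Chrome reports as NET::ERR_CERT_COMMON_NAME_INVALID. The SAN lists are constructed for illustration.

```python
# Added example, not part of the original thread: model the browser-side
# hostname check that produces NET::ERR_CERT_COMMON_NAME_INVALID.
# Modern browsers match the requested hostname against the certificate's
# Subject Alternative Name (SAN) entries; the CN field is ignored.

def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, trailing dot ignored, and a
    '*' may only stand for one whole leftmost label, so '*.bmrx.dev' covers
    'www.bmrx.dev' but neither 'bmrx.dev' nor 'a.b.bmrx.dev'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]

def check_cert_for_host(san_list, hostname):
    """Return (ok, reason) the way a browser would judge the certificate."""
    for name in san_list:
        if san_matches(name, hostname):
            return True, f"{hostname} is covered by SAN entry {name}"
    return False, (f"{hostname} is not in SAN {san_list}: "
                   "browser reports NET::ERR_CERT_COMMON_NAME_INVALID")

# Constructed scenario matching the thread: a cert issued for the apex only,
# while the CNAME-based site actually answers as www.bmrx.dev.
APEX_ONLY_CERT = ["bmrx.dev"]
WWW_CERT = ["www.bmrx.dev"]            # what `certbot -d www.bmrx.dev` issues
BOTH_CERT = ["bmrx.dev", "www.bmrx.dev"]

if __name__ == "__main__":
    for cert in (APEX_ONLY_CERT, WWW_CERT, BOTH_CERT):
        print(check_cert_for_host(cert, "www.bmrx.dev"))
```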

This line helped a lot. My ISP moved port forwarding away from their rented-out modem, and it must now be accessed via their website. It messed up a lot of my forwarding rules, and wouldn't you know, I forgot to open that port, so thanks for that!

I took your advice, removed the Alias and changed ServerName to www.bmrx.dev. It seems like the port forwarding rule is taking some time to start working.

<VirtualHost *:80>
        ServerAdmin someone@something.com
        ServerName www.bmrx.dev
        DocumentRoot /var/www/html
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =bmrx.dev [OR]
        RewriteCond %{SERVER_NAME} =www.bmrx.dev
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin someone@something.com
        ServerName www.bmrx.dev
        DocumentRoot /var/www/html

        Include /etc/letsencrypt/options-ssl-apache.conf
        SSLCertificateFile /etc/letsencrypt/live/www.bmrx.dev/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/www.bmrx.dev/privkey.pem
</VirtualHost>
</IfModule>

Not much of a change, but there it is. I then ran the suggested command, and checking crt.sh for bmrx.dev now shows that it is there.

So hopefully once the port forwarding figures itself out this should be working. If it does start working I will mark your reply as the solution.
Thank you.

I just wanted to update:

<VirtualHost *:80>
    ServerAdmin something@something
    DocumentRoot /var/www/fallback
    ServerName bmrx.duckdns.org
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin something@something
    DocumentRoot /var/www/html
    ServerName www.bmrx.dev
    
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =bmrx.dev [OR]
    RewriteCond %{SERVER_NAME} =www.bmrx.dev
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin something@something
    DocumentRoot /var/www/html
    ServerName www.bmrx.dev	

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/bmrx.dev/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/bmrx.dev/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

<VirtualHost *:80>
    ServerAdmin something@something
    DocumentRoot /var/www/ac-modding
    ServerName ac.bmrx.dev
    
    RewriteEngine on
    RewriteCond %{SERVER_NAME} =ac.bmrx.dev [OR]
    RewriteCond %{SERVER_NAME} =ac.bmrx.dev
    RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerAdmin something@something
    DocumentRoot /var/www/ac-modding
    ServerName ac.bmrx.dev	

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLCertificateFile /etc/letsencrypt/live/ac.bmrx.dev/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/ac.bmrx.dev/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

This is my newest virtual hosts file, along with a custom sub-domain. I still don't fully understand what went wrong here. I thought maybe port 443 wasn't open due to my ISP blocking it for whatever reason, but this was not the case.

I moved over from an old pc tower to a raspberry pi to help with electricity costs and to free up space. Ran through certbot again and followed the advice laid out here and everything worked out great. My certs work and my domain can finally be used again.

One oddity, when I added the subdomain I used this command:

sudo certbot -d ac.bmrx.dev --expand

However, this seems to have created a whole new certificate. But at this point I'm just glad it all works and decided to leave it.

--expand is not entirely intuitive: When you use it, you still need to specify every name you want to include in the certificate.

Its meaning is, "iff the list of names is a superset of an existing certificate, replace it instead of asking what to do interactively".
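The superset rule quoted above, as an added illustration (not certbot's own code): a small model of how `--expand` chooses between replacing an existing certificate lineage and creating a new one, including the lineage naming that produces paths like /etc/letsencrypt/live/bmrx.dev-0001 seen earlier in the thread. The lineage table is constructed, and the naming rule (first -d domain, then a -0001 suffix on collision) is my reading of certbot's behaviour, not a quote from its source.

```python
# Added example, not certbot's implementation: model the `--expand` rule
# "if the requested names are a superset of an existing certificate's
# names, replace that certificate; otherwise create a new one".

def lineage_name(first_domain: str, existing: dict) -> str:
    """Assumption about certbot: a lineage is named after the first -d
    domain, with -0001, -0002, ... appended if that name is already taken.
    That is how a bmrx.dev-0001 directory comes to exist."""
    name, n = first_domain, 0
    while name in existing:
        n += 1
        name = f"{first_domain}-{n:04d}"
    return name

def expand(existing: dict, requested: list) -> tuple:
    """existing: {lineage_name: set_of_names}, updated in place.
    requested: the -d names given on the command line, in order.
    Returns (action, lineage_name, sorted_names)."""
    wanted = set(requested)
    for name, names in existing.items():
        if wanted >= names:            # superset: replace this lineage
            existing[name] = wanted
            return ("replace", name, sorted(wanted))
    name = lineage_name(requested[0], existing)
    existing[name] = wanted            # no superset: a brand-new lineage
    return ("new", name, sorted(wanted))

if __name__ == "__main__":
    # The command used in the thread lists only the new name, so the
    # existing www.bmrx.dev lineage is untouched and a second one appears.
    lineages = {"www.bmrx.dev": {"www.bmrx.dev"}}
    print(expand(lineages, ["ac.bmrx.dev"]))
    # Listing every name that should end up on the certificate instead.
    lineages = {"www.bmrx.dev": {"www.bmrx.dev"}}
    print(expand(lineages, ["www.bmrx.dev", "ac.bmrx.dev"]))
```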


Ah, that makes sense!

Thank you very much.
