When I visit the site with Chrome the returned error is NET::ERR_CERT_COMMON_NAME_INVALID. Using Firefox, the cert common name is correct.
My domain is: cmmsandbox.eli.org
I ran this command:
It produced this output:
My web server is (include version): Apache/2.4.41 (Ubuntu)
The operating system my web server runs on is (include version): Ubuntu 20.04.4 LTS
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.32.1
rg305
December 8, 2022, 7:41pm
Hi @steveplatz, and welcome to the LE community forum.
SSL Labs shows a cert name mismatch:
SSL Server Test: cmmsandbox.eli.org (Powered by Qualys SSL Labs)
We are talking about Apache
...
So, take nothing for granted!
What shows?:
```
apachectl -t -D DUMP_VHOSTS
```
Using this online tool SSL Server Test (Powered by Qualys SSL Labs) the results SSL Server Test: cmmsandbox.eli.org (Powered by Qualys SSL Labs) show that 2 different Certificates are being served.
Certificate #1: RSA 2048 bits (SHA256withRSA) Alternative names cmmsandbox.eli.org cmmsandbox.elr.info
Certificate #2: RSA 2048 bits (SHA256withRSA) Alternative names eli.org www.eli.org **MISMATCH**
steveplatz:
What could cause that?
Apart from server config, you might just need to restart Apache. Sometimes some Apache tasks get stuck and will serve a prior cert. I think this is likely your problem as I get different certs for the same repeated request (not related to chrome | firefox).
Note the different Common Name (CN) on identical requests made seconds apart:
```
echo | openssl s_client -connect cmmsandbox.eli.org:443 | head
Certificate chain
 0 s:CN = eli.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 23 12:44:07 2022 GMT; NotAfter: Feb 21 12:44:06 2023 GMT
=================================
echo | openssl s_client -connect cmmsandbox.eli.org:443 | head
Certificate chain
 0 s:CN = cmmsandbox.eli.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 7 21:47:34 2022 GMT; NotAfter: Mar 7 21:47:33 2023 GMT
```
Nice work @MikeMcQ , now that I tried that I see it as well from my location.
I added the certs with certbot - wouldn't certbot restart apache after finishing the config changes?
The --apache plug-in would do a reload, which only affects viable workers. It is possible an Apache worker has been stuck for a long time and you are only seeing implications of that now. Stuff happens.
If you did not use the plug-in (did webroot or something) then you are responsible for reload.
OK, after restart I'm seeing the previous issue clear up. Thanks, super easy!
3 Likes
MikeMcQ
December 9, 2022, 6:19pm
Good. Looks good to me too. I tried like 10 openssl requests and all were correct.
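The repeated-request check used in this thread can be scripted. The following is an added example, not part of any post above: it performs the handshake several times and tallies which leaf certificate each connection receives, so a stale worker serving an older certificate shows up as a second entry. The function names are assumptions of this example, and the fingerprints in the sample are constructed placeholders.

```shell
#!/bin/sh
# Added example: repeat the TLS handshake and tally the leaf certificates returned.

# One handshake; prints the SHA-256 fingerprint and subject on a single line.
probe_once() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 -subject 2>/dev/null |
    paste -sd' ' -
}

# Reads one probe result per line on stdin and prints "count result" for each
# distinct certificate, most frequent first. Failed probes (empty lines) are
# ignored. Returns 0 for exactly one certificate, 1 for several, 2 for none.
tally() {
  summary=$(awk 'NF' | sort | uniq -c | sort -rn)
  printf '%s\n' "$summary"
  distinct=$(printf '%s\n' "$summary" | awk 'NF { n++ } END { print n + 0 }')
  case $distinct in
    0) return 2 ;;
    1) return 0 ;;
    *) return 1 ;;
  esac
}

# check_host HOST [TRIES]: probe HOST repeatedly (default 10 times) and tally.
check_host() {
  i=0
  while [ "$i" -lt "${2:-10}" ]; do
    probe_once "$1"
    i=$((i + 1))
  done | tally
}

# Constructed sample: placeholder fingerprints with the two subjects seen in
# the thread, in the one-line format probe_once emits.
sample_results() {
  cat <<'EOF'
sha256 Fingerprint=AA:AA:AA subject=CN = cmmsandbox.eli.org
sha256 Fingerprint=BB:BB:BB subject=CN = eli.org
sha256 Fingerprint=AA:AA:AA subject=CN = cmmsandbox.eli.org
EOF
}

# Run against a real host only when one is given: ./script.sh HOST [TRIES]
if [ "$#" -gt 0 ]; then check_host "$@"; fi
```

A non-zero exit status after a certificate change means some connections still receive a different certificate; check again after a full restart of Apache.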