Common name in certificate is incorrect

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
www.sengkanggrand.com.sg
I ran this command:
sudo certbot --apache
It produced this output:
After going through the steps it stated successful creation of certificate

My web server is (include version):
Apache 2.4
The operating system my web server runs on is (include version):
Ubuntu 18.04
My hosting provider, if applicable, is:
N/A
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.23.0

More info - the output of openssl s_client -showcerts -connect www.sengkanggrand.com:443 reports an incorrect CN of aba.com.sg

I had previously created a working certificate but chose to delete an old certificate no longer relevant using:
certbot delete --cert-name old.defunctdomain.com

This is when the problems started. Chrome now reports

This site can’t provide a secure connection

www.sengkanggrand.com.sg sent an invalid response.

ERR_SSL_PROTOCOL_ERROR

1 Like

Hi @nsimms

there are some errors. Checking your domain there is only a certificate with one domain name - https://check-your-website.server-daten.de/?q=sengkanggrand.com.sg#ct-logs

Issuer                       not before  not after   Domain names              LE-Duplicate next LE
Let's Encrypt Authority X3   2019-10-22  2020-01-20  www.sengkanggrand.com.sg  - 1 entries duplicate nr. 1

Both domain names (non-www and www) have a DNS entry, so you should create one certificate with both domain names.

Second - and more critical: Your port 443 sends http content, Grade Q:

Domainname | Http-Status | redirect | Sec. | G
http://sengkanggrand.com.sg/ | 150.109.16.148 | 301 | Sengkang Grand Residences | Html is minified: 100,00 % | 0.683 | D
http://www.sengkanggrand.com.sg/ | 150.109.16.148 | GZip used - 6528 / 35374 - 81,55 % | 200 | Html is minified: 136,31 % | 0.693 | H
    Sengkang Grand Residences | GZip used - 6528 / 35374 - 81,55 % | 200 | Html is minified: 136,31 % | 0.747 | H
https://sengkanggrand.com.sg/ | 150.109.16.148 | -4 | 1.340 | W
    SendFailure - The underlying connection was closed: An unexpected error occurred on a send.
https://www.sengkanggrand.com.sg/ | 150.109.16.148 | -4 | 1.360 | W
    SendFailure - The underlying connection was closed: An unexpected error occurred on a send.
http://sengkanggrand.com.sg:443/ | 150.109.16.148 | 301 | Sengkang Grand Residences | Html is minified: 100,00 % | 0.690 | Q
    Visible Content: Moved Permanently The document has moved here . Apache/2.4.29 (Ubuntu) Server at sengkanggrand.com.sg Port 443
http://www.sengkanggrand.com.sg:443/ | 150.109.16.148 | GZip used - 6528 / 35374 - 81,55 % | 200 | Html is minified: 136,31 % | 0.694 | Q

https + 443 doesn't work (SendFailure), but http + 443 sends a correct http answer.

So first step: Share your vHost configuration.

apachectl -S
1 Like

Did you run the command as root / sudo?

If apachectl -S doesn't work, that's critical.

Perhaps disable your port 443 vHost.

Working port 80 vHost -> create the correct certificate -> let Certbot create a vHost.

The first step is missing.

1 Like

That's good:

One port 80 vHost with both domain names.

So try one time

sudo certbot -d sengkanggrand.com.sg -d www.sengkanggrand.com.sg --apache
1 Like

Forgive me, but I already regenerated the cert with both domain names (www and non-www) after you suggested that in your first reply.

Did you notice my comment about the output of
openssl s_client -showcerts -connect www.sengkanggrand.com:443

It shows Subject=/CN=aba.com.sg

Is this significant?

Other certs I've created have the expected domain here. I would have expected www.sengkanggrand.com.sg

1 Like

There is a new check of your domain, 20 minutes old - https://check-your-website.server-daten.de/?q=sengkanggrand.com.sg

There is no new certificate visible. And again a Grade Q.

That's another domain name, com, not com.sg.

Check that domain to see, if the certificate has a correct SAN-list.

1 Like

Oh my, so sorry. My bad. That info is irrelevant then, but running against the correct domain yields the following output.

Does this provide any clue?

ubuntu@VM-0-15-ubuntu:/etc/apache2/sites-available$ openssl s_client -showcerts -connect www.sengkanggrand.com.sg:443
CONNECTED(00000003)
140700083844160:error:1408F10B:SSL routines:ssl3_get_record:wrong version number:…/ssl/record/ssl3_record.c:332:

no peer certificate available

No client certificate CA names sent

SSL handshake has read 5 bytes and written 293 bytes
Verification: OK

New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Resumption PSK:
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1571824920
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0

1 Like

It looks as if https is not serving port 443.
Can you show the vhost config file?
/etc/apache2/sites-enabled/sengkang-grand-le-ssl.conf

also:
grep -Ri SSLCertificateFile /etc/apache2/

I see no:
SSLEngine On
[may be included elsewhere - but won’t hurt to state it here]

Also, there is a rewrite to http://…
[that should probably https://…]

can you also show output of:
grep -Ri SSLCertificateFile /etc/apache2/

1 Like
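Two of the checks in this thread, written up as an added example (not code from any of the posters or from Certbot): the "wrong version number" after 5 bytes read from the openssl output above is what you get when the bytes on port 443 are a plain HTTP reply rather than a TLS record header, and the vHost audit looks for exactly the things asked about (missing SSLEngine on, SSLCertificateFile, a rewrite to http://). The vHost text is constructed for the example; the /etc/letsencrypt/live/... paths are Certbot's usual layout, and probe_https needs network access.

```python
import re
import socket
import ssl

# Constructed vhost text for this example, modelled on the thread's symptoms
# (no SSLEngine on, rewrite to http://). Not the poster's actual file.
SAMPLE_VHOST = """<VirtualHost *:443>
    ServerName www.sengkanggrand.com.sg
    RewriteEngine on
    RewriteRule ^ http://www.sengkanggrand.com.sg%{REQUEST_URI} [R=301,L]
    SSLCertificateFile /etc/letsencrypt/live/www.sengkanggrand.com.sg/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.sengkanggrand.com.sg/privkey.pem
</VirtualHost>
"""

def classify_first_bytes(data: bytes) -> str:
    """Tell a TLS record from a plaintext HTTP reply on port 443. A TLS record
    header is content type (0x16 handshake / 0x15 alert) plus version 0x03 0x00..0x04;
    openssl's "wrong version number" means the 5 bytes it read were not that."""
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03 and data[2] <= 0x04:
        return "tls"
    if data.startswith(b"HTTP/"):
        return "http"
    return "unknown"

def audit_ssl_vhost(conf: str) -> list:
    """Flag the port 443 vHost mistakes discussed in the thread."""
    block = re.search(r"<VirtualHost[^>]*:443>(.*?)</VirtualHost>", conf, re.S)
    if not block:
        return ["no port 443 VirtualHost found"]
    body, findings = block.group(1), []
    if not re.search(r"^\s*SSLEngine\s+on\b", body, re.I | re.M):
        findings.append("SSLEngine on missing: Apache answers plain HTTP on 443")
    if not re.search(r"^\s*SSLCertificateFile\b", body, re.M):
        findings.append("SSLCertificateFile missing")
    for m in re.finditer(r"^\s*RewriteRule\s+\S+\s+(http://\S+)", body, re.M):
        findings.append("rewrite to plain http target: " + m.group(1))
    return findings

def probe_https(host: str, port: int = 443) -> str:
    """Live check (needs network): handshake with SNI, like a browser, and list SANs."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
                return "tls ok, SAN: " + ", ".join(sans)
    except ssl.SSLError as exc:
        # reason is WRONG_VERSION_NUMBER when 443 speaks plain HTTP
        return "handshake failed: " + str(exc.reason)
```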

As already written: Your configuration is buggy, Grade Q, http over port 443.

So:

  • create the correct certificate
  • let Certbot do the job to create a correct vHost.
1 Like

By the way, apart from other more important problems (you need to set up the port 443 vhost to use HTTPS instead of HTTP), this method won't show the right certificate with virtual hosting because it doesn't send any SNI field in the HTTPS connection. For that, you need to add the OpenSSL option -servername www.sengkanggrand.com.sg; that more closely follows the behavior that a web browser would use in connecting to your site.

In your current situation, this wouldn't initially give a different result, but if you have to debug other things in the future related to certificate mismatches, it might give more relevant debugging information.

1 Like
