Common Name Issue with Only One Domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com (Apologies could not share actual domain)

I ran this command: Already got Let's Encrypt certificate

It produced this output:

My web server is (include version): nginx version: nginx/1.19.9

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Hi Team,

When checking this domain through any SSL checker, a different domain name of ours, like example11.com, is shown as the common name, for this domain only. We have multiple domains with the correct common name. How can the common name be set to example.com? Apologies, I could not share the actual domain due to some issues. Your support in this regard will be highly appreciated.

Regards,
Muhammad Usman

1 Like

Hi @muhammadusman, and welcome to the LE community forum :)

We should have a look at the output of:
nginx -T
and
certbot certificates

4 Likes

Hi,

Thanks for your response. Adding more information: the common name that is shown for the mentioned domain is our alphabetically first domain, and it also has the same IP address in its DNS A record. Please share the generic cause of this issue. Thank you.

1 Like

There can only be one common name per cert.
If you are combining multiple sites within one cert you will have this issue.
But it is not a problem.
If you want individualized common names, then you will have to issue one cert per domain.

5 Likes

I agree with rg305, and to help you see what may be happening, use a tool like the one below. That link shows you the cert for letsencrypt.org. It has one Common Name and several Subject Alternative Names (SANs).
SSL Checker
Use your own host name to see what names yours has. Anyone can see any name in the SANs list, although browsers often show just the Common Name.

4 Likes

Wasn't LE somewhat respecting the common name in the CSR given at finalization? (if it's in the SAN too)

4 Likes

It might... I don't recall having tested for that.

My fuzzy memory tells me that LE gets the alphabetically first name within the SAN [wildcards sort as last] and uses it for the CN.

[edit] vvv The code says it all vvv

3 Likes

If there is a common name in the CSR already, the normalize function will keep the common name, put it into the SAN (then uniquelowercase it), and the CA gets the normalized CSR when it signs the certificate.

5 Likes

Thank you for your response. We are already using different certificates for all domains.

My actual domain is: schooty.ai

I used the command below to get the certificate.

certbot --nginx -d schooty.ai

But when I checked with SSL Checker,

it shows the common name as a different domain of mine:

Common name: balluchacha.com
SANs: balluchacha.com
Valid from June 21, 2022 to September 19, 2022
Serial Number: 03f67a63a25ac7ff99f2d9332659ff33dcb9
Signature Algorithm: sha256WithRSAEncryption
Issuer: R3

How can I fix it to change it to my actual domain name?

1 Like

You are using the wrong certificate for that domain. Can you post the result of nginx -T (big T)?

6 Likes

I would also check the Certificate Signing Request (CSR), and make sure the Common Name (CN) & the Subject Alternative Name (SAN) contain your desired domain name correctly.

4 Likes

You have received certificates for your domain, as indicated here: crt.sh | schooty.ai

1 Like

Also, it seems both domains map to the IPv4 address 203.99.57.94, which, in itself, is not a problem,
but may assist you in debugging your issue(s).

$ ping  balluchacha.com
PING balluchacha.com (203.99.57.94) 56(84) bytes of data.
^C
--- balluchacha.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11249ms

$ ping schooty.ai
PING schooty.ai (203.99.57.94) 56(84) bytes of data.
^C
--- schooty.ai ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3048ms

1 Like

This is more than a "common name" certificate issue.
It looks like one site is using the wrong certificate.
That can only be fixed within the web server configuration
[issuing/reissuing certificates isn't going to correct such a problem]

4 Likes
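
Added example, not part of any post in this thread: one way to do the web-server check the last reply points to. It reads `nginx -T` output and reports which `ssl_certificate` nginx would present for a host name on port 443, including the fall-back to the default server when no `server_name` matches. The configuration is a constructed sample with placeholder `.example` names, the helper names are hypothetical, only exact `server_name` matches are handled, and all port-443 listeners are treated as one group.

```python
import re
# Constructed sample in the shape of `nginx -T` output (placeholder names).
SAMPLE = """
# configuration file /etc/nginx/conf.d/alpha.example.conf:
server {
    listen 443 ssl;
    server_name alpha.example;
    ssl_certificate /etc/letsencrypt/live/alpha.example/fullchain.pem;
    location / { root /var/www/alpha; }
}
# configuration file /etc/nginx/conf.d/beta.example.conf:
server {
    listen 80;
    server_name beta.example;
}
# configuration file /etc/nginx/conf.d/gamma.example.conf:
server {
    listen [::]:443 ssl;
    server_name gamma.example;
    ssl_certificate /etc/letsencrypt/live/gamma.example/fullchain.pem;
}
"""

def server_blocks(conf):  # bodies of `server { ... }` blocks, nested braces allowed
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def parse(conf):
    """Return (names, cert, is_default) for each port-443 server, in file order."""
    servers = []
    for body in server_blocks(re.sub(r"#.*", "", conf)):
        get = lambda name: re.findall(rf"^\s*{name}\s+([^;]+);", body, re.M)
        if any(re.match(r"(\S*:)?443\b", l) for l in get("listen")):
            servers.append((" ".join(get("server_name")).split(),
                            (get("ssl_certificate") or [None])[0],
                            any("default_server" in l for l in get("listen"))))
    return servers

def cert_for(host, servers):
    """Return (certificate path, reason) for the server that would answer `host`."""
    for names, cert, _ in servers:
        if host in names:
            return cert, "matched server_name"
    fallback = [s for s in servers if s[2]] or servers  # else first in file order
    return (fallback[0][1], "default server") if fallback else (None, "no 443 server")
```

In the sample, `beta.example` has no port-443 block, so `cert_for("beta.example", parse(SAMPLE))` resolves to the first 443 server's certificate; a host that comes back as "default server" is being answered with another site's certificate.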
