Common Name Issue with Only One Domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: example.com (Apologies could not share actual domain)

I ran this command: Already got lets encrypt certificate

It produced this output:

My web server is (include version): nginx version: nginx/1.19.9

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009 (Core)

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Hi Team,

While checking this domain through any SSL checker then our different domain name like example11.com is shown as common name for only this domain. We have multiple domains having correct common name. How common name can be set same as example.com. Apologies could not share actual domain due to some issues. You support in this regard will be highly appreciated.

Regards,
Muhammad Usman

1 Like

Hi @muhammadusman, and welcome to the LE community forum :slight_smile:

We should have a look at the output of:
nginx -T
and
certbot certificates

3 Likes

Hi,

Thanks for your response. Adding more information, common name that is shown is our alphabetically first domain against mentioned domain and it is also have same IP address in DNS A record. Please share the generic cause of this issue. Thank you.

1 Like

There can only be one common name per cert.
If you are combining multiple sites within one cert you will have this issue.
But it is not a problem.
If you want individualized common names, then you will have to issue one cert per domain.

4 Likes

I agree with rg305 and to help you see what may be happening use a tool like below. That link shows you the cert for letsencrypt.org. It has one Common Name and several Subject Alternative Names (SANs).
SSL Checker
Use your own host name to see what names yours has. Anyone can see any name in the SANs list although browsers often show just the Common Name

3 Likes

wasn't LE somewhat respects common name in CSR given at finalization? (if it's in SAN too)

3 Likes

It might... I don't recall having tested for that.

My fuzzy memory tells me that LE gets the alphabetically first name within the SAN [wildcards sort as last] and uses it for the CN.

[edit] vvv The code says it all vvv

2 Likes

if there is common name in csr already normalize function will keep the common name call that into SAN (then uniquelowercase it) and CA get normalized csr when sign certificate

4 Likes

Thank you for your response. We are already using different certificates for all domains.

My Actual Domain is : schooty.ai

Used below command to get certificate.

certbot --nginx -d schooty.ai

But when i checked from SSL Checker

It shows the Common name as my different domain

Common name: balluchacha.com
SANs: balluchacha.com
Valid from June 21, 2022 to September 19, 2022
Serial Number: 03f67a63a25ac7ff99f2d9332659ff33dcb9
Signature Algorithm: sha256WithRSAEncryption
Issuer: R3

How i can fix it to change to my actual domain name.

1 Like

you are using wrong certificate for that domain. can you post result of nginx -T (big T)?

5 Likes

I would also check the Certificate Signing Request (CSR), and make sure the Common Name (CN) & the Subject Alternative Name (SAN) contain your desired domain name correctly.

1 Like

You have receive certificates for your domain as indicated here: crt.sh | schooty.ai

1 Like

Also it seems both domains map to the IPv4 Address of 203.99.57.94, which in itself, is not a problem.
But may assist you in debugging your issue(s).

$ ping  balluchacha.com
PING balluchacha.com (203.99.57.94) 56(84) bytes of data.
^C
--- balluchacha.com ping statistics ---
12 packets transmitted, 0 received, 100% packet loss, time 11249ms

$ ping schooty.ai
PING schooty.ai (203.99.57.94) 56(84) bytes of data.
^C
--- schooty.ai ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3048ms
1 Like

This is more than a "common name" certificate issue.
It looks like one site is using the wrong certificate.
That can only be fixed within the web server configuration
[issuing/reissuing certificates isn't going to correct such a problem]

3 Likes