"Common name" mismatch


#1

So my LE SSL seems to be working, but there's an issue.

In doing some validations here for my domain karlaporter.com:
https://www.ssllabs.com/ssltest/analyze.html?d=karlaporter.com

But I notice that there are some issues with the “common name mismatch”. Screenshot here: http://i.imgur.com/Mg7fAik.png

Why’s this server pointing to another domain? In my nginx.conf I have separate lines for the PEM files:

    #--- DOMAIN 1: amitavachattopadhyay.com
    server {
        listen 443 ssl http2       ;
        listen [::]:443 ssl http2  ;

        # the www name was missing its ".com" suffix
        server_name   amitavachattopadhyay.com www.amitavachattopadhyay.com ;
        root /home/amitava ;

        ssl_certificate       /etc/letsencrypt/live/amitavachattopadhyay.com/fullchain.pem ;
        ssl_certificate_key   /etc/letsencrypt/live/amitavachattopadhyay.com/privkey.pem ;

        include common.conf;
        include ssl.conf;
    }

    #--- DOMAIN 2: karlaporter.com
    server {
        listen 443  ssl  http2 ;
        listen [::]:443 ssl ;

        server_name   karlaporter.com;
        root /home/karla;

        ssl_certificate /etc/letsencrypt/live/karlaporter.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/karlaporter.com/privkey.pem;

        include common.conf;
        include ssl.conf;
    }

But this line is shared by all server blocks:

    ssl_dhparam /etc/ssl/certs/dhparam.pem;

Is this the reason? Do I need to issue this “dhparam” for every domain?


#2

You will see a small annotation on the test site about this certificate being sent only for “no SNI”. SNI is the means by which modern web browsers permit virtual hosting with HTTPS. Without this feature each HTTPS site must have its own IP address.

Most web admins don’t need to care about very old browsers that can’t do SNI. If you know you’re an exception consider a separate IP for each of the sites, or using a new certificate which lists all the site names at once, so that it’s valid for all the sites.

The Diffie-Hellman parameters aren’t relevant here. We should probably not all use the same ones around the world because an attacker with truly vast resources (e.g. the US government) could justify spending them to break a DH setting if it’s the same for billions of people. But sharing with fifty or a thousand sites is no problem.
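As an added illustration of the "no SNI" behaviour described above (example code written for this page, not from the thread or from nginx): for a client that sends no SNI, nginx answers with the certificate of the `default_server` for that listen address, or, if none is marked, the first server block listening there. The script below reads a trimmed, constructed copy of the two server blocks from the question and reports which certificate a no-SNI client gets; `parse_servers` and `no_sni_cert` are names chosen here, and the parser only handles flat server blocks without nested `location {}` sections.

```python
import re

# Constructed sample: the two server blocks from the question, reduced to the
# directives that decide certificate selection (listen, server_name, ssl_certificate).
SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name amitavachattopadhyay.com www.amitavachattopadhyay.com;
    ssl_certificate /etc/letsencrypt/live/amitavachattopadhyay.com/fullchain.pem;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl;
    server_name karlaporter.com;
    ssl_certificate /etc/letsencrypt/live/karlaporter.com/fullchain.pem;
}
"""


def parse_servers(conf):
    """Return one dict per top-level server { } block: listen addresses, names,
    certificate path and which listen addresses carry default_server."""
    servers = []
    # Non-greedy match: sufficient for flat blocks, breaks on nested braces.
    for body in re.findall(r"server\s*\{(.*?)\}", conf, re.S):
        srv = {"listen": [], "server_name": [], "ssl_certificate": None, "default": []}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip().rstrip(";")   # drop comments and ';'
            if not line:
                continue
            key, *args = line.split()
            if key == "listen":
                srv["listen"].append(args[0])
                if "default_server" in args:
                    srv["default"].append(args[0])
            elif key == "server_name":
                srv["server_name"].extend(args)
            elif key == "ssl_certificate":
                srv["ssl_certificate"] = args[0]
        servers.append(srv)
    return servers


def no_sni_cert(conf, addr="443"):
    """Certificate nginx presents to a client that sends no SNI on `addr`:
    the block marked default_server for that address, else the first block listening there."""
    candidates = [s for s in parse_servers(conf) if addr in s["listen"]]
    for srv in candidates:
        if addr in srv["default"]:
            return srv["ssl_certificate"]
    return candidates[0]["ssl_certificate"] if candidates else None
```

Marking `listen 443 ssl http2 default_server;` in the karlaporter.com block flips the no-SNI answer to that site's certificate; it cannot make one certificate valid for both names, which is what the combined certificate or separate IP suggested above is for.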


#3

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.