I set a.example.com up last year without any problems. I’m running Ubuntu 16.04 and apache2, and I used certbot-auto, e.g.:
certbot-auto certonly --webroot --webroot-path /var/www/vhost.b -d b.example.com -d b.myserver.example.com
While I successfully get a certificate for b, the certificate matches myserver.example.com instead of b.example.com, so Chrome goes into full-blown alarum-alarum (“Your connection is not private”, etc.) and I’m going slowly insane trying to figure out what is going on here.
Comparing the two setups (a and b are handled by apache-run virtual host configurations on myserver) yields NO difference at all. In fact, the openssl x509 output check on the fullchain.pem that I got for a and b respectively from certbot shows EXACTLY the domain names I would expect (and myserver.example.com is not listed at all).
Using nslookup, host, etc all show equivalent results between a and b.
The only difference I’ve discovered is when using the browser to examine the certificate: a shows a.example.com but b shows myserver.example.com. I’ve even tried different browsers and cleared out all data on one browser to be sure I wasn’t somehow caching an old cert from when setting b up.
What completely stumps me is that the output of openssl x509 -text -noout -in cert.pem looks good for both a and b:
root# openssl x509 -text -noout -in cert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            [...]
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
        Validity
            Not Before: Jul 16 12:42:16 2018 GMT
            Not After : Oct 14 12:42:16 2018 GMT
        Subject: CN=[a|b].example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    [...]
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                [...]
            X509v3 Authority Key Identifier:
                keyid:[...]
            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
            X509v3 Subject Alternative Name:
                DNS:[a|b].example.com, DNS:[a|b].myserver.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : [...]
                    Timestamp : Jul 16 13:42:16.605 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [...]
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : [...]
                    Timestamp : Jul 16 13:42:16.791 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                [...]
    Signature Algorithm: sha256WithRSAEncryption
         [...]
root@example:/etc/letsencrypt/live/b.example.com# openssl x509 -noout -modulus -in fullchain.pem | openssl md5
(stdin)= f3808a306853c31ee5ca309224207322
root@example:/etc/letsencrypt/live/b.example.com# openssl rsa -noout -modulus -in privkey.pem | openssl md5
(stdin)= f3808a306853c31ee5ca309224207322
Where would you start looking?
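An added diagnostic, not part of the original question or of certbot/apache: the browser judges the certificate the server actually presents for the SNI name the client sends, not the file on disk, so the first thing to compare is the served certificate against the certbot file. The script below fetches the served certificate with openssl s_client -servername, prints its subject and SAN names, and compares its SHA-256 fingerprint with the leaf in /etc/letsencrypt/live/<name>/fullchain.pem; when apache2ctl is available it also prints which vhost is the default for port 443. The host names and certbot path are the ones from the question and are assumed to be reachable from where the script runs; SAMPLE_X509_TEXT is a constructed fragment of openssl x509 -text output used only for the offline self-check.

```shell
#!/bin/sh
# Added diagnostic (not from the original post). Compares the certificate a
# server presents for a given SNI name with the certbot file on disk.
# Assumptions: host names and /etc/letsencrypt/live/<name>/fullchain.pem are
# those from the question; openssl(1) is on PATH.

# Print the DNS names from the "X509v3 Subject Alternative Name" extension of
# `openssl x509 -text` output read on stdin, one per line (nothing if absent).
san_dns_names() {
    awk '/Subject Alternative Name/ { getline; print; exit }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# SHA-256 fingerprint (hex, colon separated) of the first PEM cert on stdin.
# For fullchain.pem that first cert is the leaf, which is the one to compare.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# Certificate the server at HOST:443 presents when the client sends SNI=NAME.
# This is what a browser evaluates; the file on disk is irrelevant to it.
served_cert() {  # served_cert HOST NAME
    openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null
}

# Compare served vs on-disk certificate for NAME. Returns 0 on match,
# 1 on mismatch, 2 if no certificate could be fetched.
check_vhost() {  # check_vhost HOST NAME [PEM]
    host=$1; name=$2; pem=${3:-/etc/letsencrypt/live/$name/fullchain.pem}
    served=$(served_cert "$host" "$name")
    [ -n "$served" ] || { echo "$name: no certificate received from $host"; return 2; }
    echo "== $name (served by $host, SNI=$name)"
    printf '%s\n' "$served" | openssl x509 -noout -subject
    printf '%s\n' "$served" | openssl x509 -text -noout | san_dns_names | sed 's/^/   SAN: /'
    got=$(printf '%s\n' "$served" | cert_fingerprint)
    want=$(cert_fingerprint < "$pem")
    if [ "$got" = "$want" ]; then
        echo "   OK: served certificate is $pem"
    else
        echo "   MISMATCH: served  $got"
        echo "             on disk $want ($pem)"
        return 1
    fi
}

# Constructed sample of `openssl x509 -text` output (not a real certificate),
# so san_dns_names can be exercised without a network.
SAMPLE_X509_TEXT='        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:b.example.com, DNS:b.myserver.example.com
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1'

# Usage: sh check_served_cert.sh myserver.example.com b.example.com a.example.com
if [ $# -ge 2 ]; then
    host=$1; shift
    for n in "$@"; do check_vhost "$host" "$n"; done
    # Which vhosts answer on :443, and which one Apache treats as the default
    # for that port (it is used when no ServerName/ServerAlias matches the SNI name).
    if command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl -S 2>/dev/null | grep -E 'port 443|default server'
    fi
fi
```

Run it on the web server (or any machine that resolves the names) with the server host first and the SNI names after it. A MISMATCH whose served fingerprint equals the one for another name's fullchain.pem points at Apache's vhost selection rather than at certbot: for name-based SSL vhosts Apache serves the first *:443 vhost loaded when no ServerName or ServerAlias matches the SNI name, so the apache2ctl -S lines are the next thing to read.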