Different results for otherwise identical A, B cnames on server


So I have a server, myserver.example.com. I have two cname’d domains mapping to it, a.example.com/a.myserver.example.com and b.example.com/b.myserver.example.com.

I set a.example.com up last year without any problems. I’m running Ubuntu 16.04, apache2 and I used certbot-auto, e.g.
certbot-auto certonly --webroot --webroot-path /var/www/vhost.b -d b.example.com -d b.myserver.example.com

While I successfully get a certificate for b, the certificate is matching to myserver.example.com instead of b.example.com so it goes into full-blown Chrome alarum-alarum “Your connection is not private” etc and I’m going slowly insane trying to figure out what is going on here.

Comparing the two setups (a and b are handled by apache-run virtual host configurations on myserver) yields NO difference at all. In fact, the openssl x509 output check on the fullchain.pem that I got for a and b respectively from certbot show EXACTLY the domain names I would expect (and myserver.example.com is not at all listed).

Using nslookup, host, etc all show equivalent results between a and b.

The only difference I’ve discovered is when using the browser to examine the certificate: a shows a.example.com but b shows myserver.example.com. I’ve even tried different browsers and cleared out all data on one browser to be sure I wasn’t somehow caching an old cert from when setting b up.

What completely stumps me is that the openssl x509 -text -noout -in cert.pem looks good on both a and b:

root# openssl x509 -text -noout -in cert.pem 
        Version: 3 (0x2)
        Serial Number:
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            Not Before: Jul 16 12:42:16 2018 GMT
            Not After : Oct 14 12:42:16 2018 GMT
        Subject: CN=[a|b].example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
            X509v3 Subject Key Identifier: 
            X509v3 Authority Key Identifier: 

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:[a|b].example.com, DNS:[a|b].myserver.example.com
            X509v3 Certificate Policies: 
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

            CT Precertificate SCTs: 
                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : [...]
                    Timestamp : Jul 16 13:42:16.605 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
[...]                Signed Certificate Timestamp:
                    Version   : v1(0)
                    Log ID    : [...]
                    Timestamp : Jul 16 13:42:16.791 2018 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
[...]    Signature Algorithm: sha256WithRSAEncryption

And also:

root@example:/etc/letsencrypt/live/b.example.com# openssl x509 -noout -modulus -in fullchain.pem | openssl md5
(stdin)= f3808a306853c31ee5ca309224207322

root@example:/etc/letsencrypt/live/b.example.com# openssl rsa -noout -modulus -in privkey.pem | openssl md5
(stdin)= f3808a306853c31ee5ca309224207322

Where would you start looking?


I’d start with the Apache configuration… it sounds like maybe the VirtualHost on port 443 for b.example.com is misconfigured.

Try running apachectl -S and see if the output matches your expectations - it may help point you in the right direction. If that doesn’t help, post the output and the relevant configuration file(s) here.
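Alongside apachectl -S, it helps to look at the problem from the client side: connect to the server with the same SNI name the browser sends and compare what comes back with the file certbot wrote. The script below is an added example, not code from either poster; it uses the thread's hostnames and the /etc/letsencrypt/live/b.example.com/cert.pem path as placeholders, and it only needs the Python standard library. It verifies the chain against the system CA store but deliberately skips the hostname check, so a valid Let's Encrypt certificate issued for the wrong name is reported rather than raising. If the served fingerprint differs from cert.pem and the SANs are those of a different vhost, Apache is not selecting the b.example.com VirtualHost for that SNI name.

```python
"""Compare the certificate a TLS server presents for a given SNI name with the
certificate expected for that name. Added example; not part of the original thread."""
import hashlib
import socket
import ssl
import sys


def san_dns_names(cert):
    """Return the DNS entries of subjectAltName from a getpeercert()-style dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def hostname_matches(hostname, names):
    """Browser-style name check: exact match, or a '*.' wildcard covering exactly one
    leftmost label ('*.example.com' covers b.example.com but not x.b.example.com)."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def fingerprint_der(der_bytes):
    """SHA-256 fingerprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def fingerprint_pem_file(path):
    """SHA-256 fingerprint of the first certificate in a PEM file (cert.pem or
    fullchain.pem from certbot; only the leaf certificate is hashed)."""
    end = "-----END CERTIFICATE-----"
    with open(path) as f:
        first = f.read().split(end, 1)[0] + end
    return fingerprint_der(ssl.PEM_cert_to_DER_cert(first))


def fetch_served_cert(connect_host, sni_name, port=443):
    """Connect to connect_host, present sni_name as SNI, and return
    (parsed cert dict, SHA-256 fingerprint of the served leaf certificate)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False           # we want to see a mismatched cert, not fail on it
    ctx.verify_mode = ssl.CERT_REQUIRED  # chain still verified so getpeercert() is populated
    with socket.create_connection((connect_host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert(), fingerprint_der(tls.getpeercert(binary_form=True))


def diagnose(expected_host, served_cert, served_fp, expected_fp=None):
    """Return a list of findings; an empty list means the server presents the right cert."""
    findings = []
    names = san_dns_names(served_cert)
    if not hostname_matches(expected_host, names):
        findings.append(f"served cert does not cover {expected_host}; its SANs are {names}")
    if expected_fp is not None and served_fp.lower() != expected_fp.lower():
        findings.append("served cert is not the file on disk (SHA-256 fingerprint differs)")
    return findings


if __name__ == "__main__":
    # Usage (hostnames and path are the thread's placeholders; substitute your own):
    #   python check_sni.py myserver.example.com b.example.com \
    #       /etc/letsencrypt/live/b.example.com/cert.pem
    server, name = sys.argv[1], sys.argv[2]
    on_disk = fingerprint_pem_file(sys.argv[3]) if len(sys.argv) > 3 else None
    cert, fp = fetch_served_cert(server, name)
    problems = diagnose(name, cert, fp, on_disk)
    print("OK" if not problems else "\n".join(problems))
```

Run it once with the SNI name set to b.example.com and once with b.myserver.example.com; if either returns the myserver.example.com fingerprint, the port-443 VirtualHost for that name is not the one answering, which is exactly what apachectl -S will show on the server side.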

