Domain Mismatch Problem

Hi

My domain is:

zockpd.com and zpd.wtf - domains with an A record pointing to my root server.

Root-Server: Debian 9/64Bit from deinserverhost
My web server is (include version): Apache/2.4.25 (Debian)
I can login to a root shell on my machine: yes
The version of my client is: certbot 0.28.0
I’m using a control panel to manage my site: no

https://www.ssllabs.com/ssltest/analyze.html?d=zpd.wtf - Error Message: Certificate name mismatch
https://www.whynopadlock.com/results/f2971e31-17b5-470e-bcd6-979348293f3e - Your SSL certificate does not match your domain name!
Protected Domains:

How can I fix that?


What’s the output of certbot certificates?


root@ZPD:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: zpd.wtf
Domains: zpd.wtf www.zpd.wtf
Expiry Date: 2020-07-10 18:46:21+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/zpd.wtf/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zpd.wtf/privkey.pem
Certificate Name: zockpd.com-0001
Domains: zockpd.com
Expiry Date: 2020-07-04 18:11:52+00:00 (VALID: 83 days)
Certificate Path: /etc/letsencrypt/live/zockpd.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zockpd.com-0001/privkey.pem
Certificate Name: zockpd.com
Domains: zockpd.com webinterface.zockpd.com
Expiry Date: 2020-07-03 19:00:43+00:00 (VALID: 82 days)
Certificate Path: /etc/letsencrypt/live/zockpd.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/zockpd.com/privkey.pem
Certificate Name: webinterface.zockpd.com
Domains: webinterface.zockpd.com
Expiry Date: 2020-05-01 18:13:55+00:00 (VALID: 19 days)
Certificate Path: /etc/letsencrypt/live/webinterface.zockpd.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/webinterface.zockpd.com/privkey.pem


root@ZPD:~#


You need to understand how DNS plays its part in TLS.
DNS merely changes a “friendly” name to a bunch of zeros and ones (humans like to group them and present them in IPv4 or IPv6 formats for ease of use). But the long and short of it is that it’s just numbers.
So, you type “zpd.wtf” into your browser and expect to see a secure site - and it fails.
Why?
Because the browser expects to see a certificate for the name it’s looking for (“zpd.wtf”).
But it doesn’t see that cert (as shown by the SSL Labs report) , it sees a cert for “zockpd.com”.
Those two names “don’t match”; thus the “mismatch” error and your “problem”.

How do I fix this?
Well, you need to also provide service via that name (“zpd.wtf”).
This means first understanding SNI and how your server software handles it and any related requirements. [a simple web search should provide ample information and examples]

Once you are serving both names via the same system, you can obtain a cert to cover the added name.
[or a separate cert - one per name]

EDIT:
[just saw your post]
So you do have two certs - this is good.
Now you just need to have two virtual hosts.
[or one virtual host that uses both domain names - this may be easier (if they are expected to serve that exact same content)]

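Concretely, as an added example that is not from the thread or from certbot's own Apache installer: a small shell helper that writes one HTTP-to-HTTPS redirect virtual host and one HTTPS virtual host per name, each pointing at the lineage certbot already issued for that name, so that Apache answers each SNI name with the matching certificate instead of the first one it finds. The certificate paths are those from the `certbot certificates` output above; `SITES_DIR`, the `DocumentRoot` locations and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): one HTTPS virtual host per name, each
# referencing the certificate certbot already issued for that name, so Apache
# can select the right certificate from the SNI name the browser sends.
# The :80 host only redirects to HTTPS. Certificate paths follow the
# "certbot certificates" output; SITES_DIR, DocumentRoot and the function
# names are assumptions.

# vhost_conf DOMAIN CERTNAME [ALIAS...]: print an Apache 2.4 configuration
# for DOMAIN (plus optional ServerAlias names) using the certificate stored
# under /etc/letsencrypt/live/CERTNAME/.
vhost_conf() {
    domain=$1
    certname=$2
    shift 2
    if [ $# -gt 0 ]; then alias_line="ServerAlias $*"; else alias_line=""; fi
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    $alias_line
    # Let's Encrypt follows redirects when validating http-01, so sending
    # everything to HTTPS does not break renewal.
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    $alias_line
    SSLEngine on
    # fullchain.pem (leaf + intermediate), never cert.pem alone, otherwise
    # clients that lack the intermediate cannot build the chain.
    SSLCertificateFile    /etc/letsencrypt/live/$certname/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$certname/privkey.pem
    DocumentRoot /var/www/$domain
</VirtualHost>
EOF
}

# install_vhost DOMAIN CERTNAME [ALIAS...]: write the configuration to
# $SITES_DIR/DOMAIN.conf (Debian default: /etc/apache2/sites-available).
install_vhost() {
    vhost_conf "$@" > "${SITES_DIR:-/etc/apache2/sites-available}/$1.conf"
}

# served_cert_names HOST: the names in the certificate a browser receives when
# it asks for HOST, i.e. what the SSL Labs "name mismatch" check looks at.
# Needs network access to HOST, so it is not exercised offline.
served_cert_names() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -E 'Subject:|DNS:'
}

# Demo: the two lineages from the thread, one virtual host pair each.
vhost_conf zpd.wtf zpd.wtf www.zpd.wtf
vhost_conf zockpd.com zockpd.com
```

On the Debian host this would be `install_vhost zpd.wtf zpd.wtf www.zpd.wtf`, then `a2enmod ssl`, `a2ensite zpd.wtf`, `apachectl configtest` and `systemctl reload apache2`; afterwards `served_cert_names zpd.wtf` should list `zpd.wtf` and `www.zpd.wtf` rather than `zockpd.com`. (`certbot install --cert-name zpd.wtf` with the apache installer makes the same edit to an existing vhost.)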

Thanks, I think it is fixed! :)


OK, I think it is not fixed…

https://www.ssllabs.com/ssltest/analyze.html?d=zpd.wtf

Is that a failure with virtual hosts?

root@ZPD:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/zpd.wtf.conf


Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 64, in _reconstitute
    renewal_candidate = storage.RenewableCert(full_path, config)
  File "/usr/lib/python3/dist-packages/certbot/storage.py", line 441, in __init__
    "file reference".format(self.configfile))
certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/zpd.wtf.conf is broken. Skipping.


Processing /etc/letsencrypt/renewal/zpd.wtf-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zpd.wtf
http-01 challenge for zpd.wtf
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zpd.wtf-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/zockpd.com-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for zockpd.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/zockpd.com-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/zockpd.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webinterface.zockpd.com
http-01 challenge for zockpd.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/zockpd.com/fullchain.pem



Processing /etc/letsencrypt/renewal/webinterface.zockpd.com.conf


Cert is due for renewal, auto-renewing…
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webinterface.zockpd.com
Cleaning up challenges
Attempting to renew cert (webinterface.zockpd.com) from /etc/letsencrypt/renewal/webinterface.zockpd.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6… Skipping.
The following certs could not be renewed:
/etc/letsencrypt/live/webinterface.zockpd.com/fullchain.pem (failure)


** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

The following certs were successfully renewed:
/etc/letsencrypt/live/zpd.wtf-0001/fullchain.pem (success)
/etc/letsencrypt/live/zockpd.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/zockpd.com/fullchain.pem (success)

The following certs could not be renewed:
/etc/letsencrypt/live/webinterface.zockpd.com/fullchain.pem (failure)

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/zpd.wtf.conf (parsefail)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: systemctl start apache2
1 renew failure(s), 1 parse failure(s)
root@ZPD:~#

I’m not sure what the issue is? I’m seeing an “A” without any errors or major warnings on SSLLabs.

Please show file:

renew_before_expiry = 30 days

version = 0.28.0
archive_dir = /etc/letsencrypt/archive/webinterface.zockpd.com
cert = /etc/letsencrypt/live/webinterface.zockpd.com/cert.pem
privkey = /etc/letsencrypt/live/webinterface.zockpd.com/privkey.pem
chain = /etc/letsencrypt/live/webinterface.zockpd.com/chain.pem
fullchain = /etc/letsencrypt/live/webinterface.zockpd.com/fullchain.pem

# Options used in the renewal process

[renewalparams]
account = c7570dcdf8e61e9556eaabca6bdec803
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = standalone

@Osiris
Scroll down to Certificate #2; here is the error.

Compare that line with the other file in that same folder:
/etc/letsencrypt/renewal/

Files 2 & 3 are with authenticator = apache; the rest are all with authenticator = standalone.

Standalone authentication would require stopping Apache first to spin up a temporary web server.
I would try changing the ones that failed to:
authenticator = apache
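As an added example that is not part of the thread or of certbot: a shell checker for the two renewal-config failures seen in the dry run above, the lineage whose config is "missing a required file reference" (reported as parsefail) and the standalone lineage that cannot bind port 80 while Apache is running. The sample configuration files are constructed inside the script (the `example.test` paths and account id are made up) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check certbot renewal configuration
# files for the two failures in the dry run above before "certbot renew"
# trips over them. The sample confs are constructed here (paths under
# example.test and the account id are made up); function names are assumptions.

# conf_value FILE KEY: print the value of "KEY = value" in FILE (first match).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# check_renewal_conf FILE: report problems, return 0 only if none were found.
#  - every file reference certbot requires must be present, otherwise renew
#    reports "missing a required file reference" and skips the lineage;
#  - authenticator = standalone needs port 80 free, so on a host where Apache
#    is running it fails with "Problem binding to port 80" unless a pre_hook
#    stops Apache first.
check_renewal_conf() {
    conf=$1
    rc=0
    for key in archive_dir cert privkey chain fullchain; do
        if [ -z "$(conf_value "$conf" "$key")" ]; then
            echo "$conf: missing required file reference '$key' (certbot reports parsefail)"
            rc=1
        fi
    done
    auth=$(conf_value "$conf" authenticator)
    hook=$(conf_value "$conf" pre_hook)
    if [ "$auth" = standalone ] && [ -z "$hook" ]; then
        echo "$conf: authenticator = standalone with no pre_hook; port 80 must be free, use authenticator = apache instead"
        rc=1
    fi
    return $rc
}

# fix_authenticator FILE: the change suggested in the thread, switching the
# lineage to the apache authenticator so certbot no longer needs port 80.
fix_authenticator() {
    tmp=$(mktemp)
    sed 's/^authenticator = standalone$/authenticator = apache/' "$1" > "$tmp"
    cat "$tmp" > "$1"   # keep the original file's owner and mode
    rm -f "$tmp"
}

# sample_conf FILE AUTH DROP_KEY [PRE_HOOK]: write a constructed renewal conf
# in the certbot 0.28 layout, leaving out the line for DROP_KEY (may be empty)
# so the parse failure can be reproduced.
sample_conf() {
    file=$1; auth=$2; drop=$3; hook=$4
    {
        echo "renew_before_expiry = 30 days"
        echo "version = 0.28.0"
        echo "archive_dir = /etc/letsencrypt/archive/example.test"
        for k in cert privkey chain fullchain; do
            echo "$k = /etc/letsencrypt/live/example.test/$k.pem"
        done
        echo ""
        echo "# Options used in the renewal process"
        echo "[renewalparams]"
        echo "account = 0123456789abcdef0123456789abcdef"
        echo "server = https://acme-v02.api.letsencrypt.org/directory"
        echo "authenticator = $auth"
        if [ -n "$hook" ]; then echo "pre_hook = $hook"; fi
    } | grep -v "^$drop = " > "$file"
}

# Demo: the three situations seen in the dry run.
demo=$(mktemp -d)
sample_conf "$demo/zpd.wtf.conf" standalone cert                 # parsefail
sample_conf "$demo/webinterface.zockpd.com.conf" standalone ""   # port 80 clash
sample_conf "$demo/zockpd.com.conf" apache ""                    # fine
for f in "$demo"/*.conf; do
    check_renewal_conf "$f" && echo "$f: ok"
done
rm -r "$demo"
```

Run against the real directory with `for f in /etc/letsencrypt/renewal/*.conf; do check_renewal_conf "$f"; done`, then `certbot renew --dry-run` again; the check only looks at the config, so a lineage that passes here can still fail validation for other reasons (DNS, firewall, a vhost that does not serve the challenge).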

OK, I have done this.

Result:
root@ZPD:~# certbot renew --dry-run
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Processing /etc/letsencrypt/renewal/zpd.wtf.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Running pre-hook command: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zpd.wtf
http-01 challenge for zpd.wtf
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zpd.wtf-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/zpd.wtf-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Pre-hook command already run, skipping: systemctl stop apache2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for www.zpd.wtf
http-01 challenge for zpd.wtf
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/zpd.wtf-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/zockpd.com-0001.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for zockpd.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/zockpd.com-0001/fullchain.pem



Processing /etc/letsencrypt/renewal/zockpd.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webinterface.zockpd.com
http-01 challenge for zockpd.com
Waiting for verification…
Cleaning up challenges


new certificate deployed with reload of apache server; fullchain is
/etc/letsencrypt/live/zockpd.com/fullchain.pem



Processing /etc/letsencrypt/renewal/webinterface.zockpd.com.conf


Cert not due for renewal, but simulating renewal for dry run
Plugins selected: Authenticator apache, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for webinterface.zockpd.com
Waiting for verification…
Cleaning up challenges


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/webinterface.zockpd.com/fullchain.pem



** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates below have not been saved.)

Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/zpd.wtf-0001/fullchain.pem (success)
/etc/letsencrypt/live/zpd.wtf-0001/fullchain.pem (success)
/etc/letsencrypt/live/zockpd.com-0001/fullchain.pem (success)
/etc/letsencrypt/live/zockpd.com/fullchain.pem (success)
/etc/letsencrypt/live/webinterface.zockpd.com/fullchain.pem (success)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)


Running post-hook command: systemctl start apache2
root@ZPD:~#

I have installed WordPress on the webspace.

http://zpd.wtf/ = without SSL
and http://zpd.wtf/wp-admin with SSL?

I have no idea what the failure is :(

Hi @Patrick2407

Your first URL has SSL too. But there is no redirect http -> https.

The second has a redirect.

So check in your WordPress how to add a redirect http -> https.
