Err_cert_common_name_invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vivaloverde.com

I ran this command: sudo certbot --nginx -d vivaloverde.com -d www.vivaloverde.com

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.vivaloverde.com
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:443, ignored
Waiting for verification...
Cleaning up challenges
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:443, ignored
Deploying Certificate to VirtualHost /etc/nginx/conf.d/vivaloverde.com.conf
Deploying Certificate to VirtualHost /etc/nginx/conf.d/vivaloverde.com.conf
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:443, ignored

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/vivaloverde.com.conf
Redirecting all traffic on port 80 to ssl in /etc/nginx/conf.d/vivaloverde.com.conf
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "www.fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:80, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "fundacioncomuna.org" on [::]:443, ignored

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://vivaloverde.com and
https://www.vivaloverde.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=vivaloverde.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.vivaloverde.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/vivaloverde.com/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/vivaloverde.com/privkey.pem
   Your cert will expire on 2020-05-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot again
   with the "certonly" option. To non-interactively renew *all* of
   your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

My web server is (include version): nginx 1.12.2

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.0.0


Could you please post every relevant nginx configuration file? I.e., nginx.conf and all specific site configuration files (not just vivaloverde.com.conf, but all please).


This is what vivaloverde.conf looks like:

server {
    server_name vivaloverde.com www.vivaloverde.com;
    index index.php index.html;
    root /var/www/vivaloverde.com/html;


    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
    }


    listen [::]:443 ssl; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/vivaloverde.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/vivaloverde.com/privkey.pem;  # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot




}
server {
    if ($host = www.vivaloverde.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = vivaloverde.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    server_name vivaloverde.com www.vivaloverde.com;
    listen 80;
    listen [::]:80;
    return 404; # managed by Certbot




}

This is fundacioncomuna.org.conf:

server {
    server_name fundacioncomuna.org www.fundacioncomuna.org;
    listen 80;
    listen [::]:80;
    return 301 https://fundacioncomuna.org$request_uri;
}

server {
    server_name fundacioncomuna.org www.fundacioncomuna.org;
    listen 104.248.183.10:443 ssl http2;
    listen [2604:a880:2:d0::2228:1001]:443 ssl http2;

    index index.php index.html;
    root /var/www/fundacioncomuna.org;

    ssl_certificate /etc/letsencrypt/live/fundacioncomuna.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/fundacioncomuna.org/privkey.pem;

    if ($http_host = 'www.fundacioncomuna.org') {
        return 301 https://fundacioncomuna.org$request_uri;
    }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/var/run/php-fpm.sock;
        fastcgi_index index.php;
    }

}

This is nginx.conf:

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 2048;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            default_type 'text/html';
            return 200 "Initia Alfa";
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }

# Settings for a TLS enabled server.

#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }



    server {
    server_name fundacioncomuna.org; # managed by Certbot
        root         /var/www/fundacioncomuna.org;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            default_type 'text/html';
            return 200 "Initia Alfa";
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    

    listen [::]:443 ssl ; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/fundacioncomuna.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fundacioncomuna.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


}

    server {
    if ($host = fundacioncomuna.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen       80 ;
        listen       [::]:80 ;
    server_name fundacioncomuna.org;
    return 404; # managed by Certbot


}



    server {
    server_name www.fundacioncomuna.org fundacioncomuna.org; # managed by Certbot
        root         /var/www/fundacioncomuna.org;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
            default_type 'text/html';
            return 200 "Initia Alfa";
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/fundacioncomuna.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/fundacioncomuna.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot



}

    server {
    if ($host = www.fundacioncomuna.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


    if ($host = fundacioncomuna.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen       80 ;
        listen       [::]:80 ;
    server_name www.fundacioncomuna.org fundacioncomuna.org;
    return 404; # managed by Certbot




}}

To be honest, I “inherited” this server, and it already had some other domains. I don’t understand why they did so many entries for fundacioncomuna.org. The guy that used to be in charge just said that the extra entries showed up when he renewed the certs.


This is the only difference between the HTTP and HTTPS vhosts I can find. The HTTP sites work nicely, but for some reason the HTTPS version gets the wrong vhost (you can see that when you override the cert error).

If you replace those lines above with:

listen 443 ssl http2;
listen [::]:443 ssl http2;

and reload nginx, it might be fixed.


Thank you very much, I’ll give it a try right now.


Sadly, that line is in the config of the domain that is working correctly.


I tried it, and fundacioncomuna.org’s SSL stopped working.


I used:

listen 104.248.183.10:443 ssl http2;
listen [2604:a880:2:d0::2228:1001]:443 ssl http2;

on vivaloverde.com and the SSL started working.
Something is still off, since HTTP is not being redirected, but at least I no longer get the error.


Does your server have multiple public IP addresses? I don’t really understand why it wouldn’t work without mentioning the IP addresses…


Strangely enough, no. Only 1 public IP.
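
Why pinning the listen address changed which certificate was served, as an added example (not code from the thread or from nginx): nginx first narrows the candidate server blocks by the address and port the connection arrived on, and a `listen` with an explicit address takes precedence over a bare `listen 443` on the same port; `server_name` is compared only within the blocks that remain. The Python model below is a simplification (exact names only, no `default_server`, IPv4 only), and `Server`, `select_server` and `served_cert` are illustrative names.

```python
# Added example: a simplified model of nginx server-block selection.
# Not nginx source code; Server and select_server are illustrative names.
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    names: tuple    # server_name values (exact names only in this model)
    listens: tuple  # (address, port) pairs; "*" stands for a bare "listen 443"
    cert: str       # ssl_certificate path


def select_server(servers, local_ip, port, sni):
    """Return the block that handles a TLS connection to local_ip:port."""
    # Step 1: blocks whose listen names the connection's local address shadow
    # every wildcard listen on the same port.
    exact = [s for s in servers if (local_ip, port) in s.listens]
    pool = exact or [s for s in servers if ("*", port) in s.listens]
    if not pool:
        return None
    # Step 2: server_name is compared only inside that pool. With no match,
    # the first block of the pool acts as default (default_server not modelled).
    return next((s for s in pool if sni in s.names), pool[0])


# Constructed from the configs posted in the thread.
IP = "104.248.183.10"
LIVE = "/etc/letsencrypt/live/"
FUNDACION = Server(("fundacioncomuna.org", "www.fundacioncomuna.org"),
                   ((IP, 443),), LIVE + "fundacioncomuna.org/fullchain.pem")
VIVA_WILDCARD = Server(("vivaloverde.com", "www.vivaloverde.com"),
                       (("*", 443),), LIVE + "vivaloverde.com/fullchain.pem")
VIVA_PINNED = Server(VIVA_WILDCARD.names, ((IP, 443),), VIVA_WILDCARD.cert)


def served_cert(servers, sni):
    """Certificate path presented for a connection to IP:443 with this SNI."""
    return select_server(servers, IP, 443, sni).cert


if __name__ == "__main__":
    for label, viva in (("listen 443 ssl", VIVA_WILDCARD),
                        ("listen %s:443 ssl" % IP, VIVA_PINNED)):
        cert = served_cert([FUNDACION, viva], "www.vivaloverde.com")
        print("%-32s -> %s" % (label, cert))
```

With the bare `listen 443 ssl`, a request for www.vivaloverde.com is answered with the fundacioncomuna.org certificate, which is the name mismatch the browser reports as ERR_CERT_COMMON_NAME_INVALID. In this model the vhosts compete on `server_name` only when their `listen` directives for the port use the same style, either all bare or all address-specific.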
