My domain is: www.gotobot.co
I ran this command: docker-compose up but this error appears when I’m trying to send an email:
My default.conf file:
location ^~ /server {
    proxy_pass http://server/sendMail;
    include partials/common.conf;
}
upstream server {
    server server:9000;
}
My web server is (include version): Nginx
The operating system my web server runs on is (include version): CentOS/Rhel7
My hosting provider, if applicable, is: AWS
I can login to a root shell on my machine (yes or no, or I don’t know): Yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 1.0.0
1 Like
9peppe
2
context: Error cannot load certificate "/etc/letsencrypt/live/domainname/fullchain.pem"
there is no valid certificate on https://gotobot.co/, only on https://www.gotobot.co/
(extend your certificate): docker-compose exec certbot
then select all, extend, let certbot work.
2 Likes
Do you mean this?
sudo certbot --expand -d gotobot.co
9peppe
4
This depends on how you defined command and entrypoint in your docker-compose.yml.
docker-compose exec certbot certbot
should be safe. (yes, twice: first service name, second command name)
Is this OK? Should I go with 1 or 2?
9peppe
6
I need to see your nginx config to say this with a semblance of certainty, but go for webroot.
(you’d have known if you used standalone)
1 Like
Now I need to do this:
Input the webroot for gotobot.co
I googled and found this:
/var/www/html
or --webroot-path /usr/share/nginx/html
are two common webroot paths.
But I think I should probably locate everything where my docker compose volumes suggest:
volumes:
  - ./nginx/certbot/conf:/etc/letsencrypt
  - ./nginx/certbot/www:/var/www/certbot
So most probably this is my path:
/nginx/certbot/www
Do you agree?
9peppe
8
this is your most probable webroot.
but, does nginx know about it?
1 Like
That is why I sent you the volumes from docker-compose nginx, here is the whole thing:
nginx:
  restart: always
  hostname: reverse
  image: nginx
  #depends_on:
  #  - vue
  networks:
    rasa-network:
    proxy:
  command: '/bin/sh -c ''while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"'''
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - ./nginx/conf/conf.d:/etc/nginx/conf.d
    - ./nginx/conf/partials:/etc/nginx/partials
    - ./nginx/certbot/conf:/etc/letsencrypt
    - ./nginx/certbot/www:/var/www/certbot
    - ./nginx/conf/nginx.conf:/etc/nginx/nginx.conf
certbot:
  image: certbot/certbot
  entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  volumes:
    - ./nginx/certbot/conf:/etc/letsencrypt
    - ./nginx/certbot/www:/var/www/certbot
9peppe
10
is this snippet somewhere in your nginx config or did you comment it out?
That is commented out I think, this is my default.conf:
upstream rasa {
    #server 184.72.-187.19:5005;
    #I had to do this for port 5005 but not for landing because there the default port is 80
    server rasa:5005;
}
upstream landing {
    #server 184.72.187.19:8080;
    #server 127.0.0.1:8080;
    server landing;
}
upstream server {
    #server 184.72.187.19:8080;
    #server 127.0.0.1:8080;
    server server:9000;
}
server {
    listen 443 ssl;
    server_name gotobot.co www.gotobot.co;
    # server_name api.mavericklabs.ie;
    # server_name localhost;
    # only allow access for Maverick while testing
    # @TODO remove for production
    #allow 127.0.0.1;
    #allow 83.71.213.166;
    #deny all;
    #resolver 1.1.1.1 8.8.8.8 9.9.9.10;
    resolver 127.0.0.11 valid=30s;
    include partials/common.conf;
    include partials/ssl.conf;
    # location /.well-known/acme-challenge/ {
    #     root /var/www/certbot;
    # }
    # location / {
    #     proxy_pass http://api/webhooks/rest/webhook;
    #     include partials/common_location.conf;
    #     include partials/cors.conf;
    # }
    location = /hotel { rewrite ^ /hotel/ redirect; }
    location /hotel {
        #proxy_pass http://rasa;
        rewrite /hotel/(.*) /$1 break;
        proxy_pass http://rasa/webhooks/rest/webhook;
        include partials/common.conf;
        #include partials/ssl.conf;
        #proxy_set_header Accept '*/token';
    }
    location ^~ / {
        proxy_pass http://landing;
        include partials/common.conf;
        #include partials/ssl.conf;
    }
    location ^~ /server {
        proxy_pass http://server/sendMail;
        include partials/common.conf;
        #include partials/ssl.conf;
    }
}
map $remote_addr $proxy_forwarded_elem {
# IPv4 addresses can be sent as-is
~^[0-9.]+$ "for=$remote_addr";
# IPv6 addresses need to be bracketed and quoted
~^[0-9A-Fa-f:.]+$ "for=\"[$remote_addr]\"";
# Unix domain socket names cannot be represented in RFC 7239 syntax
default "for=unknown";
}
map $http_forwarded $proxy_add_forwarded {
# If the incoming Forwarded header is syntactically valid, append to it
"~^(,[ \\t]*)*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*([ \\t]*,([ \\t]*([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?(;([!#$%&'*+.^_`|~0-9A-Za-z-]+=([!#$%&'*+.^_`|~0-9A-Za-z-]+|\"([\\t \\x21\\x23-\\x5B\\x5D-\\x7E\\x80-\\xFF]|\\\\[\\t \\x21-\\x7E\\x80-\\xFF])*\"))?)*)?)*$" "$http_forwarded, $proxy_forwarded_elem";
# Otherwise, replace it
default "$proxy_forwarded_elem";
}
9peppe
12
ok, uncomment that and reload nginx.
So I should uncomment this in my default.conf:
# location /.well-known/acme-challenge/ {
#     root /var/www/certbot;
# }
and then put /var/www/certbot as my webroot?
1 Like
9peppe
14
coincidentally, yes.
it’s the same location in two different containers.
1 Like
Don’t you think I should put nginx/certbot/www because that mounts into /var/www/certbot?
- ./nginx/certbot/www:/var/www/certbot
9peppe
16
you should put the internal directory according to the certbot container
but it does exist in filezilla:
9peppe
18
You are using stuff from TWO DIFFERENT filesystems. Certbot is looking inside its container, not on the host.
2 Likes
Ok but I tried this, which is inside the container, first and it can't find it:
/var/www/certbot
9peppe
20
so this command doesn't work?
docker-compose exec certbot certbot certonly --webroot -w /var/www/certbot
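As an added example (not code from this thread or from certbot), the following Python pre-flight check ties together the three things the thread stumbles over: whether the certbot container and the nginx container back /var/www/certbot with the same host directory, and whether the nginx config actually has an uncommented /.well-known/acme-challenge/ location whose root is that webroot. The compose and nginx snippets embedded in it are constructed to mirror this thread; the service names nginx and certbot, the webroot path, and the two-space compose indentation are assumptions taken from the posts above.

```python
"""Pre-flight check for certbot's --webroot mode in a docker-compose deployment.

Added example, not the thread's own code. Assumptions: compose services are
named "nginx" and "certbot", the certbot container expects the webroot at
/var/www/certbot, and the compose file uses the two-space indentation shown
in the thread (this is a small line-based reader, not a full YAML parser).
"""
import re

# Constructed sample mirroring the thread's docker-compose.yml (volumes only).
SAMPLE_COMPOSE = """\
services:
  nginx:
    image: nginx
    volumes:
      - ./nginx/conf/conf.d:/etc/nginx/conf.d
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
  certbot:
    image: certbot/certbot
    volumes:
      - ./nginx/certbot/conf:/etc/letsencrypt
      - ./nginx/certbot/www:/var/www/certbot
"""

# Constructed nginx config as posted: the ACME location is still commented out.
NGINX_BEFORE = """\
server {
    listen 443 ssl;
    server_name gotobot.co www.gotobot.co;
    # location /.well-known/acme-challenge/ {
    #     root /var/www/certbot;
    # }
    location ^~ / {
        proxy_pass http://landing;
    }
}
"""

# The same config after uncommenting the ACME location, as 9peppe suggests.
NGINX_AFTER = """\
server {
    listen 443 ssl;
    server_name gotobot.co www.gotobot.co;
    location /.well-known/acme-challenge/ {
        root /var/www/certbot;
    }
    location ^~ / {
        proxy_pass http://landing;
    }
}
"""


def parse_volumes(compose_text):
    """Return {service: [(host_path, container_path), ...]} from compose text."""
    volumes, service, in_volumes = {}, None, False
    for raw in compose_text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 2 and line.endswith(":"):          # a service name
            service = line.strip()[:-1]
            volumes.setdefault(service, [])
            in_volumes = False
        elif service and indent == 4 and line.strip() == "volumes:":
            in_volumes = True
        elif service and in_volumes and indent >= 6 and line.strip().startswith("- "):
            item = line.strip()[2:].strip("\"'")
            host, _, container = item.partition(":")
            container = container.split(":")[0]          # drop ":ro"/":rw" options
            volumes[service].append((host, container))
        elif indent <= 4:                                # any other key ends the list
            in_volumes = False
    return volumes


def host_path(volumes, service, container_path):
    """Host directory that `service` mounts at `container_path`, or None."""
    for host, container in volumes.get(service, []):
        if container.rstrip("/") == container_path.rstrip("/"):
            return host
    return None


ACME_LOCATION = re.compile(
    r"location\s+(?:\^~\s+|=\s+)?/\.well-known/acme-challenge/?\s*\{([^}]*)\}", re.S)


def active_acme_root(nginx_conf):
    """Root of an *uncommented* ACME challenge location, or None if there is none."""
    live = "\n".join(l for l in nginx_conf.splitlines() if not l.lstrip().startswith("#"))
    block = ACME_LOCATION.search(live)
    if not block:
        return None
    root = re.search(r"\broot\s+(\S+?)\s*;", block.group(1))
    return root.group(1) if root else None


def check_webroot(compose_text, nginx_conf, webroot="/var/www/certbot",
                  certbot_service="certbot", nginx_service="nginx"):
    """Cross-check mounts and nginx config; returns a dict with an 'ok' flag and problems."""
    vols = parse_volumes(compose_text)
    certbot_host = host_path(vols, certbot_service, webroot)
    nginx_host = host_path(vols, nginx_service, webroot)
    acme_root = active_acme_root(nginx_conf)
    problems = []
    if certbot_host is None:
        problems.append(f"{certbot_service} mounts nothing at {webroot}")
    if nginx_host is None:
        problems.append(f"{nginx_service} mounts nothing at {webroot}")
    elif certbot_host is not None and certbot_host != nginx_host:
        problems.append(f"webroot backed by different host dirs: {certbot_host} vs {nginx_host}")
    if acme_root is None:
        problems.append("no active location /.well-known/acme-challenge/ in nginx config")
    elif acme_root.rstrip("/") != webroot.rstrip("/"):
        problems.append(f"acme-challenge root {acme_root} is not the webroot {webroot}")
    return {"certbot_host": certbot_host, "nginx_host": nginx_host,
            "acme_root": acme_root, "ok": not problems, "problems": problems}


if __name__ == "__main__":
    for label, conf in (("before uncommenting", NGINX_BEFORE), ("after uncommenting", NGINX_AFTER)):
        result = check_webroot(SAMPLE_COMPOSE, conf)
        print(label + ":", "ok" if result["ok"] else "; ".join(result["problems"]))
```

The path you hand to `-w` is the one the certbot container sees (/var/www/certbot), which is why the host-side ./nginx/certbot/www is wrong even though it is the same directory; the check above reports a problem only when the two services disagree about which host directory sits behind that path. One caveat the thread does not cover: the HTTP-01 validation request arrives on port 80, so the acme-challenge location has to be reachable there too (or port 80 must redirect to the 443 server block shown), not only in a `listen 443 ssl` block.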