Err_cert_common_name_invalid

Hello, I successfully configured a Digital Ocean droplet with Ubuntu 18.04, Apache, and used puTTY to set up SSL with Lets Encrypt. Domain is www.lafincaberries.com. Qualys SSL report grade is A, but I still get an unsafe site warning above, or something to the effect that the the IP address cannot prove who it is. If the certificate works with the domain, does the IP address have to be included?

Hi,

Congrats on issuing the certificate for your domain!

There is something you’ll need to know for this issue:

  1. Your domain is working (for https connections)
  2. You saw the mismatch error because you are actively redirecting the visitors from the domain to your DO droplet IP address, which is not included in the Let’s Encrypt certificate you issued.
  3. You could (should) include the IP address on a TLS certificate if you want visitors to view your website using IP and https. But very limited number of CAs allow to include an IP inside the certificate (and they are OV / EV certificates, not DV), Let’s Encrypt is not one of those.

The best fix for your website is to change your apache/website settings to use your domain name, instead of the IP address.

Thank you

Thanks! Would it be simpler/faster to delete the droplet and start over, or try to redo Apache and a new certificate? Also when you say “actively redirect” I dont remember doing that, my DNS does have an A record that does that but isnt that routine?

Hi @LaFincaBerries

there is a check of your domain, a few minutes old ( https://check-your-website.server-daten.de/?q=lafincaberries.com ):

There you see the problem:

Domainname Http-Status redirect Sec. G
• http://lafincaberries.com/
68.183.140.226 301 https://lafincaberries.com/ 0.206 A
• http://www.lafincaberries.com/
68.183.140.226 301 https://lafincaberries.com/ 0.206 E
• https://lafincaberries.com/
68.183.140.226 301 https://68.183.140.226/ 0.876 B
• https://www.lafincaberries.com/
68.183.140.226 301 https://68.183.140.226/ 0.880 B
• https://68.183.140.226/ 200 1.097 N
Certificate error: RemoteCertificateNameMismatch

Never redirect to ip addresses. That can’t work.

You don’t need a new certificate, it’s your redirect configuration.

OK its becoming obvious to even a newby like me that one of my certificates had the IP address incorrectly listed as the SAN or domain. My question is what editor do I use to go in and correct the name to the correct entry? Delete certificate and re-issue?

OK redirect configuration - is that in Digital Ocean console, Apache, certbot, Lets Encrypt etc. Lots of moving parts here and I am not afraid to jump in and learn but I need a big sky global orientation first

It’s your Apache.

That has nothing to do with your certificate.

Wrong redirect http -> http - you have a loop (without any certificate).

1 Like

Yes I think this will fix it within the Wordpress app? https://www.digitalocean.com/community/questions/domain-automatically-redirecting-to-droplet-ip-one-click-wordpress-installation
Or must it be within Apache?

Just changed it from within Wordpress Admin; it had the IP address in both site and Wordpress address boxes, too easy to change to the domain name and save. Now to clear cache and re-test

1 Like

It’s fixed! Thanks so much guys! Now onto “Missing HSTS-Header” in Chrome . . .

2 Likes

First fix your Grade I and E - the “Missing HSTS-Header” is B -> A.

Yes that’s right. I will reload the image, but the I error is more puzzling

It seems that you still have a problem with a hard-coded link to https://68.183.140.226/wp-content/uploads/2019/04/cropped-Spring-2019.jpg (at least according to the latest report from @JuergenAuer’s tool).

1 Like

Now there is a new check - the img ip address is fixed.

Yes I reloaded the image.
My E grade is from:

http://www.lafincaberries.com/ 68.183.140.226
301
https://lafincaberries.com/
wrong redirect one version http to other version https - first redirect to https without new dns query
Any method on how to correct that?

Could the Really Simple SSL plug in be the culprit?

Check your redirect rules. Maybe Wordpress, maybe Apache.

This redirect has the IP address; is that a normal practice? If not I will just seek to edit/remove those redirects with the IP address out of the file

But this redirect isn’t used.

See your last check - https://check-your-website.server-daten.de/?q=lafincaberries.com

There is no redirect with an ip address.

PS: The E-Redirect must be in your port 80 - vHost.

RewriteEngine on
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]

So I just paste that into the Digital Ocean Console, replacing SERVER_NAME with my actual droplet name, and what is REQUEST_URI replaced with? Or does it stay as is?