Error code: SSL_ERROR_BAD_CERT_DOMAIN | NET::ERR_CERT_COMMON_NAME_INVALID

I used 'letsencrypt' from the command line to get a certificate. This worked but apparently expired within 3 months. All my domains now have errors connecting...

SEE SCREENSHOTS HERE:

My domain is:

pulsenews.online
dailytrends.digital
dailypulse.online
www.dailypulse.online
www.pulsenews.online

I ran this command:

certbot certificates
certbot renew

It produced this output:

It seemed to renew one of the domains but not all of them, and the renewed one still shows errors (pulsenews.online).

It gave an error about domains and ANAMES; I have not changed anything from the original time running this.

I tried a forced renew and now it won't run any commands because of 'rate limit'.

My web server is (include version):

The operating system my web server runs on is (include version):

lamp-ubuntu 5.4.0-42 generic

My hosting provider, if applicable, is:

digital ocean

I can login to a root shell on my machine (yes or no, or I don't know):

console access, but cannot copy/paste

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is: certbot 0.40.0

I believe I have fixed this, but now experience this

SSL certificate does not match domain name

There are several names on the cert , and all on the same IP.

I need all these domains to be secure, and 'work'; under a single or multiple cert makes no difference to me, I just can't have visitors getting stopped by errors every time saying 'mismatch'.

Hi @brokenbricks

then create one or more certificates.

You have created these certificates, so you know what you have to do.

First - a working port 80 configuration is required.

Check

apachectl -S

to see if you have one.

Then use the -d option to create the certificates you want.

Your older certificates - you know what you have to do.

I've spent all day on this.

I don't know how this all functioned properly for the last 3 months but now won't.

Latest:

certbot delete

start over clean

then this:

certbot certonly --standalone --preferred-challenges http -d pulsenews.online -d www.pulsenews.online -d dailytrends.digital -d www.dailytrends.digital -d dailypulse.online -d www.dailypulse.online

Now this looks like new cert is created including all domains - should be ok then??

ufw allow 80
apachectl -S

using an SSL test like https://www.ssllabs.com/ssltest/analyze.html?d=pulsenews.online

Shows it's still messed... going to any domain in a browser is a mismatch error or worse.

Please read the documentation.

doesn't install the certificate. If you use that option, you have to do that.

Certificate creation has worked -> using certonly -> it's your job to install the certificate.

1 Like

is there a specific part of the documentation I should be looking at?

I am beyond confused now, and seem to have messed up one of the domain names completely...
Not functioning as it was.

The requested URL was not found on this server.
Apache/2.4.41 (Ubuntu) Server at www.dailytrends.digital Port 443

I've never seen this before... all I can think is the apache command did something.

When visiting any domain
I either see

NET::ERR_CERT_COMMON_NAME_INVALID

Then I inspect the cert and it's from this domain.

I am now totally lost

When I originally installed these it was an effortless one-line command line "lets encrypt"
and worked easily.

Hi @brokenbricks,

Certbot has some integration for Apache (and nginx), which you usually access with certbot --apache. If you want Certbot to install your certificate in your Apache configuration, you should be sure not to add certonly (which is actively telling Certbot not to do so).

Running certbot --delete for an actively-used certificate is a problem: it just deletes the associated files but doesn't undo the Apache configuration integration, so Apache still expects to find the now-deleted certificate where the configuration says. That's what you're seeing with the "file: '/etc/letsencrypt/live/dailytrends.digital-0001/fullchain.pem' does not exist or is empty" error message.

One way that you could fix this would be to edit the 000-default-le-ssl.conf file with a text editor and change the reference to /etc/letsencrypt/live/dailytrends.digital-0001/fullchain.pem to /etc/letsencrypt/live/pulsenews.online/fullchain.pem and change the reference to /etc/letsencrypt/live/dailytrends.digital-0001/privkey.pem to /etc/letsencrypt/live/pulsenews.online/privkey.pem.

This is, nonetheless, a temporary solution in the sense that your use of --standalone instead of --apache will probably prevent the certificate from being automatically renewed; you would still have to stop your Apache process and run certbot renew in 60-90 days from now.

1 Like

Please read my older answer.

What says

apachectl -S

PS: If you don't have a working port 80 configuration, Certbot can't install the certificate.

Your www has only the non-www domain name - so there is an expected mismatch.

1 Like

To use Certbot more the way it was intended, consider deleting all of the -le-ssl.conf files in /etc/apache2/sites-enabled (to complete the process that you started with the deletion of your certificates, which unfortunately was probably unnecessary). Then run certbot --apache and select the combination of domain names that you want (in most cases, people try to match this to their Apache virtualhosts, so names that are part of the same virtualhost end up on the same certificate, though this isn't an absolute requirement). This is probably the automated experience that you saw at the beginning.

Then in order to make sure that the renewal happens automatically, without human intervention, you need to make sure that certbot renew is running frequently and automatically from cron — more recent versions of Certbot guarantee this themselves, but older versions expect you to add a cron job yourself.

2 Likes
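The two failure modes described in the replies above (a -le-ssl.conf file that still points at a certificate lineage which certbot delete removed, so Apache refuses to start, and a certificate whose names do not cover every ServerName/ServerAlias the vhost answers for, so browsers report a mismatch) can both be checked before restarting Apache. The script below is an added example, not code from this thread, from Certbot or from Apache; it assumes Certbot's usual layout under /etc/letsencrypt/live/<lineage>/ and takes the vhost file (and optionally the certificate) as arguments. The function and file names are my own.

```shell
#!/bin/sh
# Added example (not from the thread, Certbot or Apache): pre-flight checks for
# the TLS vhost files Certbot writes, e.g. 000-default-le-ssl.conf.
# Needs only sh, awk, sort and comm; cert_names additionally needs openssl.

# Print each path referenced by an SSLCertificate*File directive in a vhost
# file, with surrounding quotes removed (one path per line).
ssl_file_refs() {
    awk '$1 == "SSLCertificateFile" || $1 == "SSLCertificateKeyFile" || $1 == "SSLCertificateChainFile" { gsub(/"/, "", $2); print $2 }' "$1"
}

# Return 0 if every referenced file exists and is non-empty, 1 otherwise.
# A missing file here is exactly what makes "apachectl start" fail with
# "AH00526 ... does not exist or is empty". Paths containing spaces are not
# handled (Certbot never writes such paths).
check_ssl_file_refs() {
    conf="$1"
    rc=0
    for path in $(ssl_file_refs "$conf"); do
        if [ ! -s "$path" ]; then
            echo "MISSING or EMPTY: $path (referenced in $conf)" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Host names a vhost file answers for (ServerName plus every ServerAlias),
# one per line, sorted and de-duplicated.
vhost_names() {
    awk '$1 == "ServerName" || $1 == "ServerAlias" { for (i = 2; i <= NF; i++) print $i }' "$1" \
        | sort -u
}

# DNS names listed in a PEM certificate's subjectAltName, one per line, sorted.
cert_names() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:[[:space:]]*//p' \
        | sort -u
}

# Names the vhost serves that the certificate does not cover. Empty output
# means every name is covered; any name printed will show in a browser as
# NET::ERR_CERT_COMMON_NAME_INVALID / SSL_ERROR_BAD_CERT_DOMAIN.
uncovered_names() {
    v=$(mktemp) && c=$(mktemp) || return 2
    vhost_names "$1" > "$v"
    cert_names "$2" > "$c"
    comm -23 "$v" "$c"
    rm -f "$v" "$c"
}

# Usage: sh check-le-ssl.sh /etc/apache2/sites-enabled/000-default-le-ssl.conf \
#            [/etc/letsencrypt/live/<lineage>/fullchain.pem]
if [ "$#" -ge 1 ]; then
    check_ssl_file_refs "$1" && echo "all certificate files referenced by $1 are present"
    [ "$#" -ge 2 ] && uncovered_names "$1" "$2"
fi
```

Run the file check before systemctl restart apache2 whenever a lineage has been deleted or renamed (Certbot appends -0001 when it creates a second lineage for an overlapping set of names); run the name check against the fullchain.pem the vhost actually references, not against the lineage you expect it to use.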

Run it as root or sudo.

I am running as root

certbot delete

Looks like you have deleted certificates your Apache uses.

So fix that manually.

I recommend reading and executing @schoen's suggestion.

I've made the change in that file.

I assume I need to restart Apache2 now?

I tried

and now I cannot even connect to the domains with a browser

Please run the suggested command in your screenshot to see what's going on. You might also look at the Apache error log(s).

I power cycled the droplet.

Re-logged in as root

root@lamp-ubuntu-g-2vcpu-8gb-nyc1-01:~# systemctl status apache2

apache2.service - The Apache HTTP Server

Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)

Active: failed (Result: exit-code) since Tue 2020-12-01 21:46:50 UTC; 1min 31s ago

Docs: https://httpd.apache.org/docs/2.4/

Process: 657 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: Starting The Apache HTTP Server...

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[673]: AH00526: Syntax error on line 27 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[673]: SSLCertificateFile: file '/etc/letsencrypt/live/pulsenews.online-0001/fullchain.pem' does not exist or is empty

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[657]: Action 'start' failed.

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[657]: The Apache error log may have more information.

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: apache2.service: Failed with result 'exit-code'.

Dec 01 21:46:50 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: Failed to start The Apache HTTP Server.

root@lamp-ubuntu-g-2vcpu-8gb-nyc1-01:~#

So my text editing that file broke the server.

I've reverted back to the original lines in text

Apache still won't start, now I'm worse off than I was 6 hours ago...

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: Starting The Apache HTTP Server...

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[1997]: AH00526: Syntax error on line 27 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[1997]: SSLCertificateFile: file '/etc/letsencrypt/live/dailytrends.digital-0001/fullchain.pem' does not exist or is empty

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[1988]: Action 'start' failed.

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 apachectl[1988]: The Apache error log may have more information.

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: apache2.service: Control process exited, code=exited, status=1/FAILURE

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: apache2.service: Failed with result 'exit-code'.

Dec 01 21:56:39 lamp-ubuntu-g-2vcpu-8gb-nyc1-01 systemd[1]: Failed to start The Apache HTTP Server.

root@lamp-ubuntu-g-2vcpu-8gb-nyc1-01:/etc/letsencrypt/live/pulsenews.online#