Firefox complaining about cert being for www.test site

robertwgehl · May 11, 2022, 2:19pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: test.robertwgehl.org

I ran this command:
certbot --nginx -d test.robertwgehl.org

It produced this output: Successful certificates in /etc/letsencrypt/live/test.robertwgehl.org/*

CONTENTS OF /etc/letsencrypt/renewal/test.robertwgehl.org.conf

# renew_before_expiry = 30 days
version = 1.27.0
archive_dir = /etc/letsencrypt/archive/test.robertwgehl.org
cert = /etc/letsencrypt/live/test.robertwgehl.org/cert.pem
privkey = /etc/letsencrypt/live/test.robertwgehl.org/privkey.pem
chain = /etc/letsencrypt/live/test.robertwgehl.org/chain.pem
fullchain = /etc/letsencrypt/live/test.robertwgehl.org/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = eb08609b996eea16cf85bccb400e6440
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = rsa
[[webroot_map]]
test.robertwgehl.org = /home/mastodon/live/public

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.27.0

My issue is that the site (a Mastodon installation) works just fine in the Tor Browser, but is not working correctly in Chrome or Firefox.

Firefox complains that the cert is for www.test.robertwgehl.org. I don't know why; the config file for nginx includes (this isn't the whole thing, but it includes the relevant parts):

  GNU nano 4.8                                                                                        /etc/nginx/sites-available/mastodon                                                                                                   

server {
    if ($host = test.robertwgehl.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


  listen 80;
  listen [::]:80;
  server_name test.robertwgehl.org;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }


}

server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;
  server_name test.robertwgehl.org;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # Uncomment these lines once you acquire a certificate:
    ssl_certificate /etc/letsencrypt/live/test.robertwgehl.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/test.robertwgehl.org/privkey.pem; # managed by Certbot

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;

  root /home/mastodon/live/public;

I don't see any "www" anywhere, and my original command did not involve www.test.robertwgehl.org.

Any ideas what's going on?

MikeMcQ · May 11, 2022, 3:11pm

Very odd. When I looked earlier I saw the correct cert returned for your test.robert site. But, now I see the www.test.robert cert returned for that. Requests to your www.test.robert were working fine but you now removed the DNS A record for that.

I would guess you have another server block defined that is being used for requests to test.robert. Check the server blocks that precede this one.

Try an nginx -t to ensure the nginx config is ok. Or, use this to view the entire active nginx conf. Post it here if you want us to look at it

sudo nginx -T

You might also find your cert history useful.

robertwgehl · May 11, 2022, 3:13pm

Yeah, I've been struggling to fix this -- on a tight deadline! -- and am probably causing more issues for you to diagnose.

output of nging -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

MikeMcQ · May 11, 2022, 3:15pm

I would need to see your entire nginx conf to give any more info than I already have. And, yes, it is difficult to diagnose a moving target

Osiris · May 11, 2022, 3:33pm

Please notice the uppercase T in Mikes posts. You're using the lowercase t.

system · June 10, 2022, 3:33pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Firefox does not trust this site because it uses a certificate that is not valid for this domain Help	5	1048	December 11, 2020
Cleaning up challenges Some challenges have failed. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details Help	9	2119	October 21, 2022
Can't access my website via https Help	85	10060	June 6, 2018
Take the certifikate Help	4	413	August 27, 2023
Logfile /var/log/letsencrypt/letsencrypt.log Help	2	1692	December 16, 2021

Firefox complaining about cert being for www.test site

Related topics