Firefox complaining about cert being for www.test site

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
certbot --nginx -d

It produced this output: Successful certificates in /etc/letsencrypt/live/*

CONTENTS OF /etc/letsencrypt/renewal/

# renew_before_expiry = 30 days
version = 1.27.0
archive_dir = /etc/letsencrypt/archive/
cert = /etc/letsencrypt/live/
privkey = /etc/letsencrypt/live/
chain = /etc/letsencrypt/live/
fullchain = /etc/letsencrypt/live/

# Options used in the renewal process
account = eb08609b996eea16cf85bccb400e6440
authenticator = webroot
server =
key_type = rsa
[[webroot_map]] = /home/mastodon/live/public

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

certbot 1.27.0

My issue is that the site (a Mastodon installation) works just fine in the Tor Browser, but is not working correctly in Chrome or Firefox.

Firefox complains that the cert is for I don't know why; the config file for nginx includes (this isn't the whole thing, but it includes the relevant parts):

  GNU nano 4.8                                                                                        /etc/nginx/sites-available/mastodon                                                                                                   

server {
    if ($host = {
        return 301 https://$host$request_uri;
    } # managed by Certbot

  listen 80;
  listen [::]:80;
  root /home/mastodon/live/public;
  location /.well-known/acme-challenge/ { allow all; }
  location / { return 301 https://$host$request_uri; }


server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers HIGH:!MEDIUM:!LOW:!aNULL:!NULL:!SHA;
  ssl_prefer_server_ciphers on;
  ssl_session_cache shared:SSL:10m;
  ssl_session_tickets off;

  # Uncomment these lines once you acquire a certificate:
    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot

  keepalive_timeout    70;
  sendfile             on;
  client_max_body_size 80m;

  root /home/mastodon/live/public;

I don't see any "www" anywhere, and my original command did not involve

Any ideas what's going on?

Very odd. When I looked earlier I saw the correct cert returned for your test.robert site. But, now I see the www.test.robert cert returned for that. Requests to your www.test.robert were working fine but you now removed the DNS A record for that.

I would guess you have another server block defined that is being used for requests to test.robert. Check the server blocks that precede this one.

Try an nginx -t to ensure the nginx config is ok. Or, use this to view the entire active nginx conf. Post it here if you want us to look at it

sudo nginx -T

You might also find your cert history useful.


Yeah, I've been struggling to fix this -- on a tight deadline! -- and am probably causing more issues for you to diagnose.

output of nging -t

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

I would need to see your entire nginx conf to give any more info than I already have. And, yes, it is difficult to diagnose a moving target


Please notice the uppercase T in Mikes posts. You're using the lowercase t.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.