Firefox does not trust this site because it uses a certificate that is not valid for this domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: epseelon.com

I ran this command:
certbot certonly --force-renewal --webroot -w /home/epseelon/www/epseelon.com -d epseelon.com -d www.epseelon.com

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/epseelon.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/epseelon.com/privkey.pem
    Your cert will expire on 2021-02-09. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew all of your certificates, run
    "certbot renew"

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: Donate - Let's Encrypt
    Donating to EFF: Support EFF's Work on Let's Encrypt | Electronic Frontier Foundation

My web server is (include version): Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-122-generic x86_64)

My hosting provider, if applicable, is: dedicated server (OVH)

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.31.0

The certificate seems to be generated fine, and here is my virtual host configuration in Apache:

<VirtualHost *:80>
    ServerAdmin webmaster@epseelon.com
    ServerName epseelon.com
    ServerAlias www.epseelon.com
    Redirect permanent / https://epseelon.com/
</VirtualHost>

<VirtualHost *:443>
    ServerAdmin webmaster@epseelon.com
    ServerName epseelon.com

    DocumentRoot /home/epseelon/www/epseelon.com
    <Directory /home/epseelon/www/epseelon.com>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    # mandatory TLS directives
    SSLEngine on
    SSLCertificateFile      /etc/letsencrypt/live/epseelon.com/fullchain.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/epseelon.com/privkey.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"

    Header always set Strict-Transport-Security "max-age=15768000"

    ErrorLog ${APACHE_LOG_DIR}/epseeloncom.error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel warn

    CustomLog ${APACHE_LOG_DIR}/epseeloncom.access.log combined

</VirtualHost>

But Firefox and Chrome tell me that my certificate is for another domain hosted on the same server. Note that I have 3 different websites hosted on this server, including butterfliesandhurricanes.net, which is the domain the certificate seems to point to.


Hi @sarbogast

certonly doesn't restart your server. That's required to use the new certificate.

So first step: Restart your Apache.

If that doesn't help: What says

apachectl -S

I did restart the server several times.

apachectl -S says this:

VirtualHost configuration:
*:443 is a NameVirtualHost
default server butterfliesandhurricanes.net (/etc/apache2/sites-enabled/butterfliesandhurricanes.net.conf:9)
port 443 namevhost butterfliesandhurricanes.net (/etc/apache2/sites-enabled/butterfliesandhurricanes.net.conf:9)
alias www.butterfliesandhurricanes.net
port 443 namevhost chainskills.com (/etc/apache2/sites-enabled/chainskills.com.conf:9)
port 443 namevhost epseelon.com (/etc/apache2/sites-enabled/epseelon.com.conf:8)
*:80 is a NameVirtualHost
default server ns388372.ip-176-31-253.eu (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost ns388372.ip-176-31-253.eu (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost butterfliesandhurricanes.net (/etc/apache2/sites-enabled/butterfliesandhurricanes.net.conf:1)
alias www.butterfliesandhurricanes.net
alias butterfliesandhurricanes.org
alias www.butterfliesandhurricanes.org
alias fliesandcanes.com
alias www.fliesandcanes.com
port 80 namevhost bypassgastrique.fr (/etc/apache2/sites-enabled/bypassgastrique.fr.conf:2)
alias www.bypassgastrique.fr
alias bypassgastrique.be
alias www.bypassgastrique.be
alias bypassgastrique.eu
alias www.bypassgastrique.eu
port 80 namevhost chainskills.com (/etc/apache2/sites-enabled/chainskills.com.conf:1)
alias www.chainskills.com
alias chainskills.io
alias www.chainskills.io
alias chainskills.org
alias www.chainskills.org
alias chainskills.net
alias www.chainskills.net
port 80 namevhost epseelon.com (/etc/apache2/sites-enabled/epseelon.com.conf:1)
alias www.epseelon.com
port 80 namevhost sebastien-arbogast.com (/etc/apache2/sites-enabled/sebastien-arbogast.com.conf:2)
alias www.sebastien-arbogast.com
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex watchdog-callback: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33


There you see the problem.

The port 443 vHost doesn't have the www version. Checking your non-www version, there is the correct certificate and a redirect to the www version.

The www version has the default certificate, so another vHost is used.

Add the missing ServerAlias.

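One way to spot this kind of mismatch directly in the `apachectl -S` output quoted above, as an added example that is not part of the thread: the script compares the names served on :80 with those on :443 and reports each name that would fall through to the default :443 vHost (and therefore to that vHost's certificate). The function and regex names are my own; the sample text is a trimmed copy of the output posted in the thread.

```python
"""Added example (not from the thread): parse `apachectl -S` output and list
hostnames that have an :80 vhost but no :443 vhost. Apache answers TLS for
such a name from the *default server* of *:443, whose certificate does not
cover it: the browser error discussed in this thread."""
import re

# Trimmed copy of the `apachectl -S` output posted in the thread.
SAMPLE = """\
*:443 is a NameVirtualHost
default server butterfliesandhurricanes.net (/etc/apache2/sites-enabled/butterfliesandhurricanes.net.conf:9)
port 443 namevhost butterfliesandhurricanes.net (/etc/apache2/sites-enabled/butterfliesandhurricanes.net.conf:9)
alias www.butterfliesandhurricanes.net
port 443 namevhost chainskills.com (/etc/apache2/sites-enabled/chainskills.com.conf:9)
port 443 namevhost epseelon.com (/etc/apache2/sites-enabled/epseelon.com.conf:8)
*:80 is a NameVirtualHost
port 80 namevhost butterfliesandhurricanes.net (/etc/apache2/sites-enabled/butterfliesandhurricanes.net.conf:1)
alias www.butterfliesandhurricanes.net
port 80 namevhost chainskills.com (/etc/apache2/sites-enabled/chainskills.com.conf:1)
alias www.chainskills.com
port 80 namevhost epseelon.com (/etc/apache2/sites-enabled/epseelon.com.conf:1)
alias www.epseelon.com
"""

SECTION_RE = re.compile(r"^\S+:(\d+) is a NameVirtualHost")
DEFAULT_RE = re.compile(r"^\s*default server (\S+)")
NAME_RE = re.compile(r"^\s*(?:port \d+ namevhost|alias) (\S+)")

def parse_vhosts(text):
    """Return ({port: set of names}, {port: default server name})."""
    names, defaults, port = {}, {}, None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            port = int(m.group(1))      # entering the *:PORT section
            names.setdefault(port, set())
        elif port is not None and (m := DEFAULT_RE.match(line)):
            defaults[port] = m.group(1) # answers when SNI name matches no vhost
        elif port is not None and (m := NAME_RE.match(line)):
            names[port].add(m.group(1)) # ServerName or ServerAlias

    return names, defaults

def names_without_tls_vhost(text):
    """Map each :80-only name to the :443 vhost that actually answers it."""
    names, defaults = parse_vhosts(text)
    missing = names.get(80, set()) - names.get(443, set())
    return {n: defaults.get(443) for n in sorted(missing)}

if __name__ == "__main__":
    for name, served_by in names_without_tls_vhost(SAMPLE).items():
        print(f"{name}: no :443 vhost; TLS answered by {served_by}")
```

Run it against the full `apachectl -S` output on the server; every name it prints needs a ServerAlias (or its own vHost) on :443 before the certificate Certbot issued for it can ever be presented.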

Thanks, that worked! Thanks a lot

