Getting a certificate for a wrong domain

I request a cert for domain3.com but browsers report that the cert is for domain2.com.
I host multiple domains from an Apache server with many virtual hosts.
The default domain is mycompany.com, and my clients are domain1.com, domain2.com etc. (fake names).
So all of them work fine except domain3.com, which receives a cert for domain2.com.
I verified all scripts involved in the generation and deployment but could not find any differences in them other than literal domain names. I do not know when it started, but the owner contends that it worked until the last renewal late last year.

The last time I touched the vhost file was during the server migration about 1 year ago. Everything was verified and found to be working by myself and all domain owners. It's worked fine for about 1 year, and now this 1 vhost out of almost a dozen has the mixed-up cert. In the meantime no one touched the vhosts or the scheduled task or their scripts.

Try for each domain name the command below, substituting the domain name for example.com (2 instances).

openssl s_client -showcerts -servername example.com -connect example.com:443 < /dev/null

This will show you the certificate being served for each domain name.

Also from online tools

  1. SSL Checker
  2. SSL Checker - Check SSL Certificate
  3. https://www.ssllabs.com/ssltest/
  4. https://www.hardenize.com/

Double check that the DNS records point properly, and that routers send things to the proper servers.

2 Likes
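A scripted version of the s_client check above, as an added example that is not part of the original post. It runs the same handshake for every vhost name with SNI set, extracts the subject CN and the SAN DNS entries from the leaf certificate, and reports whether the served certificate actually covers the name that was requested, which is exactly the mismatch described in the question. It assumes the openssl binary is on PATH and port 443 is reachable; the DOMAINS list is constructed.

```python
"""Compare the certificate each HTTPS vhost serves with the name requested.
Added example, not from the original thread.  Assumes `openssl` is on PATH
and TCP 443 is reachable; the domain list is constructed for illustration."""
from __future__ import annotations
import re
import subprocess

# Constructed list of hostnames to check; replace with your own vhost names.
DOMAINS = ["mycompany.com", "domain1.com", "domain2.com", "domain3.com"]


def parse_x509_names(text: str) -> list[str]:
    """Extract the subject CN and every SAN DNS entry from the output of
    `openssl x509 -noout -subject -ext subjectAltName`.  Both the old
    'subject= /CN=x' and the newer 'subject=CN = x' layouts are handled."""
    names = []
    m = re.search(r"CN\s*=\s*([^,/\n]+)", text)
    if m:
        names.append(m.group(1).strip().lower())
    for dns in re.findall(r"DNS:([^,\s]+)", text):
        names.append(dns.lower())
    return list(dict.fromkeys(names))  # de-duplicate, keep order


def hostname_covered(names: list[str], hostname: str) -> bool:
    """True if hostname matches one of the certificate's names.  A leading
    wildcard covers exactly one label (*.example.com covers a.example.com,
    not example.com or a.b.example.com), as browsers apply it."""
    hostname = hostname.lower()
    for name in names:
        if name == hostname:
            return True
        if name.startswith("*.") and "." in hostname:
            if hostname.split(".", 1)[1] == name[2:]:
                return True
    return False


def fetch_served_cert_text(hostname: str) -> str:
    """Handshake with SNI set to hostname (as a browser would) and print the
    leaf certificate's subject and SAN extension via `openssl x509`."""
    s_client = subprocess.run(
        ["openssl", "s_client", "-servername", hostname,
         "-connect", f"{hostname}:443"],
        input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, timeout=15)
    return x509.stdout.decode(errors="replace")


def check_domains(domains: list[str]) -> dict[str, bool]:
    """Map each hostname to whether the certificate served for it covers it."""
    results = {}
    for host in domains:
        names = parse_x509_names(fetch_served_cert_text(host))
        results[host] = hostname_covered(names, host)
        status = "OK      " if results[host] else "MISMATCH"
        print(f"{status} {host:<20} cert names: {', '.join(names) or '<none>'}")
    return results


if __name__ == "__main__":
    check_domains(DOMAINS)
```

Passing -servername matters: without SNI, Apache falls back to the first SSL vhost on that address, so a test without it can show a mismatch that no browser would see, or hide one that they do.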

What's the purpose of this test? I know which certs are being served.
domain3.crt and domain3.key are served from domain3, but their contents show domain2.com. What is your test going to clarify?

All of them point to the same IP address, and Apache handles domains by way of vhosts, like I wrote in the OP. So DNS is not the suspect here.

1 Like

Apache uses the cert you tell it to.

The VirtualHost for domain2 is being chosen by Apache instead of domain3. Or, the SSL Certificate lines for domain3 refer to the wrong cert name.

Use this command to evaluate the VirtualHosts

sudo apachectl -t -D DUMP_VHOSTS

If you can't share the actual names it will be difficult for us to be specific.

4 Likes
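The two failure modes named in this reply (the wrong VirtualHost being selected, or the right one pointing at the wrong cert file) can both be caught by reading the vhost configuration itself. The following is an added example, not the thread's or Apache's own tooling: it parses the SSL VirtualHost blocks, then flags duplicate ServerNames, vhosts whose SSLCertificateFile or key path does not mention any label of the ServerName (a naming heuristic, assumed rather than required by Apache), and one cert file referenced by several vhosts. The SAMPLE_CONF is constructed to reproduce the symptom in the question.

```python
"""Audit Apache SSL vhost configuration for mixed-up certificate references.
Added example, not from the thread.  The config text is constructed and the
"cert path should contain a label of the ServerName" rule is a heuristic."""
from __future__ import annotations
import re

# Constructed vhost configuration reproducing the thread's symptom:
# domain3.com's block points at domain2's certificate.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName domain2.com
    ServerAlias www.domain2.com
    SSLCertificateFile /etc/ssl/certs/domain2.crt
    SSLCertificateKeyFile /etc/ssl/private/domain2.key
</VirtualHost>
<VirtualHost *:443>
    ServerName domain3.com
    SSLCertificateFile /etc/ssl/certs/domain2.crt
    SSLCertificateKeyFile /etc/ssl/private/domain3.key
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(ServerName|ServerAlias|SSLCertificateFile|SSLCertificateKeyFile)\s+(.+?)\s*$",
    re.M | re.I)


def parse_vhosts(conf: str) -> list[dict]:
    """Return one dict per <VirtualHost> with the directives we care about."""
    vhosts = []
    for addr, body in VHOST_RE.findall(conf):
        vh = {"addr": addr.strip(), "aliases": []}
        for key, value in DIRECTIVE_RE.findall(body):
            key = key.lower()
            if key == "serveralias":
                vh["aliases"].extend(value.split())  # ServerAlias takes several names
            else:
                vh[key] = value
        vhosts.append(vh)
    return vhosts


def audit(vhosts: list[dict]) -> list[str]:
    """Produce human-readable findings; an empty list means nothing suspicious."""
    findings = []
    seen = set()
    cert_owners: dict[str, list[str]] = {}
    for vh in vhosts:
        name = vh.get("servername")
        if name is None:
            findings.append(f"vhost {vh['addr']}: no ServerName")
            continue
        if name in seen:
            findings.append(f"{name}: duplicate ServerName (Apache uses the first match)")
        seen.add(name)
        cert = vh.get("sslcertificatefile")
        key = vh.get("sslcertificatekeyfile")
        if cert is None or key is None:
            findings.append(f"{name}: missing SSLCertificateFile or SSLCertificateKeyFile")
            continue
        # Heuristic: some label of the ServerName (other than www/TLD) should
        # appear in the file paths, e.g. 'domain3' for domain3.com.
        labels = [l for l in name.lower().split(".")[:-1] if l != "www"] or [name.lower()]
        if not any(l in cert.lower() for l in labels):
            findings.append(f"{name}: SSLCertificateFile {cert} does not mention {labels}")
        if not any(l in key.lower() for l in labels):
            findings.append(f"{name}: SSLCertificateKeyFile {key} does not mention {labels}")
        cert_owners.setdefault(cert, []).append(name)
    for cert, owners in cert_owners.items():
        if len(owners) > 1:
            findings.append(f"{cert}: used by {', '.join(owners)}")
    return findings


if __name__ == "__main__":
    for line in audit(parse_vhosts(SAMPLE_CONF)) or ["no findings"]:
        print(line)
```

Run it over the output of the Include'd files for the 443 listeners (or over each file in turn); it complements `apachectl -t -D DUMP_VHOSTS`, which shows which vhost wins for a name but not which certificate file that vhost loads.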

Of course it does. It is granted. The file domain3.crt and domain3.key contain wrong information in them. They are copied from C:\Certbot\Live\domain3.com\ So, where do I begin to look for the problem?

What specifically should I look for in its output? I cannot find anything that could point at problems. Everything looks correct.

That's impossible :slight_smile:

Did you reload Apache after setting up the new certs (or restart)?

Walking through possibilities without knowing any details is extremely time consuming. And, more time than I have today.

You should start with the apachectl command I showed. Make sure all is as intended.

And, why would you copy the files anyway? Just use the /live/ ones.

3 Likes

It restarts automatically at every renewal.

Such is our process. Must do due to policy.

Duplicate / missing domain names. Review each config file for domains in question and make sure the SSL Certificate file names are correct.

3 Likes

Depends on how you renew. You never said.

3 Likes

Had done.

In my case it is like I wrote: restarts automatically during every renewal. I set it up that way.

I'm out of time. We're mostly volunteers here. Certs are just files. Nothing magical.

An experienced set of eyes could help you but without details it's just impractical. At least for me. Maybe someone else will be able to help. Good luck.

3 Likes

Yet from here you said

and

a restart is stopping and restarting.

3 Likes

Yet Migration from Windows to Linux September, 2022.

3 Likes

Thanks for investigating me! But you are confusing things that "are" with things that "would be". Since I did not get answers that I was hoping for, the migration never happened. :slight_smile:

The two most important pieces to your solution are:

Listing the certificates managed by your ACME client.
[don't know which you used]
If certbot, show:
certbot certificates
If other, check their documentation.

The final piece is the script that copies those certificate files around.

With all those pieces, the puzzle will become clear.

4 Likes
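The last piece named here is the copy script. An added example (not the thread's script, and not certbot's own) of the check such a script should run before it touches Apache: compare the deployed .crt/.key copies against the ACME client's /live/ originals by hash, and report when two domains ended up with byte-identical certificates, which is the symptom in the question. The directory layout (LIVE_ROOT/<domain>/fullchain.pem and privkey.pem, DEPLOY_ROOT/<domain>.crt and .key) and the two root paths are assumptions modelled on the C:\Certbot\Live\domain3.com\ path mentioned above.

```python
"""Verify deployed certificate copies against the ACME client's live files.
Added example, not the thread's copy script.  Paths and layout are assumed."""
from __future__ import annotations
import hashlib
from pathlib import Path

LIVE_ROOT = Path("C:/Certbot/Live")         # assumed certbot live directory
DEPLOY_ROOT = Path("C:/Apache24/conf/ssl")  # assumed location of the copies
DOMAINS = ["domain1.com", "domain2.com", "domain3.com"]  # constructed list


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large chains cost no extra memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_deployment(live_root: Path, deploy_root: Path, domains: list[str]) -> list[str]:
    """Return findings: missing files, copies that differ from /live/, and
    certificates that are identical across two or more deployed domains."""
    findings = []
    deployed_hashes: dict[str, list[str]] = {}
    for d in domains:
        pairs = [(live_root / d / "fullchain.pem", deploy_root / f"{d}.crt"),
                 (live_root / d / "privkey.pem", deploy_root / f"{d}.key")]
        for src, dst in pairs:
            if not src.exists():
                findings.append(f"{d}: missing source {src}")
                continue
            if not dst.exists():
                findings.append(f"{d}: missing deployed copy {dst}")
                continue
            if sha256_of(src) != sha256_of(dst):
                findings.append(f"{d}: {dst.name} differs from {src} (stale or wrong copy)")
        crt = deploy_root / f"{d}.crt"
        if crt.exists():
            deployed_hashes.setdefault(sha256_of(crt), []).append(d)
    # Two vhosts serving the very same certificate is the thread's symptom.
    for digest, owners in deployed_hashes.items():
        if len(owners) > 1:
            findings.append(
                f"identical certificate deployed for {', '.join(owners)} ({digest[:12]}...)")
    return findings


if __name__ == "__main__":
    problems = check_deployment(LIVE_ROOT, DEPLOY_ROOT, DOMAINS)
    for line in problems or ["all deployed copies match /live/"]:
        print(line)
    raise SystemExit(1 if problems else 0)
```

Running this as a post-copy gate (non-zero exit aborts the Apache restart) turns a silent mix-up into a failed renewal job that someone sees, rather than a wrong certificate served for weeks.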
