Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
jenkins.yourmessagedelivered.com
I ran this command:
#!/bin/bash
# https://www.lab-time.it/2018/09/20/running-haproxy-and-lets-encrypt-on-docker/
certhosts=( jenkins.yourmessagedelivered.com www.imamjamilactionnetwork.org )
docker volume create letsencrypt-etc
docker volume create letsencrypt-var
for certhost in "${certhosts[@]}"
do
    echo "Creating or renewing ssl certificate for ${certhost}"
    docker run -i \
        --rm \
        --name certcont \
        --publish 8888:8888 \
        --volume "letsencrypt-etc:/etc/letsencrypt" \
        --volume "letsencrypt-var:/var/lib/letsencrypt" \
        certbot/certbot:latest \
        certonly --standalone -d "${certhost}" \
        --non-interactive \
        --preferred-challenges http \
        --agree-tos \
        --email hesco@yourmessagedelivered.com \
        --http-01-port=8888
    cat /var/lib/docker/volumes/letsencrypt-etc/_data/live/${certhost}/fullchain.pem /var/lib/docker/volumes/letsencrypt-etc/_data/live/${certhost}/privkey.pem > /data/etc/haproxy/certs/${certhost}.pem
done
# restart haproxy
docker exec -i ida8.yourmessagedelivered.com service haproxy stop
docker exec -i ida8.yourmessagedelivered.com service haproxy start
It produced this output:
root@dessalines021:~# /data/etc/haproxy/certs/bin/letsencryptrenewal.sh
letsencrypt-etc
letsencrypt-var
Creating or renewing ssl certificate for jenkins.yourmessagedelivered.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/jenkins.yourmessagedelivered.com-0001/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/jenkins.yourmessagedelivered.com-0001/privkey.pem
   Your cert will expire on 2020-12-15. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew all of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:
   Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
   Donating to EFF: https://eff.org/donate-le
cat: /var/lib/docker/volumes/letsencrypt-etc/_data/live/jenkins.yourmessagedelivered.com/fullchain.pem: No such file or directory
cat: /var/lib/docker/volumes/letsencrypt-etc/_data/live/jenkins.yourmessagedelivered.com/privkey.pem: No such file or directory
. . .
- Stopping haproxy haproxy
...done.
- Starting haproxy haproxy
[WARNING] 259/033417 (38232) : parsing [/etc/haproxy/haproxy.cfg:210] : a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
[WARNING] 259/033417 (38232) : parsing [/etc/haproxy/haproxy.cfg:211] : a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
[WARNING] 259/033417 (38232) : config : 'stats' statement ignored for frontend 'git_proxy' as it requires HTTP mode.
[WARNING] 259/033417 (38232) : config : 'stats' statement ignored for backend 'gitlab_git_cluster' as it requires HTTP mode.
[WARNING] 259/033417 (38233) : parsing [/etc/haproxy/haproxy.cfg:210] : a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
[WARNING] 259/033417 (38233) : parsing [/etc/haproxy/haproxy.cfg:211] : a 'redirect' rule placed after a 'use_backend' rule will still be processed before.
[WARNING] 259/033417 (38233) : config : 'stats' statement ignored for frontend 'git_proxy' as it requires HTTP mode.
[WARNING] 259/033417 (38233) : config : 'stats' statement ignored for backend 'gitlab_git_cluster' as it requires HTTP mode.
...done.
In the browser I see:
“Websites prove their identity via certificates, which are valid for a set time period. The certificate for jenkins.yourmessagedelivered.com expired on 12/29/2019.”
Examining the certificate, I am getting an incorrect Common Name: crm.www.wp.tns.gagreenparty.org
My web server is (include version):
Server version: Apache/2.4.29 (Ubuntu)
Server built: 2020-08-12T21:33:25
The operating system my web server runs on is (include version):
$ facter -p os
{
  architecture => "amd64",
  distro => {
    codename => "bionic",
    description => "Ubuntu 18.04.4 LTS",
    id => "Ubuntu",
    release => {
      full => "18.04",
      major => "18.04"
    }
  },
  family => "Debian",
  hardware => "x86_64",
  name => "Ubuntu",
  release => {
    full => "18.04",
    major => "18.04"
  },
  selinux => {
    enabled => false
  }
}
My hosting provider, if applicable, is:
self-hosted at local data center.
I can login to a root shell on my machine (yes or no, or I don’t know):
yes, on both the docker server and the docker container
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no.
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
docker image –
certbot/certbot:latest
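
In the output above, certbot saved the new certificate under `live/jenkins.yourmessagedelivered.com-0001/` while the script's `cat` reads `live/jenkins.yourmessagedelivered.com/`, and because `>` truncates its target before `cat` runs, the failed `cat` leaves an empty combined PEM behind. The following is an added example, not part of the original post: a replacement for the `cat` step that looks for suffixed lineage directories and only swaps the HAProxy PEM in once the new one is complete. The function names are hypothetical, and choosing the lineage by newest `fullchain.pem` modification time is an assumption made for this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Function names are hypothetical.

# Print the lineage directory under live/ for a host whose fullchain.pem is
# newest. Certbot names lineages "<host>", "<host>-0001", "<host>-0002", ...
newest_lineage() {
    local live_dir="$1" host="$2" dir best=""
    for dir in "$live_dir/$host" "$live_dir/$host"-[0-9][0-9][0-9][0-9]; do
        # Skip unmatched globs and lineages with a missing or empty file.
        [ -s "$dir/fullchain.pem" ] && [ -s "$dir/privkey.pem" ] || continue
        if [ -z "$best" ] || [ "$dir/fullchain.pem" -nt "$best/fullchain.pem" ]; then
            best="$dir"
        fi
    done
    [ -n "$best" ] && printf '%s\n' "$best"
}

# Build HAProxy's combined PEM (fullchain + key). The data is written to a
# temp file and renamed into place, so a failure never truncates the PEM
# that is already on disk.
build_haproxy_pem() {
    local live_dir="$1" host="$2" out_dir="$3" lineage tmp
    lineage=$(newest_lineage "$live_dir" "$host") || {
        echo "no usable certificate lineage for $host under $live_dir" >&2
        return 1
    }
    tmp=$(mktemp "$out_dir/.$host.pem.XXXXXX") || return 1
    if cat "$lineage/fullchain.pem" "$lineage/privkey.pem" > "$tmp"; then
        chmod 600 "$tmp" && mv -f "$tmp" "$out_dir/$host.pem"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Usage inside the loop, with the paths from the post:
#   build_haproxy_pem /var/lib/docker/volumes/letsencrypt-etc/_data/live \
#       "$certhost" /data/etc/haproxy/certs || exit 1
```

Exiting on failure before the HAProxy restart keeps the proxy on its previous certificate file instead of restarting it with a missing or empty one.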