Help in fixing this commonname mismatch


#1

Hello All,
(I ask forgiveness ahead of time using generic names but the site is an adult workers discussion site)

I used certbot on my CentOS 6.5 Apache server. The script asks which of 2 names to use:

Which names would you like to activate HTTPS for?

1: blah.com
2: www.blah.com

I entered blank so it will do both. I checked my site with SSL Labs analyze and it gives an error message that says common name mismatch. It lists the name of the server as mail.blah.com. The server was given this name by the original sysadmin, who used it to create the postfix mail system. If I do a hostname -f it returns

[root@mail postfix]# hostname -f
mail.blah.com

I then did a certbot rollback to go back to the original non-https configuration. What can I do to resolve this?

Other file info while the Let's Encrypt SSL was installed:

/etc/httpd/conf/ssl.conf

certificate can be generated using the genkey(1) command.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

/etc/httpd/conf.d/httpd-le-ssl.conf

ServerName blah.com
ServerAlias 111.222.333.444 blah.com www.blah.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/blah.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/blah.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/blah.com/chain.pem


#2

What’s the output of the following command?

apachectl -S

#3

[root@mail user]# apachectl -S
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server blah.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost blah.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost blah.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias 111.222.333.444
alias blah.com
alias www.blah.com
*:80 is a NameVirtualHost
default server blah.com (/etc/httpd/conf/httpd.conf:1013)
port 80 namevhost blah.com (/etc/httpd/conf/httpd.conf:1013)
alias 111.222.333.444
alias blah.com
alias www.blah.com
Syntax OK


#4

Okay so it looks like the VirtualHost in /etc/httpd/conf.d/ssl.conf would be taking precedence over the (presumably correct) one in /etc/httpd/conf/httpd-le-ssl.conf - if I’m reading that right, it would mean that https://www.blah.com should work correctly (even if only to redirect to https://blah.com) but https://blah.com would be using the wrong VirtualHost and therefore the wrong certificate.

I believe you should be able to fix it by removing or commenting out the rogue VirtualHost in /etc/httpd/conf.d/ssl.conf on or around line 74 (back it up first obviously) and running certbot again. It should ask if you just want to reinstall the existing certificate, say yes.
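The precedence reasoning above can be checked mechanically. The following script is an added example and is not part of the thread or of certbot: it parses the `apachectl -S` output pasted in post #3 (embedded here verbatim, with the thread's placeholder hostnames and IP) and reports every hostname that more than one VirtualHost claims on the same port. Apache serves a name from the first matching VirtualHost it lists, so the first location reported for a name is the one actually answering and the rest are shadowed, which is exactly the blah.com-on-443 situation described above. The function and variable names are the example's own.

```python
import re
from collections import defaultdict

# `apachectl -S` output copied from post #3 of this thread (blah.com and
# 111.222.333.444 are the thread's placeholders, not real values).
APACHECTL_S_OUTPUT = """\
VirtualHost configuration:
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server blah.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost blah.com (/etc/httpd/conf.d/ssl.conf:74)
port 443 namevhost blah.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
alias 111.222.333.444
alias blah.com
alias www.blah.com
*:80 is a NameVirtualHost
default server blah.com (/etc/httpd/conf/httpd.conf:1013)
port 80 namevhost blah.com (/etc/httpd/conf/httpd.conf:1013)
alias 111.222.333.444
alias blah.com
alias www.blah.com
Syntax OK
"""

# "port 443 namevhost blah.com (/etc/httpd/conf.d/ssl.conf:74)"
VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+):(\d+)\)")
# "alias www.blah.com" lines belong to the vhost listed just before them
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(text):
    """Return the name-based vhosts in the order Apache listed them.

    Each entry: {"port", "name", "file", "line", "aliases"}.
    """
    vhosts = []
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name, path, lineno = m.groups()
            vhosts.append({"port": int(port), "name": name, "file": path,
                           "line": int(lineno), "aliases": []})
            continue
        m = ALIAS_RE.match(line)
        if m and vhosts:
            vhosts[-1]["aliases"].append(m.group(1))
    return vhosts


def find_conflicts(vhosts):
    """Map (port, hostname) -> [(file, line), ...] for every hostname that
    more than one vhost claims on the same port.  Order is Apache's listing
    order, so locs[0] is the vhost that actually serves the name."""
    claims = defaultdict(list)
    for v in vhosts:
        for host in [v["name"]] + v["aliases"]:
            loc = (v["file"], v["line"])
            key = (v["port"], host)
            if loc not in claims[key]:      # ServerName repeated as alias
                claims[key].append(loc)
    return {k: locs for k, locs in claims.items() if len(locs) > 1}


def report(text):
    """Human-readable lines, one per shadowed hostname."""
    lines = []
    for (port, host), locs in sorted(find_conflicts(parse_vhosts(text)).items()):
        winner = "%s:%d" % locs[0]
        shadowed = ", ".join("%s:%d" % loc for loc in locs[1:])
        lines.append(f"port {port}: {host} is served by {winner}; "
                     f"shadowed definition(s): {shadowed}")
    return lines


if __name__ == "__main__":
    for line in report(APACHECTL_S_OUTPUT) or ["no shadowed vhosts found"]:
        print(line)
```

On a live box, pipe the real output in instead of the embedded sample (`apachectl -S 2>&1 | python3 vhostcheck.py`, after replacing the constant with `sys.stdin.read()`); the report should be empty once the duplicate `_default_:443` block in ssl.conf is gone and only the certbot-written VirtualHost claims blah.com and www.blah.com on 443.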


#5

Thank you for your assistance. Line 74 in ssl.conf is

<VirtualHost _default_:443 >

I will make a backup, then comment that out and run certbot again and let you know the results.


#6

Just in case it wasn’t clear, you should comment out everything from there down to the following </VirtualHost>, not just that one line :slight_smile:


#7

Thanks for that clarification. There were quite a few lines for that Virtual host definition. I removed them all and reran certbot. This time success! The site is showing SECURE on every web page.

Greatly appreciated!

