Hostname/IP does not match certificate's altnames

Hello certbot peoples. I have had a website at www.atavismxi.com for some time. I recently moved the domain name from netlify.com to name.com. Netlify handled the SSL cert when the site was on netlify. Since I transferred the domain from netlify to name.com I have hosted the website on a local server and used certbot to get a cert. Got the cert from certbot no problem. But now my system log shows this error every now and then:

18:33:39 [ERROR] [@astrojs/node] Could not render /merchant/z/payment/?order=1
TypeError: fetch failed
    at Object.fetch (node:internal/deps/undici/undici:11372:11)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async #renderError (file:///home/grahf/atavismxiwebsite/dist/server/entry.mjs:1724:27)
    at async file:///home/grahf/atavismxiwebsite/dist/server/entry.mjs:1981:26 {
  cause: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: atavismxi.com. is not in the cert's altnames: DNS:www.atavismxi.com
      at new NodeError (node:internal/errors:406:5)
      at Object.checkServerIdentity (node:tls:337:12)
      at TLSSocket.onConnectSecure (node:_tls_wrap:1669:27)
      at TLSSocket.emit (node:events:514:28)
      at TLSSocket._finishInit (node:_tls_wrap:1070:8)
      at ssl.onhandshakedone (node:_tls_wrap:856:12) {
    reason: "Host: atavismxi.com. is not in the cert's altnames: DNS:www.atavismxi.com",
    host: 'atavismxi.com',
    cert: {
      subject: [Object: null prototype],
      issuer: [Object: null prototype],
      subjectaltname: 'DNS:www.atavismxi.com',
      infoAccess: [Object: null prototype],
      ca: false,
      bits: 256,
      pubkey: <Buffer 04 48 b3 80 7c 2b a8 f5 6b 6b 53 1c c5 a5 d5 21 52 1c 3d 34 c4 43 7d 77 c6 cf 64 cd 48 a6 b8 b1 1e e1 dc 03 5b 48 93 c4 a2 5d 49 6b 51 e2 74 15 56 f8 ... 15 more bytes>,
      asn1Curve: 'prime256v1',
      nistCurve: 'P-256',
      valid_from: 'Dec 23 22:25:33 2023 GMT',
      valid_to: 'Mar 22 22:25:32 2024 GMT',
      fingerprint: '30:2D:32:BC:8A:D8:A4:AE:7E:B8:98:DA:EA:79:45:07:83:A9:D7:85',
      fingerprint256: 'A4:8C:E5:F6:38:51:30:C3:05:81:5C:9A:93:AD:BA:72:5B:D1:FC:75:71:43:2D:03:A6:32:7B:71:2F:FA:AE:E7',
      fingerprint512: 'BD:35:4B:27:16:D4:18:97:45:3F:83:F1:19:B6:59:66:30:2A:15:88:97:D3:EA:DD:19:F7:5D:C8:7A:3B:0D:D8:02:85:29:66:0C:D9:F6:4B:E2:D1:0C:FD:69:51:6E:78:E9:0F:FE:50:58:5C:3E:7C:D0:95:E1:26:09:9D:EB:68',
      ext_key_usage: [Array],
      serialNumber: '03B092E73CF31783A3F2DBF6C2CED8AF0737',
      raw: <Buffer 30 82 04 23 30 82 03 0b a0 03 02 01 02 02 12 03 b0 92 e7 3c f3 17 83 a3 f2 db f6 c2 ce d8 af 07 37 30 0d 06 09 2a 86 48 86 f7 0d 01 01 0b 05 00 30 32 ... 1013 more bytes>,
      issuerCertificate: [Object]
    },
    code: 'ERR_TLS_CERT_ALTNAME_INVALID'
  }
}

Is there a way to add an altname to the cert?

My domain is: www.atavismxi.com

I ran this command: hmmm... I think it was just sudo certbot --nginx

It produced this output: Not certain but it gave me a certificate

My web server is (include version): nginx 1.22

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: name.com

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 2.1.0

Hello @Grahf0085, welcome back to the Let's Encrypt community. :slightly_smiling_face:

The certificate presently being served https://decoder.link/sslchecker/atavismxi.com/443 only has

Common Name:	www.atavismxi.com
SANs:			DNS:www.atavismxi.com
				Total number of SANs: 1

The certificate does not contain atavismxi.com, only www.atavismxi.com.

1 Like

A list of previously issued certificates is here crt.sh | atavismxi.com
They contained atavismxi.com and a wildcard *.atavismxi.com.

1 Like

Yeah, you need to have both domain names in your cert. Either by using a wildcard or just adjusting your nginx server config and re-running your certbot command.

You should have both names in your server_name like:

server_name atavismxi.com www.atavismxi.com;

Certbot with --nginx would have seen both and asked which names you wanted in your certs. It will still do that once you adjust your nginx config. It will then replace your existing cert.

You may need to fix the server_name in both your server blocks. I am not sure Certbot will do that for you.

2 Likes

So I feel like I need to add atavismxi.com to the cert somehow to stop the errors. Unless the errors don't matter? Is that possible? Or maybe I need to delete the cert and get a new cert. If I got a new cert... to add the domain atavismxi.com (to stop the error), would I edit my nginx configuration? Right now it looks like this:

server {
  listen 81;
  server_name www.atavismxi.com;

So maybe if I changed it to this:

server {
  listen 81;
  server_name atavismxi.com www.atavismxi.com;

Then I think certbot would get the cert for both domains?

Hah I just replied to Bruce asking if I should change my server name........ OK cool that makes sense.
Thanks for the confirmation. I was thinking I had to delete the cert first and everything would blow up and I'd be homeless.

2 Likes

What's up with that "81"?

2 Likes

Yeah, that changes my comment. The --nginx plugin, by default, looks for a server block for port 80. If one does not exist, it creates a temp default one and removes it after the cert request. This would likely lead to poor results.

We need to know why you chose port 81 for that server block.

I see nginx responding on port 80 so that seems like a typo. But, best if you clarify.

2 Likes

Side note:

$ nmap -Pn -p80,81,443 atavismxi.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-27 19:58 PST
Nmap scan report for atavismxi.com (98.25.54.173)
Host is up (0.11s latency).
rDNS record for 98.25.54.173: 098-025-054-173.res.spectrum.com

PORT    STATE    SERVICE
80/tcp  open     http
81/tcp  filtered hosts2-ns
443/tcp open     https

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

Best Practice - Keep Port 80 Open

The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

1 Like

No, but they could be mapping port 80 to the nginx port 81 with a router or something. In which case they could use the --http-01-port 81 option. But, I have a feeling their port 81 server block is not being used at all and nginx is handling HTTP requests in its default server block.

We need to have them explain port 81.

2 Likes

Fair enough @MikeMcQ ; thanks again! :slight_smile:

1 Like

I removed the port 81, changed the server_name to include atavismxi.com, and re-ran certbot --nginx.

I'm still getting a slightly different error in the logs. My nginx conf looks like this:

server {
  server_name atavismxi.com www.atavismxi.com;
  location / {
    proxy_pass http://localhost:2005;
    include proxy_params;
  }
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/www.atavismxi.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/www.atavismxi.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = atavismxi.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
    if ($host = www.atavismxi.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot
  listen 80;
  server_name atavismxi.com www.atavismxi.com;
    return 404; # managed by Certbot
}

The error says: cause: Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: IP: 98.25.54.173 is not in the cert's list:

Please show how the HTTP and HTTPS reaches your server.
[is there a NAT, or port forwarding, device inline ahead of it?]

2 Likes

Are you trying to connect to the website by IP address by any chance?

2 Likes

It doesn't look like you got a fresh cert with both domain names in it. What command did you use exactly when re-running Certbot? And, what answers did you give to any prompts?

This won't fix the error about the IP address not in the cert. It's another issue to resolve though.

What does this show?

sudo certbot certificates
2 Likes

I do not think so.
FAILS - https://decoder.link/sslchecker/atavismxi.com/443
PASS - https://decoder.link/sslchecker/www.atavismxi.com/443

Same IPv4 Address

$ nmap -Pn -p80,443 atavismxi.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 10:47 PST
Nmap scan report for atavismxi.com (98.25.54.173)
Host is up (0.11s latency).
rDNS record for 98.25.54.173: 098-025-054-173.res.spectrum.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
$ nmap -Pn -p80,443 www.atavismxi.com
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-28 10:47 PST
Nmap scan report for www.atavismxi.com (98.25.54.173)
Host is up (0.11s latency).
rDNS record for 98.25.54.173: 098-025-054-173.res.spectrum.com

PORT    STATE SERVICE
80/tcp  open  http
443/tcp open  https

Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds

Same certificate

$ openssl s_client -showcerts -servername atavismxi.com -connect atavismxi.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.atavismxi.com
verify return:1
---
Certificate chain
 0 s:CN = www.atavismxi.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 28 12:21:25 2023 GMT; NotAfter: Mar 27 12:21:24 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = www.atavismxi.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4136 bytes and written 395 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
$ openssl s_client -showcerts -servername www.atavismxi.com -connect www.atavismxi.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.atavismxi.com
verify return:1
---
Certificate chain
 0 s:CN = www.atavismxi.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Dec 28 12:21:25 2023 GMT; NotAfter: Mar 27 12:21:24 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = www.atavismxi.com
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4137 bytes and written 399 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

Matching to this issued certificate https://search.censys.io/certificates/d7d2bd0add2478d60bbd83b45dfcee2986ce1c66bb6f61f37b0fd6f67c1041cc

1 Like

That's true...
But this error message is quite specific:

1 Like

Ok, but LE presently doesn't issue certificates for IP Addresses.

1 Like

Yes, therefore trying the IP address instead of a hostname might be causing OP that specific error.

3 Likes