Hostname/IP does not match certificate's altnames

Very very TRUE! 🙂

1 Like

Found the following certs:

  Certificate Name: atavismxi.com
    Serial Number: 4940b2698832ade02d307e1d37695cba89e
    Key Type: ECDSA
    Domains: atavismxi.com
    Expiry Date: 2024-03-27 12:21:03+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/atavismxi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/atavismxi.com/privkey.pem
  Certificate Name: cloud.atavismxi.com
    Serial Number: 3437bd4c726304827163f5c46fe595e9f13
    Key Type: ECDSA
    Domains: cloud.atavismxi.com
    Expiry Date: 2024-03-25 14:45:14+00:00 (VALID: 86 days)
    Certificate Path: /etc/letsencrypt/live/cloud.atavismxi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/cloud.atavismxi.com/privkey.pem
  Certificate Name: www.atavismxi.com
    Serial Number: 4d8138506751f5d5ec7e215b394cc218d77
    Key Type: ECDSA
    Domains: www.atavismxi.com
    Expiry Date: 2024-03-27 12:21:24+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/www.atavismxi.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.atavismxi.com/privkey.pem

I'm only going to www.atavismxi.com

Maybe I have a route somewhere that's trying to reach it by IP. Not sure.......

I'm not even sure what triggers the error to pop up every now and then.

Is the later error with the IP address happening when using your app or is it only something you notice in your log? If the latter then it might just be some bot poking your domain's IP address.

2 Likes

You have 3 certs each with just one domain name in it. You should still re-issue your cert with both the root and www domains in it. Your cert should include each name in the nginx server block.

That was what was causing the original error in your first post. This should update the cert you are using in nginx to have both names:

sudo certbot --nginx --cert-name www.atavismxi.com -d www.atavismxi.com -d atavismxi.com

You will be prompted about adding a name to the cert. So choose to update it when asked.

Once we confirm that is working we will instruct how to delete the unneeded cert. You don't want to be renewing that.

2 Likes

OR
You could use those individual certs, with their individual names, in individually separated vhost configs.
Not an ideal solution, but you could then [easily] redirect from one of the two vhosts to the other vhost.

1 Like
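The check behind both suggestions above (one cert carrying every name, or one vhost per cert) is that each `server_name` in an nginx server block appears in the certificate that block serves. The following is an added example, not part of the thread: the nginx configuration and the function names are constructed, and the certbot listing is trimmed from the output posted earlier.

```python
import re

# Constructed sample: `certbot certificates` output trimmed to the fields used here.
CERTBOT_OUTPUT = """\
  Certificate Name: atavismxi.com
    Domains: atavismxi.com
    Certificate Path: /etc/letsencrypt/live/atavismxi.com/fullchain.pem
  Certificate Name: www.atavismxi.com
    Domains: www.atavismxi.com
    Certificate Path: /etc/letsencrypt/live/www.atavismxi.com/fullchain.pem
"""
# Constructed nginx config (assumption: the thread does not show the real one).
ONE_VHOST = """\
http {
  server {
    listen 443 ssl;
    server_name www.atavismxi.com atavismxi.com;
    ssl_certificate /etc/letsencrypt/live/www.atavismxi.com/fullchain.pem;
    location / { return 200; }
  }
}
"""

def cert_domains(certbot_text):
    """Map each Certificate Path to the set of names on its Domains line."""
    certs, domains = {}, set()
    for line in certbot_text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domains":
            domains = set(value.lower().split())
        elif key == "Certificate Path":
            certs[value.strip()] = domains
    return certs

def covered(name, sans):
    """Exact match, or a wildcard SAN standing in for exactly one leftmost label."""
    return name in sans or "*." + name.partition(".")[2] in sans

def uncovered_names(nginx_text, certs):
    """Return (server_name, cert_path) pairs where the served cert lacks the name."""
    problems, depth, start, names, path = [], 0, None, [], None
    for raw in nginx_text.splitlines():
        line = raw.split("#", 1)[0]                      # drop comments
        if start is None and re.match(r"\s*server\s*\{", line):
            start, names, path = depth, [], None         # entering a server block
        for key, val in re.findall(r"\b(server_name|ssl_certificate)\s+([^;]+);", line):
            if key == "server_name":
                names += val.lower().split()
            else:
                path = val.strip()
        depth += line.count("{") - line.count("}")
        if start is not None and depth == start:         # server block closed
            sans = certs.get(path, set())
            problems += [(n, path) for n in names if path and not covered(n, sans)]
            start = None
    return problems
```

Calling `uncovered_names(ONE_VHOST, cert_domains(CERTBOT_OUTPUT))` reports `atavismxi.com` against the `www.atavismxi.com` certificate; a certificate path that certbot does not list is treated as covering no names.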
