How do I correct an incorrect Common Name


#1

On my VPS (running Debian Jessie) I have three sites being served by Nginx: xxx.com, yyy.info and testing.yyy.info. I had LE make two certificates, one for xxx.com and another to be shared by yyy.info and its subdomain. In xxx.com’s site config it references its certificate, but when I go look at the certificate through my web browser it says the Common Name is yyy.info instead of xxx.com.

How do I fix this?

I’m using Certbot 0.8.0-1~bpo8+2 and Nginx 1.6.2-5+deb8u2

This isn’t a critical issue as I can browse the sites just fine; I’d like to keep them separate as much as possible.

Thanks


#2

If there really are two certificates, then somehow the nginx configuration is wrongly pointing to the .info certificate for the xxx.com site, and if you can’t figure out why you might try uploading the configuration, or excerpts from it, for people here to examine.

It’s also possible, I guess, that you actually didn’t end up asking for two different certificates after all, since you say you can “browse the sites just fine”, which suggests the certificate being used is actually valid for any site you’re visiting. Your web browser should have a way to examine the certificate more closely and in there view “Subject Alternative (or Alternate) Names” (SANs), which are all the names the certificate is valid for. The CN is essentially obsolete at this point, though it’s the first thing the browser displays up front.


#3

Thanks for the reply. I’ll triple check the Nginx configs. Under “Certificate Subject Alt Name” for the certificate for xxx.com it lists yyy.info, xxx.com and testing.yyy.info in that order.


#4

Right, so this is one certificate that’s valid for all three names. You might want to check exactly which certificates you actually do have: is it just this one, or is there also one for just the .info names, or one for just the .com name?


#5

The certificate for yyy.info and testing.yyy.info correctly lists only those domains for their shared certificate. I guess I should just make a new cert for xxx.com?


#6

If you want to, yes. Note that if you signed up with your email address, Let’s Encrypt will warn you when the cert you don’t want (with all three names) expires, even if you’re happily renewing the other certificates with two and one name respectively. The warnings are harmless; if you know you intended for that combination of names in a certificate to expire, you don’t need to do anything, but I thought I’d mention it before it happens.
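
An added example, not part of the thread: a Python sketch of the check discussed in posts #2 to #4, comparing each Nginx server block's `server_name` list with the SANs of the certificate its `ssl_certificate` directive points to. The config, file paths and certificate text are constructed for illustration, and the parser assumes no wildcard names and no commented-out directives.

```python
import re

# Constructed inputs: an nginx config and `openssl x509 -noout -text` excerpts.
CONF = """
server {
    server_name xxx.com;
    ssl_certificate     /constructed/three.pem;
    ssl_certificate_key /constructed/three.key;
    location / { root /var/www/xxx; }
}
server {
    server_name yyy.info testing.yyy.info;
    ssl_certificate     /constructed/two.pem;
}
"""
SAN = "X509v3 Subject Alternative Name: \n    "
CERT_TEXTS = {
    "/constructed/three.pem": SAN + "DNS:yyy.info, DNS:xxx.com, DNS:testing.yyy.info\n",
    "/constructed/two.pem": SAN + "DNS:yyy.info, DNS:testing.yyy.info\n",
}

def server_blocks(conf):
    """Yield (server_names, cert_path) for every server { } block."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        names = re.search(r"\bserver_name\s+([^;]+);", body)
        cert = re.search(r"\bssl_certificate\s+([^;\s]+)\s*;", body)
        if names and cert:
            yield names.group(1).split(), cert.group(1)

def san_names(openssl_text):
    """Return the DNS entries from the Subject Alternative Name extension."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n([^\n]+)", openssl_text)
    return re.findall(r"DNS:([^,\s]+)", m.group(1)) if m else []

def audit(conf, cert_texts):
    """Per server block: names its cert lacks, and extra names the cert carries."""
    rows = [(n, p, san_names(cert_texts.get(p, ""))) for n, p in server_blocks(conf)]
    return [{"cert": path, "uncovered": [x for x in names if x not in sans],
             "extra": [x for x in sans if x not in names]} for names, path, sans in rows]

if __name__ == "__main__":
    print(*audit(CONF, CERT_TEXTS), sep="\n")
```

A non-empty `extra` list for the xxx.com block is the situation described in post #3: the site works, but its certificate also names the other sites. On a real host the certificate text would come from `openssl x509 -in <cert file> -noout -text`.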

