How to test "certificate name mismatch" problem and fix?

Here is my configuration from whynopadlock

https://www.whynopadlock.com/results/dede5164-accf-49b1-9105-435f17bdbf41

SSL Certificate Info

Certificate Issuer: Let’s Encrypt
Certificate Type: Let’s Encrypt Authority X3
Issued On: 2019-09-23

Force HTTPS: Your webserver is not forcing the use of SSL. You may want to add a redirect to ensure a secure connection is used.

Valid Certificate: Your SSL Certificate is installed correctly.

Domain Matching: Your SSL certificate does not match your domain name!
Protected Domains:

Signature: Your SSL certificate is using a sha256 signature!

Expiration Date: Your SSL certificate is current. Your SSL certificate expires in 89 days. (2019-12-22)

Protocols: You currently have TLSv1 enabled. This version of TLS is being phased out. This warning won’t break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.

So, how do I troubleshoot this? I’m running Ubuntu 18.04 on nginx 1.14.2. This setup is for a Wordpress site. The host has it set up under two separate nginx conf files: one for wordpress ssl and one for non-ssl. Here is the SSL conf file:

```nginx
server {
    listen 443 ssl default_server;
    server_name _;
    #server_name wordpress.example.com;

    ssl_certificate /etc/letsencrypt/live/shapingla.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/shapingla.com/privkey.pem;
    # (rest of the server block not included in the post)
}
```

Keep in mind, I have not done any web development in a while and hosts always set up these wacky nginx configs, so I’m floundering here, slightly. Any tips, tricks. Any way to figure out what the hell is going on here? I don’t have any sites-available/sites-enabled config files. Just these guys… as far as I know.

I can only assume that the SSL settings are still sticking to a self-signed cert that was set up when the instance was generated.

Help plz.

Hi,

Please fill in the below form in order for us to help you:

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

Thank you


My domain is: shapingla.com (part of my comment already)
I ran: no command… The issue isn’t the output of a command. The issue is that my ssl doesn’t work. I posted an analysis of the SSL. Already explained this
I already explained what webserver I was running.
I already explained what my OS is.
My host is Vultr
I can run as root
I’m not using a control panel.
Certbot version 0.23.0

Well. As the web page said, you only requested a single-domain certificate, which will only secure shapingla.com. If you want to also secure the www version of your website, please add www.shapingla.com when you request that certificate.

For example: if you are using certbot, you should use certbot -d shapingla.com -d www.shapingla.com instead of certbot -d shapingla.com.

Thank you

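An added check, not from this thread or from certbot, that reproduces the scanner's "Domain Matching" verdict offline: it applies the SAN matching rules to two constructed certificates, one with only the apex name (as in the OP's `certbot certificates` output) and one with both names, and includes a helper to fetch a live server's leaf certificate for the same check. Names and hosts are taken from the thread; the `fetch_cert` helper and its behaviour are assumptions about the standard library, not something the thread shows.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# CERT_SINGLE mirrors the thread's `certbot certificates` output (apex name only);
# CERT_BOTH mirrors the two-name certificate the helper saw in CT logs.
CERT_SINGLE = {"subject": ((("commonName", "shapingla.com"),),),
               "subjectAltName": (("DNS", "shapingla.com"),)}
CERT_BOTH = {"subject": ((("commonName", "shapingla.com"),),),
             "subjectAltName": (("DNS", "shapingla.com"), ("DNS", "www.shapingla.com"))}


def cert_dns_names(cert):
    """DNS names the certificate is valid for. Only SANs count: browsers
    ignore the commonName, so a CN-only match is still a mismatch."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]


def _san_matches(pattern, host):
    # A wildcard is only honoured as the whole left-most label and covers
    # exactly one label: *.shapingla.com matches www.shapingla.com but
    # neither shapingla.com nor a.b.shapingla.com (RFC 6125 rules).
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def hostname_matches_cert(cert, hostname):
    """True when the hostname is covered by one of the certificate's DNS SANs."""
    host = hostname.lower().rstrip(".")
    return any(_san_matches(p, host) for p in cert_dns_names(cert))


def domain_matching_verdict(cert, hostname):
    """Same verdict as the scanner's 'Domain Matching' line, with the reason."""
    names = cert_dns_names(cert)
    if hostname_matches_cert(cert, hostname):
        return "OK: %s is covered by SANs %s" % (hostname, names)
    return "MISMATCH: %s is not in SANs %s" % (hostname, names)


def fetch_cert(hostname, port=443):
    """Fetch the leaf certificate a live server presents for this SNI name.
    The chain is still verified (a self-signed cert raises), but the name
    check is disabled so a mismatched cert can still be inspected here."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()
```

Running `domain_matching_verdict(fetch_cert("shapingla.com"), "www.shapingla.com")` reproduces the scanner result against the live host, and the file listed by `certbot certificates` can be inspected the same way with `openssl x509 -noout -ext subjectAltName -in fullchain.pem`.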

Cheers.

When I try to access https://shapingla.com, I still get a browser warning that the site is insecure. Will it not secure shapingla.com, either, if all certificates aren’t accounted for?

This is what I ran initially: sudo certbot certonly --manual --preferred-challenges dns

What should I do to remedy the problem? Should I revoke the original cert and then start over?

Your site has a redirect set up which redirects requests from shapingla.com to www.shapingla.com, which is causing the certificate error.

Also, upon checking the certificate transparency logs, it seems that you already have a certificate with both hostnames set up. Please run certbot certificates and share the result with us.

Now the case seems to be like this: You have a certificate with only one host, and a certificate with two hosts. You'll need to first find out where the second certificate is, then modify the Nginx virtual host configuration to use that certificate.

Nope. You already have the certificate issued. Also, revoking a certificate is often unnecessary if the keys aren't leaked to the public.

Thank you

I appreciate your help!

Forgive any daftness, but what does this mean, specifically: "Please run certbot certificates and share us your result."?

Am I running this? : certbot -d shapingla.com -d www.shapingla.com

What, if anything, do I have to do after I run that?

Please run the command certbot certificates and share the output with us...
This command is going to list all certificates on this system and their paths.

Please don't request a new certificate if the old one is still present.

Thank you


Here is the output. It looks like there must be another cert somewhere, because this one only works for shapingla.com
I really wish hosts wouldn’t do this automatically.
Any tips on how to find the others and get rid of them?

The only thing I can think of is that under /etc/nginx/ssl, there are two files: server.crt and server.key.
Should I recursively grep for these in the nginx folder?

```text
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: shapingla.com
    Domains: shapingla.com
    Expiry Date: 2019-12-22 17:38:35+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/shapingla.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/shapingla.com/privkey.pem
```

Edit: I’m assuming if I can find out where these are referenced in config, I can remove them? They don’t conform to the cert structure for Let's Encrypt certs (.crt instead of .pem, for example)… would it be feasible to replace them?

I’ve tried grepping recursively inside of /etc/nginx for:

"server.crt"
"server.key"
"/etc/nginx/ssl"

with: grep -Hrn "search term" path
It comes up with nothing.

Ok.

So since the old certificate is not found, you need to create a new one.
Also, is there a reason why you want to use manual DNS validation instead of HTTP validation? (Since the domain and server seem to be the same.)
Manual DNS validation... is really not good for renewal.

UPDATE: After digging around the web, there's an auth & cleanup hook for Vultr DNS that you might be able to take advantage of: GitHub - letsdebug/certbot-vultr-dns-auth-hook: An auth hook for Certbot to allow DNS validation against domains with their DNS hosted with Vultr.

```
certbot certonly --manual \ --manual-auth-hook "/etc/letsencrypt/vultr-dns.py create" \ --manual-cleanup-hook "/etc/letsencrypt/vultr-dns.py delete" \ -d "shapingla.com" -d "www.shapingla.com" \ --preferred-challenges dns-01
```

(You might need to reload your Nginx configuration after obtaining the certificate and deploying it.)

Please do not do anything before getting the new certificate.

Thank you


Also, I changed server_name _; to server_name shapingla.com www.shapingla.com; in both the http and https nginx blocks for wordpress.

That's a good move :slight_smile:
Now you only need to request the new certificate, then run certbot certificates and see what the full certificate path for the new certificate is, then find the Nginx virtual host (SSL/Port 443) and replace the previous reference with the new one.

Thank you


Thanks for all of your help so far. I git cloned the manual cleanup hook script (vultr-dns.py) to /etc/letsencrypt, and ran the command. I got back:

```
certbot: error: unrecognized arguments: --manual-auth-hook /etc/letsencrypt/vultr-dns.py create --manual-cleanup-hook /etc/letsencrypt/vultr-dns.py delete -d shapingla.com --preferred-challenges dns-01
```

Trying to sort out why. Really weird.

Looks like it could be a python/python3 conflict. Standby please.

Hi,

Did you include the double quotes around "/etc/letsencrypt/vultr-dns.py create" and "/etc/letsencrypt/vultr-dns.py delete"?

Thank you


I copy-pasted the command, initially. I may have missed them the second time. Just re-ran the command you included; it’s throwing the same thing:

```
jgrim@shapingla:~# certbot certonly --manual \ --manual-auth-hook “/etc/letsencrypt/vultr-dns.py create” \ --manual-cleanup-hook “/etc/letsencrypt/vultr-dns.py delete” \ -d “shapingla.com” -d “www.shapingla.com”\ --preferred-challenges dns-01
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --manual-auth-hook /etc/letsencrypt/vultr-dns.py create --manual-cleanup-hook /etc/letsencrypt/vultr-dns.py delete -d shapingla.com dns-01
```

It seems like it’s stripping the quotes or something…

Sorry, I forgot to remove the escape chars:

```
certbot certonly --manual --manual-auth-hook "/etc/letsencrypt/vultr-dns.py create" --manual-cleanup-hook "/etc/letsencrypt/vultr-dns.py delete" -d "shapingla.com" -d "www.shapingla.com" --preferred-challenges dns-01
```

Please use the above one.

Thank you


Will try this shortly and get back to you! Thanks again for everything you’re doing to help.