HTTP works and redirects to HTTPS, but not HTTPS

My domain is:
www.haveibeenexploited.com, haveibeenexploited.com
I ran this command:
Entered https://haveibeenexploited.com
It produced this output:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is haveibeenexploited.com ; its security certificate is from *.haveibeenexploited.com . This may be caused by a misconfiguration or an attacker intercepting your connection.

My web server is (include version):
It is a react App
The operating system my web server runs on is (include version):
Ubuntu 18.04 LTS
My hosting provider, if applicable, is:
godaddy
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.27.0

Other things
So everything works pretty great with certbot and I got excellent help 1-2 days ago here (for free of all things, crazy). I made a DNS wildcard cert and it worked great. But I realized I didn't cover the other alternate domain http://haveibeenexploited.com (or at least I think it didn't; and I probably didn't need the wildcard). So I got a cert for haveibeenexploited.com with the --webroot option.

What is weird is that http://haveibeenexploited.com works in the browser and redirects to https as my app's been directed to do, but when I type https://haveibeenexploited.com in the browser, I get the error message about the cert. Any ideas why?

https://www.ssllabs.com/ssltest/analyze.html?d=haveibeenexploited.com
shows the name mismatch/security problem:

It works when you add the WWW:
https://www.ssllabs.com/ssltest/analyze.html?d=www.haveibeenexploited.com

You do need to replace that cert with both names (if you expect to use the root domain).
or maybe you already have a “better” cert…
Please show the output of:
certbot certificates


Thanks rg for the quick reply.

Yes, it is a minor issue that it doesn't work in this one case without the www.

Replace the *.haveibeenexploited.com cert with both names?

I did the DNS cert on a separate machine....so here is that output of certbot certificates there:

Found the following certs:
Certificate Name: haveibeenexploited.com
Domains: *.haveibeenexploited.com
Expiry Date: 2020-05-31 15:31:52+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/haveibeenexploited.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/haveibeenexploited.com/privkey.pem


And here is the output on the other machine:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Attempting to parse the version 1.2.0 renewal configuration file found at /etc/letsencrypt/renewal/haveibeenexploited.com-0001.conf with version 0.27.0 of Certbot. This might not work.
Renewal configuration file /etc/letsencrypt/renewal/haveibeenexploited.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: haveibeenexploited.com-0002
Domains: haveibeenexploited.com
Expiry Date: 2020-06-02 03:57:00+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/haveibeenexploited.com-0002/fullchain.pem
Private Key Path: /etc/letsencrypt/live/haveibeenexploited.com-0002/privkey.pem
Certificate Name: haveibeenexploited.com-0001
Domains: *.haveibeenexploited.com
Expiry Date: 2020-05-31 17:01:14+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/haveibeenexploited.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/haveibeenexploited.com-0001/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/haveibeenexploited.com.conf

I may have moved the DNS cert to the second machine to "make up" for my making the DNS cert on the first machine.

*.haveibeenexploited.com
AND
haveibeenexploited.com
[they look alike but are not one and the same - like your children may have your last name but they are NOT you]

So neither cert (on either machine) can cover both names, at the moment.
You need to rerun the cert process and include both names:
-d '*.haveibeenexploited.com' -d haveibeenexploited.com
switch to the new cert
then delete the unused ones.

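The name-matching rule behind this advice (and behind the browser's NET::ERR_CERT_COMMON_NAME_INVALID error above) is worth seeing in code: a wildcard SAN such as `*.haveibeenexploited.com` matches exactly one extra label, so it covers `www.haveibeenexploited.com` but never the bare apex name. The following script is an added example written for this thread, not Certbot's code or the poster's; it parses the plain-text layout that `certbot certificates` prints (the same layout quoted earlier in the thread, with its names and paths reused as a constructed sample) and reports, for each certificate, which of the required hostnames it fails to cover. The function names and the sample text are this example's own.

```python
"""Check which hostnames each certificate in `certbot certificates` output covers.

Added example for this thread (not from Certbot or the original poster).
Applies the RFC 6125 wildcard rule: '*.example.com' matches exactly one
DNS label (www.example.com), never the apex (example.com) and never
two labels (a.b.example.com).
"""
import re

# Constructed sample: mirrors the `certbot certificates` output quoted
# in the thread (certificate names and paths taken from there).
SAMPLE_CERTBOT_OUTPUT = """\
Found the following certs:
  Certificate Name: haveibeenexploited.com-0002
    Domains: haveibeenexploited.com
    Expiry Date: 2020-06-02 03:57:00+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/haveibeenexploited.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/haveibeenexploited.com-0002/privkey.pem
  Certificate Name: haveibeenexploited.com-0001
    Domains: *.haveibeenexploited.com
    Expiry Date: 2020-05-31 17:01:14+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/haveibeenexploited.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/haveibeenexploited.com-0001/privkey.pem
"""


def name_matches(san: str, hostname: str) -> bool:
    """Match one SAN dNSName entry against a hostname (case-insensitive).

    A leading '*.' wildcard stands for exactly one label, so
    '*.haveibeenexploited.com' covers 'www.haveibeenexploited.com'
    but not 'haveibeenexploited.com' or 'a.b.haveibeenexploited.com'.
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san.startswith("*."):
        suffix = san[2:]
        head, sep, tail = hostname.partition(".")
        return sep == "." and head != "" and tail == suffix
    return san == hostname


def covers(sans, hostnames):
    """Return the hostnames that no entry in `sans` matches (empty = fully covered)."""
    return [h for h in hostnames if not any(name_matches(s, h) for s in sans)]


def parse_certbot_certificates(text: str):
    """Parse `certbot certificates` text into {cert_name: {"domains": [...], "path": ...}}."""
    certs = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Certificate Name:\s*(\S+)", line)
        if m:
            current = m.group(1)
            certs[current] = {"domains": [], "path": None}
            continue
        if current is None:
            continue
        m = re.match(r"Domains:\s*(.*)", line)
        if m:
            # Certbot lists the SANs space-separated on one line.
            certs[current]["domains"] = m.group(1).split()
            continue
        m = re.match(r"Certificate Path:\s*(\S+)", line)
        if m:
            certs[current]["path"] = m.group(1)
    return certs


def report(text: str, required):
    """Map each certificate name to the required hostnames it does NOT cover."""
    return {name: covers(info["domains"], required)
            for name, info in parse_certbot_certificates(text).items()}


if __name__ == "__main__":
    wanted = ["haveibeenexploited.com", "www.haveibeenexploited.com"]
    for name, missing in report(SAMPLE_CERTBOT_OUTPUT, wanted).items():
        status = "covers both names" if not missing else "does NOT cover %s" % missing
        print("%s: %s" % (name, status))
```

Run against the sample, neither of the two certificates covers both names, which is exactly the situation the reply above describes; a certificate issued with both `-d '*.haveibeenexploited.com'` and `-d haveibeenexploited.com` yields an empty "missing" list.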

Okay, thanks for the extra clarifications (I need it).

So I

  1. ran
    sudo certbot certonly --webroot -w /web/server/path -d www.haveibeenexploited.com -d haveibeenexploited.com and got the new certs.

  2. Deleted the DNS certificate I had on my first machine (with sudo certbot delete --cert-name haveibeenexploited.com) and then also removed the .txt record I had for the DNS challenge on godaddy.

But the cert still shows as *.haveibeenexploited.com and I still have the same issue.

Also, I realized my code was redirecting the buggy http://haveibeenexploited.com to https://www.haveibeenexploited.com, so after changing that back, now neither the http nor the https version of haveibeenexploited.com works.

Hi @Danc2050

You have to install the certificate if you use certonly. At minimum, a restart of your webserver is required.


STEP #1:

[your site is still using the old cert]

STEP #2:

For #1, you can use certbot certificates to show you the complete path and name of the new cert.


Oh man…if it was any simpler it would be breathing.

Thank you both so much, it works great now!
