I’m trying to test Let’s Encrypt for my University and maybe I’m wrong but I’m receiving a certificate that is not for the domain I’m expecting. I’m using testletsencrypt1.upc.edu for this, that is a CNAME record pointed to lamp-pre.upcnet.es, that has a public IP associated.
The webroot is in /var/www/test1 and I’m using the following command: ./letsencrypt-auto certonly --keep-until-expiring -d testletsencrypt1.upc.edu --webroot -w /var/www/test1
It seems that the auth is fine because it finishes and gives me the “congratulations” message and the route of the full chain, like always, but after setting up everything in Apache and visiting the URL https://testletsencrypt1.upc.edu what I got is an ssl_error_bad_cert_domain error and it says that it is only valid for lamp-pre.upcnet.es and www.lamp-pre.upcnet.es, the same if I check the certificate info with: openssl s_client -connect testletsencrypt1.upc.edu:443
I never gave these names to Let’s Encrypt so I guess there is an issue with the CNAME record, but idk. I’m running out of ideas and I need help at this point, I’ll appreciate it.
Please be aware that there is a limit on the number of certificates issued for a domain (currently 5 per 7 day period). For testing it is best to use the --staging option, which doesn’t have the same limits.
First, true, my bad: the certificate is not the one issued by Let’s Encrypt! Then the topic is absolutely different and the title is nonsense, sorry about that.
I configured Apache the way LE does when you get+install with the --apache option, I basically copied the 443 related part from other server changing the domain names and double-checking the routes, those files are soft links to the cert files, as expected:
I have to talk with the team who manages our systems. This is quite big and maybe there is something I don’t know about how this is working, so I will ask them, and no matter if I solve it or not I will come back here to update the status.
Okay, I’m back.
Sorry for all of this, everything is alright. It is just about our topology: if the balancers don’t have the correct certificate they use the default for that node, and then this happens. This is specific to our network, so I edited the title.
Now I can continue with my project. Thank you very much.
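Added example, not part of the original thread: a Python check that reports which names the certificate actually served on port 443 covers, which is how a load balancer answering with its default certificate shows up. The function names and the issuer value in the sample are assumptions; the sample dict is constructed in the shape `ssl.SSLSocket.getpeercert()` returns, using the two names quoted in the thread.

```python
import socket
import ssl

def fetch_peer_cert(host, port=443, timeout=5.0):
    """Fetch the served certificate; the chain is validated, the hostname is not."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # inspect a mismatching cert instead of aborting on it
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """DNS entries of the subjectAltName extension, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == host

def issuer_org(cert):
    """organizationName of the issuer, or None if absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None

def diagnose(cert, expected_host):
    """Return 'ok' or a message naming what the endpoint really serves."""
    names = dns_names(cert)
    if any(name_matches(n, expected_host) for n in names):
        return "ok"
    return "mismatch: served certificate covers %s (issuer: %s), not %s" % (
        ", ".join(names) or "no DNS names", issuer_org(cert), expected_host)

# Constructed sample; the issuer is a placeholder, not a value from the thread.
SAMPLE = {
    "issuer": ((("organizationName", "Example CA (placeholder)"),),),
    "subjectAltName": (("DNS", "lamp-pre.upcnet.es"),
                       ("DNS", "www.lamp-pre.upcnet.es")),
}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "testletsencrypt1.upc.edu"))
```

Against a live host, `diagnose(fetch_peer_cert(host), host)` gives the same report; a mismatch whose issuer is not the CA you requested from means another TLS endpoint is answering before the web server you configured.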