Letsencrypt certbot wrong common name/subject alt names

My domain is: exwebsite.com

I ran this command: certbot-auto --apache

It produced this output:
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/exwebsite.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (may be subject to CA rate limits)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate for exwebsite.com and www.exwebsite.com
Created an SSL vhost at /etc/httpd/sites-available/exwebsite.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/exwebsite.com-le-ssl.conf
Enabling site /etc/httpd/sites-available/exwebsite.com-le-ssl.conf by adding Include to root configuration
Deploying Certificate to VirtualHost /etc/httpd/sites-available/exwebsite.com-le-ssl.conf
Redirecting vhost in /etc/httpd/sites-enabled/exwebsite.com.conf to ssl vhost in /etc/httpd/sites-available/exwebsite.com-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://exwebsite.com and
https://www.exwebsite.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/exwebsite.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/exwebsite.com/privkey.pem
    Your cert will expire on 2021-04-07. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the "certonly" option. To non-interactively renew all
    of your certificates, run "certbot-auto renew"

My web server is (include version): Apache/2.4.37

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.10.1

The non-www URL does not work. The browser gives the error "SEC_ERROR_UNKNOWN_ISSUER".

When I view the certificate in the browser, the Common Name and Subject Alt Name are "xxxx.members.linode.com".

hostnamectl returns "exwebsite.com"

Apache domain vhost config:
<VirtualHost *:80>
ServerName exwebsite.com
ServerAlias www.exwebsite.com
..............

Everything was working for at least a few weeks. Now it seems the certificate being served by Apache changed. I did change the configured host name of the system (/etc/hostname) to match the domain a few weeks ago, but everything was working after the change. I've tried running with the "certonly" and "-d" flags to set domain names, but the best I can get now is running with only the "--apache" flag. When I do this, the www.exwebsite.com URL works, but not exwebsite.com.


Hello @amlnch,

Could you please show the apache conf for your <VirtualHost *:443>?

Cheers,
sahsanu

<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName exwebsite.com
    ServerAlias www.exwebsite.com
    DocumentRoot /REDACTED
    ErrorLog /REDACTED
    CustomLog /REDACTED
    Header Set Pragma "no-cache"
    Header Set Expires "Thu, 1 Jan 1970 00:00:00 GMT"
    Header Set Cache-Control "max-age=0, no-store, no-cache, must-revalidate"
    Header Unset ETag
    FileETag None
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateFile /etc/letsencrypt/live/exwebsite.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/exwebsite.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/exwebsite.com/fullchain.pem
</VirtualHost>
</IfModule>

I added "SSLCertificateChainFile".


Remove it from the conf file, your Apache version doesn't need that directive.

Once you remove the SSLCertificateChainFile, that conf file will be fine, so it seems there is another conf file where you are using ServerName or ServerAlias with launchnotifyr.com, maybe the default one.

Could you please check it?

apachectl -S

or

grep -Eri '(servername|serveralias)' /etc/apache2/*


Removed SSLCertificateChainFile.

apachectl -S returns nothing. I think I have to run httpd -S for my platform.

Please try not to quote any sensitive data as I will delete it later.

httpd -S output:

VirtualHost configuration:
*:80                   exwebsite.com (/etc/httpd/sites-enabled/exwebsite.com.conf:1)
*:443                  is a NameVirtualHost
         default server exwebsite.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost exwebsite.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost exwebsite.com (/etc/httpd/sites-enabled/exwebsite.com.conf:18)
                 alias www.exwebsite.com

You have defined a ServerName directive with your domain in /etc/httpd/conf.d/ssl.conf and that is the reason it isn't reaching the VirtualHost you have defined in /etc/httpd/sites-enabled/launchnotifyr.com.conf, so you should change the ServerName in /etc/httpd/conf.d/ssl.conf or configure it correctly to use your cert, etc.


I have not edited that file. It seems like a default config file. Does certbot edit this file at any point?

line 40: <VirtualHost _default_:443>

ssl.conf lines 0-55:

#
# When we also provide SSL we have to listen to the 
# standard HTTPS port in addition.
#
Listen 443 https

##
##  SSL Global Context
##
##  All SSL configuration in this context applies both to
##  the main server and all SSL-enabled virtual hosts.
##

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First the mechanism 
#   to use and second the expiring timeout (in seconds).
SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
SSLSessionCacheTimeout  300

#
# Use "SSLCryptoDevice" to enable any supported hardware
# accelerators. Use "openssl engine -v" to list supported
# engine names.  NOTE: If you enable an accelerator and the
# server does not start, consult the error logs and ensure
# your accelerator is functioning properly. 
#
SSLCryptoDevice builtin
#SSLCryptoDevice ubsec

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

# Use separate log files for the SSL virtual host; note that LogLevel
# is not inherited from httpd.conf.
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

As the hostname of your server is launchnotifyr.com, Apache uses it as the default server name. Just edit the file /etc/httpd/conf.d/ssl.conf and replace

#ServerName www.example.com:443

with

ServerName localhost:443

Restart Apache and try again.

Cheers,
sahsanu
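A quick check for the symptom in this thread, added here and not part of the original posts: it asks the server for the certificate it hands out when the TLS client names a given host via SNI, then verifies that the host appears in the certificate's SAN list (the failure above was a cert for xxxx.members.linode.com being served for exwebsite.com). It assumes openssl is installed; host, port and names are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the thread. Verifies that the certificate Apache
# serves for each SNI name actually covers that name.

# san_covers NAME SAN_LINE
# SAN_LINE is the text printed by "openssl x509 -noout -ext subjectAltName",
# e.g. "DNS:exwebsite.com, DNS:www.exwebsite.com". Returns 0 when NAME is
# listed directly or matched by a single-label wildcard (*.exwebsite.com).
san_covers() {
    name=$1
    sans=$2
    for entry in $(printf '%s' "$sans" | tr ',' ' '); do
        case $entry in
            DNS:*) ;;
            *) continue ;;   # ignore IP:, email: and other SAN types
        esac
        dns=${entry#DNS:}
        [ "$dns" = "$name" ] && return 0
        case $dns in
            \*.*)
                # a wildcard replaces exactly one leftmost label
                suffix=${dns#\*.}
                if [ "${name%%.*}" != "$name" ] && [ "${name#*.}" = "$suffix" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# served_sans HOST PORT NAME: print the SAN line of the cert returned for NAME.
served_sans() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null \
        | sed -n '2s/^ *//p'
}

# check_name HOST PORT NAME: report OK/FAIL for one SNI name.
check_name() {
    sans=$(served_sans "$1" "$2" "$3")
    if san_covers "$3" "$sans"; then
        printf 'OK   %s  served SAN: %s\n' "$3" "$sans"; return 0
    fi
    printf 'FAIL %s  served SAN: %s\n' "$3" "${sans:-<none>}"; return 1
}

# Usage: sh check-san.sh exwebsite.com 443 exwebsite.com www.exwebsite.com
if [ "$#" -ge 3 ]; then
    host=$1; port=$2; shift 2; rc=0
    for n in "$@"; do check_name "$host" "$port" "$n" || rc=1; done
    exit $rc
fi
```

A FAIL for the bare name while www passes is exactly the symptom above: the request lands in a different virtual host than the one carrying the Let's Encrypt certificate.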

Thank you very much! That got it going again. Do you have any idea how this happened?


You are welcome. I'm glad your site is working fine :blush:

It seems the hostname of your server is launchnotifyr.com, so Apache knows that as the server name. In ssl.conf there is a default virtual host that doesn't have a ServerName directive defined, so Apache uses the default one, which is launchnotifyr.com. Then it doesn't matter whether you have another conf file, launchnotifyr.com.conf, with it configured, because the ssl.conf file is loaded before yours and so it has precedence.

OK, makes sense. When I changed the hostname a few weeks ago, the change must not have fully propagated through the system, thereby hiding this "feature". Thank you again for the prompt help!
