Mismatch error with domains


#1

Hello there! I’m having an issue with the certificate for my domains; somehow it works only sometimes and sometimes it doesn’t. I’m running 3 different domains and each one has its own VirtualHost file (80 and 443).

My domain is: intranet.lsgob.us (other domains are lsgob.us and roozgames.com)

I ran this command: certbot --apache

It produced this output:

root@vps202138:/etc/apache2# ls
apache2.conf  conf-available  conf-enabled  envvars  magic  mods-available  mods-enabled  
ports.conf  sites-available  sites-enabled
root@vps202138:/etc/apache2# cd sites-available/
root@vps202138:/etc/apache2/sites-available# ls
000-default.conf        intranet.lsgob.us-le-ssl.conf  lsgob.us-le-ssl.conf  roozgames.com-le-ssl.conf
intranet.lsgob.us.conf  lsgob.us.conf                  roozgames.com.conf     
yagpdb.roozgames.com.conf
root@vps202138:/etc/apache2/sites-available# nano intranet.lsgob.us-le-ssl.conf
root@vps202138:/etc/apache2/sites-available# nano lsgob.us.conf
root@vps202138:/etc/apache2/sites-available# certbot -.apache
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: -.apache
root@vps202138:/etc/apache2/sites-available# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: lsgob.us
2: intranet.lsgob.us
3: roozgames.com
4: yagpdb.roozgames.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you         
requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/intranet.lsgob.us.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/intranet.lsgob.us-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Enhancement redirect was already set.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Congratulations! You have successfully enabled https://intranet.lsgob.us

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=intranet.lsgob.us
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
Your cert will expire on 2018-12-19. To obtain a new or tweaked
version of this certificate in the future, simply run certbot again
with the "certonly" option. To non-interactively renew *all* of
your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
Donating to EFF:                    https://eff.org/donate-le

root@vps202138:/etc/apache2/sites-available#

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04 Xenial

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

I have restarted my apache2 service and I’m getting the certificate mismatch error (it says that there’s one for lsgob.us) and it’s also redirecting me to that folder; as you can see in this image, the files are from the lsgob domain and not intranet.lsgob.us http://prntscr.com/kwo0ii http://prntscr.com/kwo1o2


#3

Hi,

Did you happen to resolve that issue?

Since it’s working correctly now.

Thank you


#4

I didn’t. I did sudo service apache2 restart and it stopped working, and then I did service apache2 reload and it works, but other pages like lsgob.us don’t.


#5

Hi @arkerooz

the certificate is ok (old, created 20 July 2018, but correct).

[Edit]: Ok, the site is “temporarily unavailable”, so the content may be created by your hoster. Then you can’t fix these warnings. But what does not work?


But there are a lot of mixed content warnings, you should fix them.

Use Chrome or FireFox, then CTRL + Shift + I, that opens the console.

There you see a lot of blocked files (css and other).

http://www.ipage.com/xslt/elements/generic_csscomponent.css
http://www.ipage.com/generalAppC/scriptcat/87ae207201c55b84c5270851159260e1.1

Change all these links from http to https.


#6

It works, but sometimes the certificate just disappears. I mean, when I join it doesn’t show me the SSL certificate; instead it shows me a Chrome error about the mismatch. I’m not really sure why it doesn’t work sometimes. Any idea?


#7

I see a page with a “This site is temporarily unavailable” warning. A lot of content is blocked, so the design is missing.

But your hoster creates this page, so it is irrelevant.

Did you deactivate your page?

It may be

  • only a cache problem
  • your site loads different content, sometimes mixed content -> warnings

The certificate is correct, a wildcard certificate:

DNS-Name: *.lsgob.us
DNS-Name: lsgob.us

#8

I don’t see that. I do see lsgob.us on intranet.lsgob.us (I don’t know why). I haven’t deactivated it, and it can’t be a cache problem because it worked yesterday. Any idea?


#9

Now I see a correct page under

https://lsgob.us/ with a Letsencrypt certificate created 8 September 2018.

And two links, but those have wrong certificates.

https://www.pd.lsgob.us/

https://www.intranet.lsgob.us/

both only with lsgob.us as certificate. So you have two options:

Create a certificate with the -d option and 3 or 5 names

lsgob.us pd.lsgob.us www.pd.lsgob.us intranet.lsgob.us www.intranet.lsgob.us

Or remove the www in these links and create (again) a wildcard certificate

lsgob.us *.lsgob.us

and use that.


#10

Which option would you recommend and how do I do it? Btw. Thanks for answering


#11

Hi

Could you please run sudo certbot certificates and share us the result?

In the current case, you’ll need to configure TLS for each of the HTTP virtual hosts.

You could either ask certbot to install for you, or install it by yourself…

Also, you are sharing the sites-available folder with us…
What we really want to know is the sites-enabled folder… What does it contain?

Thank you


#12

This is what I got running that command.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Renewal configuration file /etc/letsencrypt/renewal/www.intranet.lsgob.us.conf produced an unexpected error: expected /etc/letsencrypt/live/www.intranet.lsgob.us/cert.pem to be a symlink. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: www.lsgob.us
    Domains: www.lsgob.us
    Expiry Date: 2018-12-06 18:32:24+00:00 (VALID: 75 days)
    Certificate Path: /etc/letsencrypt/live/www.lsgob.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.lsgob.us/privkey.pem
  Certificate Name: lsgob.us
    Domains: lsgob.us
    Expiry Date: 2018-12-07 00:46:00+00:00 (VALID: 76 days)
    Certificate Path: /etc/letsencrypt/live/lsgob.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/lsgob.us/privkey.pem
  Certificate Name: intranet.lsgob.us
    Domains: intranet.lsgob.us
    Expiry Date: 2018-12-19 02:19:04+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
  Certificate Name: roozgames.com
    Domains: roozgames.com
    Expiry Date: 2018-12-07 02:01:28+00:00 (VALID: 76 days)
    Certificate Path: /etc/letsencrypt/live/roozgames.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/roozgames.com/privkey.pem

The following renewal configuration files were invalid:
  /etc/letsencrypt/renewal/www.intranet.lsgob.us.conf

This is what I have on sites-enabled http://prntscr.com/kx6vq7 -

:80 file

<VirtualHost *:80>
        ServerName intranet.lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/intranet
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =intranet.lsgob.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

:443 file

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerName intranet.lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/intranet
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
</VirtualHost>
</IfModule>

#13

Hi,

Just wondering… Why are IfModule mod_ssl.c and /IfModule wrapping the virtual host 443 config for the intranet domain?

Could you try to remove it and restart Apache?

Thank you


#14

Do you mean removing it and leaving it like this?

<VirtualHost *:443>
        ServerName intranet.lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/intranet
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
</VirtualHost>

#15

Yes…

If I’m correct, mod_ssl.c should not wrap a virtual host file… (Which might be the reason the virtual host is not working?)

(Please back up the file before trying this)

Thank you


#16

Nope, not working. This is how my files look now.

<VirtualHost *:80>
        ServerName intranet.lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/intranet
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =intranet.lsgob.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

<VirtualHost *:443>
        ServerName intranet.lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/intranet
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/intranet.lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/intranet.lsgob.us/privkey.pem
</VirtualHost>

<VirtualHost *:80>
        ServerName lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/lsgob
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
RewriteEngine on
RewriteCond %{SERVER_NAME} =lsgob.us
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

<VirtualHost lsgob.us:443>
        ServerName lsgob.us

        ServerAdmin ayuda@roozgames.com
        DocumentRoot /var/www/lsgob
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/lsgob.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/lsgob.us/privkey.pem
</VirtualHost>

#17

You can use only one wildcard certificate. Sometimes, this is ok. But then www.pd.lsgob.us would not work.

So if you want to use all www - domains, you should create three certificates with two names (www + non-www). Or one certificate with six domain names.

My own service uses a wildcard certificate; every customer has a subdomain, so I don’t need certificates per customer. But www.subdomain.mydomain.de doesn’t work. Some customers are hidden; I don’t want to create certificates that can be found via Certificate Transparency.

For your service, this isn’t a problem. So if people add www, they should see the correct domain.
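
An added check, not code from this thread or from certbot: it parses the :443 VirtualHost blocks from a config and the lineages from a “certbot certificates” listing, reports every ServerName or ServerAlias the block’s certificate does not cover (a wildcard matches exactly one label, which is why www.pd.lsgob.us is not covered by *.lsgob.us, as #17 says), and flags the mix of “lsgob.us:443” and “*:443” address specs visible in #16. The samples are constructed; the pd.lsgob.us block and the “wildcard” lineage are assumptions, not files from the server.

```python
import re
# Constructed sample: the lsgob.us:443 block from #16 plus a hypothetical pd.lsgob.us
# block (with a www alias) on a hypothetical wildcard lineage, the case raised in #17.
VHOSTS = """
<VirtualHost lsgob.us:443>
    ServerName lsgob.us
    SSLCertificateFile /etc/letsencrypt/live/lsgob.us/fullchain.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName pd.lsgob.us
    ServerAlias www.pd.lsgob.us
    SSLCertificateFile /etc/letsencrypt/live/wildcard/fullchain.pem
</VirtualHost>
"""
# Constructed excerpt in the layout of 'certbot certificates' (#12); only the
# lines the parser reads are kept.
CERTS = """
    Domains: lsgob.us
    Certificate Path: /etc/letsencrypt/live/lsgob.us/fullchain.pem
    Domains: lsgob.us *.lsgob.us
    Certificate Path: /etc/letsencrypt/live/wildcard/fullchain.pem
"""

def parse_certs(text):
    """Map each lineage's fullchain path to the names its certificate covers."""
    out, names = {}, []
    for line in text.splitlines():
        key, _, val = line.strip().partition(": ")
        if key == "Domains":
            names = val.split()
        elif key == "Certificate Path":
            out[val] = names
    return out

def covers(name, san):
    """Exact SAN match, or a '*.x' entry covering exactly one extra label."""
    return name in san or "*." + name.partition(".")[2] in san

def check(vhosts_text, certs_text):
    certs, problems, specs = parse_certs(certs_text), [], set()
    for addr, body in re.findall(r"<VirtualHost\s+(\S+?):443>(.*?)</VirtualHost>", vhosts_text, re.S):
        specs.add(addr)
        names = re.findall(r"^\s*Server(?:Name|Alias)\s+(.+?)\s*$", body, re.M)
        cert = re.search(r"^\s*SSLCertificateFile\s+(\S+)", body, re.M)
        san = certs.get(cert.group(1), []) if cert else []
        problems += ["%s not in %s" % (n, san or "<no cert>") for line in names for n in line.split() if not covers(n, san)]
    # Name-based matching happens only among vhosts sharing an address spec, so a
    # 'host:443' block beats every '*:443' block on that IP whatever their ServerName.
    if len(specs) > 1:
        problems.append("mixed :443 address specs: %s" % sorted(specs))
    return problems
```

Run check(VHOSTS, CERTS) to get the list of findings; an empty list means every :443 name is covered and all blocks share one address spec.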


#18

So basically I have to create two virtualhost files for each domain? (one with www. and one without) and then create a certificate for each virtualhost file?


#19

You can create one vHost with two server names. You can also create one vHost with the 6 domain names.

But: One vHost -> one certificate. Or: 6 vHosts -> using the same certificate. But one vHost cannot use two certificates.

The first question is about your website: Do you use one content management system or three? Are the files static so you need three different webroots?


#20

Yes, they are static, so I’m using 3 different folders. pd.lsgob.us has its own folder, intranet its own and lsgob.us its own too.


#21

BUMP POST. Any idea? somebody?