My domain is: www.surfingdirt.com
I ran this command:
certbot certonly --agree-tos --email something@gmail.com --webroot -w /var/lib/letsencrypt/ --cert-name surfingdirt -d api.surfingdirt.com -d beta-api.surfingdirt.com […] -d surfingdirt.com -d www.surfingdirt.com
I also ran this (and similar commands for other domains):
sudo certbot certonly --agree-tos --email something@gmail.com --webroot -w /var/lib/letsencrypt/ --cert-name drawmeakicker -d www.drawmeakicker.com -d drawmeakicker.com
My web server is: nginx/1.15.5 on Ubuntu 18.04
The version of my client is: certbot 0.27.0
My problem is the following:
- some of my users are reporting their browser refusing to connect (on Android: ERR_CONNECTION_RESET for example, but similar things happen on iOS)
- I ran Hardenize and it reported a problem: the domain name does not match the subject in the certificate (see https://www.hardenize.com/report/surfingdirt.com/1585242809#www_certs). It “sees” that the certificate’s subject is drawmeakicker.com (which I also own and manage)
Indeed, on my Mac, the following openssl (1.0.2k) command reports a “link” to drawmeakicker:
openssl s_client -connect www.surfingdirt.com:443 -prexit
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.drawmeakicker.com
verify return:1
Certificate chain
Server certificate
0 s:/CN=www.drawmeakicker.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=/CN=www.drawmeakicker.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
However, the same command on some of my other machines does not indicate a problem (openssl 1.1.1) since it reports api.surfingdirt.com instead of drawmeakicker.com:
CONNECTED(00000005)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = api.surfingdirt.com
verify return:1
Certificate chain
Server certificate
0 s:CN = api.surfingdirt.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
-----BEGIN CERTIFICATE-----
…
-----END CERTIFICATE-----
subject=CN = api.surfingdirt.com
So I’m super confused. I don’t see why the certificate for drawmeakicker.com has anything to do with that of surfingdirt.com.
I feel like there is some kind of concept I’m missing here. Are the certbot commands I ran OK?
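The difference between the two openssl outputs above is SNI: openssl 1.0.2 s_client does not send the Server Name Indication extension unless given -servername, so nginx answers with the certificate of its default server block, while openssl 1.1.1 sends it by default and gets the matching vhost. The script below is an added example (not part of the original post or of certbot): it fetches the leaf certificate both with and without SNI and checks, the way a browser does, whether the subjectAltName covers the requested hostname; hostnames and SAN lists in the constructed sample data are taken from the outputs above, and the hostname-matching rules are my own implementation of the usual RFC 6125 behaviour.

```python
"""Compare the certificate a server presents with and without SNI."""
import socket
import ssl


def san_dns_names(cert):
    """DNS names from the subjectAltName of a getpeercert() dict."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a wildcard only in the leftmost label."""
    hostname, pattern = hostname.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return hostname == pattern
    h_labels, p_labels = hostname.split("."), pattern.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def cert_covers(hostname, cert):
    """True if any SAN DNS entry covers hostname (browsers ignore the CN)."""
    return any(name_matches(hostname, n) for n in san_dns_names(cert))


def fetch_cert(host, port=443, sni=True, timeout=10):
    """Leaf cert as a dict; sni=False mimics openssl 1.0.2 s_client without -servername."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; the name check is done by cert_covers
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if sni else None) as tls:
            return tls.getpeercert()


def summarize(host, with_sni, without_sni):
    """Report whether the SNI vhost and the default vhost each present a cert valid for host."""
    return {"sni_ok": cert_covers(host, with_sni),
            "default_vhost_ok": cert_covers(host, without_sni),
            "sni_sans": san_dns_names(with_sni),
            "default_sans": san_dns_names(without_sni)}


def diagnose(host, port=443):
    """Live check (needs network): compare the cert served with SNI against the default one."""
    return summarize(host, fetch_cert(host, port, True), fetch_cert(host, port, False))


# Constructed sample certs in getpeercert() shape, modelled on the two openssl outputs above.
SAMPLE_DEFAULT = {"subject": ((("commonName", "www.drawmeakicker.com"),),),
                  "subjectAltName": (("DNS", "www.drawmeakicker.com"), ("DNS", "drawmeakicker.com"))}
SAMPLE_SNI = {"subject": ((("commonName", "api.surfingdirt.com"),),),
              "subjectAltName": (("DNS", "api.surfingdirt.com"), ("DNS", "www.surfingdirt.com"),
                                 ("DNS", "surfingdirt.com"))}

if __name__ == "__main__":
    print(summarize("www.surfingdirt.com", SAMPLE_SNI, SAMPLE_DEFAULT))  # offline, sample data
```

Run `diagnose("www.surfingdirt.com")` against the live server: if `sni_ok` is True but `default_vhost_ok` is False, clients that do not send SNI are being handed the drawmeakicker certificate by nginx's default server block, not a certbot problem.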