Multiple domains: mixed certificates?


#1

There’re multiple websites on the Ubuntu server:
https://www.crystalidea.com
https://crystalbit.be

On some computers I have ERR_CERT_AUTHORITY_INVALID for https://crystalbit.be, and the browser says
that the certificate is from crystalidea! How can this be true?

server {
  listen 443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/crystalbit.be/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/crystalbit.be/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/crystalbit.be/fullchain.pem;
  # ... (rest of the block not shown)
}

openssl s_client -showcerts -connect crystalbit.be:443
gives:

Server certificate
subject=/CN=crystalidea.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Why is that? Thank you. Something is definitely wrong.


#2

Probably due to adding or removing the “www” for each of the domains served.
Check your virtual host files and certs to ensure you include the “www” with each domain and cert.


#3

Hi @crystaldea

Checking this domain, all is fine.

The certificate has two names - www and non-www. Same with crystalidea.com.

Both domains have the same ip address. So a modified hosts file (C:\windows\system32\drivers\etc\hosts) isn’t the problem.

Looks like a caching problem.

Test it with another browser.

PS

Please share a screenshot. Perhaps the intermediate certificate is missing / not installed.

Oh, no, there is a problem. Checked with SSL Labs:

https://www.ssllabs.com/ssltest/analyze.html?d=crystalbit.be&hideResults=on

Your IPv6 configuration sends the wrong certificate; your IPv4 configuration is correct.

So check your IPv6. Perhaps you have only a standard website with the wrong certificate.

IPv6 sends the certificate with:

|Alternative names |crystalidea.com dev.crystalidea.com forums.crystalidea.com www.crystalidea.com MISMATCH|


#4

Hi, @JuergenAuer, thanks a lot for your response and research!

Every website I have is configured in nginx for IPv6 via
server {
  listen 80;
  listen [::]:80;
  # ... (rest of the block not shown)
}

Not sure what I should do here.


#5

What about:
listen 443;
listen [::]:443;

grep -Eri 'listen|443' /etc/nginx/
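The mechanism behind posts #3 and #5, as an added example that is not from the thread: when a server block has `listen 443 ssl` but no `listen [::]:443 ssl`, an IPv6 client's TLS handshake can only be answered by some other block that does listen on `[::]:443`, so nginx picks that block's certificate regardless of SNI. This hypothetical Python checker parses a constructed nginx config in the shape of the one discussed, lists names that lack an IPv6 TLS listener, and shows which block (and therefore which certificate) answers a given name over each address family.

```python
import re

SAMPLE_CONF = """
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name crystalidea.com www.crystalidea.com;
}
server {
    listen 443 ssl http2;
    server_name crystalbit.be www.crystalbit.be;
}
"""  # constructed sample mirroring the thread: the crystalbit.be block has no IPv6 TLS listener

def parse_server_blocks(conf):
    """Minimal parser: one dict per server{} block holding its listen and server_name tokens."""
    blocks = []
    for m in re.finditer(r'\bserver\s*\{', conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching closing brace (nested blocks allowed)
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            i += 1
        blk = {'listen': [], 'server_name': []}
        for d in re.finditer(r'^\s*(listen|server_name)\s+([^;]+);', conf[m.end():i - 1], re.M):
            key, val = d.group(1), d.group(2).split()
            blk[key] += [val] if key == 'listen' else val
        blocks.append(blk)
    return blocks

def listener(tokens):
    """Normalise listen tokens to (family, port, tls, default_server); a bare '443' is IPv4 only."""
    addr = tokens[0]
    family = 'ipv6' if addr.startswith('[') else 'ipv4'
    port = int(addr.rsplit(':', 1)[-1]) if ':' in addr else int(addr)
    return family, port, 'ssl' in tokens, 'default_server' in tokens

def serving_block(blocks, family, port, sni):
    """Block that answers a TLS ClientHello for sni on family:port (exact server_name match,
    else default_server, else first block on that listener); wildcard/regex names not modelled."""
    cands = [b for b in blocks if any(listener(t)[:3] == (family, port, True) for t in b['listen'])]
    for b in cands:
        if sni in b['server_name']:
            return b
    return next((b for b in cands if any(listener(t)[3] for t in b['listen'])), cands[0] if cands else None)

def missing_ipv6_tls(blocks):
    """Names whose block has an IPv4 TLS listener but no IPv6 one (the misconfiguration in the thread)."""
    return [n for b in blocks
            if {listener(t)[0] for t in b['listen'] if listener(t)[2]} == {'ipv4'}
            for n in b['server_name']]
```

Run against a real config by feeding it the concatenated output of the `grep`-style search above (or `nginx -T`); a name reported by `missing_ipv6_tls` is one whose IPv6 visitors get another block's certificate.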


#6

Perfect! thanks a lot guys!


#7

Your port 80 doesn’t use certificates :wink:

