Multiple domains: mixed certificates?

crystaldea · October 11, 2018, 9:50am

There’re multiple websites on the Ubuntu server:
https://www.crystalidea.com
https://crystalbit.be
…

On some computers I have ERR_CERT_AUTHORITY_INVALID for https://crystalbit.be, and the browser says
that the certificate is from crystalidea! How can this be true?

server {
  
  listen 443 ssl http2;
  ssl_certificate /etc/letsencrypt/live/crystalbit.be/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/crystalbit.be/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/crystalbit.be/fullchain.pem;

openssl s_client -showcerts -connect crystalbit.be:443
gives:

Server certificate
subject=/CN=crystalidea.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Why is that? Thank you. Something is definitely wrong.

rg305 · October 11, 2018, 10:01am

Probably do to adding or removing the “www” for each of the domains served.
Check your virtual host files and certs to ensure you include the “www” with each domain and cert.

JuergenAuer · October 11, 2018, 10:12am

Hi @crystaldea

checking this domain all is fine:

The certificate has two names - www and non-www. Same with crystalidea.com.

Both domains have the same ip address. So a modified hosts file (C:\windows\system32\drivers\etc\hosts) isn't the problem.

Looks like a caching problem.

Test it with another browser.

PS

please share a screenshot. Perhaps the intermediate certificate is missing / not installed.

Oh - no, there is a problem. Checked with Ssllabs:

https://www.ssllabs.com/ssltest/analyze.html?d=crystalbit.be&hideResults=on

Your ipv6 - configuration sends the wrong certificate, your ipv4 - configuration is correct.

So check your ipv6. Perhaps you have only a standard website with the wrong certificate.

ipv6 sends the certificate

|Alternative names |crystalidea.com dev.crystalidea.com forums.crystalidea.com www.crystalidea.com MISMATCH|

crystaldea · October 11, 2018, 10:19am

Ni, @JuergenAuer, thanks a lot for your response and research!

Every website I have is configured in nginx for ipv6 via
server {
listen 80;
listen [::]:80;

Not sure what I should do here.

rg305 · October 11, 2018, 10:20am

What about?:
listen 443;
listen [::]:443;

grep -Eri 'listen|443' /etc/nginx/

crystaldea · October 11, 2018, 10:25am

Perfect! thanks a lot guys!

JuergenAuer · October 11, 2018, 10:27am

Your port 80 doesn't use certificates

system · November 14, 2018, 9:08am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.