My domain is: antiochtechnologies.com
My web server is (include version): apache 2.4.18
The operating system my web server runs on is (include version): ubuntu 16.04
I can login to a root shell on my machine (yes or no, or I don’t know): y
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): webmin 1.902
Suddenly having email issues that I've tracked down to certificate issues. When I check antiochtechnologies.com, it checks out fine. But when I check any of the SAN names under that certificate, I get name mismatch issues that point to another domain hosted on that machine. Kinda lost here…
My certificates were all initially, and to this day, obtained via the Webmin implementation.
antiochtechnologies.com and antiochtech.com are intentionally separate. antiochtech.com is a vhost; the other domain is solely for Webmin's purposes, as per their recommendation. This is how it has been set up, and has worked flawlessly, for years.
Now I can't say that I've ever bothered to look up mail.antiochtechnologies.com's certificate, but it seems odd that it comes back with a totally different domain. I should also note that after the recent trouble began, and before I posted here, it returned another domain for a disused vhost instead. After deleting that disused vhost, it switched to antiochtech.com. I should also note that the now eliminated disused vhost's domain came, alphabetically, just before antiochtech.com.
I'm not familiar with Webmin; personally, I use cPanel and Plesk.
I think it happens because Webmin only binds one hostname now, which is antiochtechnologies.com, and does not cover the www version. However, I can't find a working solution to resolve this by only searching on the internet...
But talking about the www version of your domain, you actually might see that the certificate issued for this domain does not include the www version (it includes mail and other subdomains). I guess that's why it falls back to the tech.com one.
So maybe the better solution is:
Issue a certificate yourself (from the Let's Encrypt plugin) and include all subdomains on this certificate (crt.sh | 1410490748) plus the www version.
Using this tutorial, Securing Webmin - Webmin Documentation, bind the issued certificate to your server certificate. (The tutorial might be a little bit outdated; hope it will help.)
If this doesn't work (it really might not work)…
You might need to add your domain as a virtual host on the server and add https for that whole virtual host.
(You could also try asking this question on the Webmin community.)
Is the issue on line 4, where the vhost is listed as the default server for port 443, instead of antiochtechnologies.com?
[Mon Apr 29 22:37:47.366085 2019] [so:warn] [pid 10142] AH01574: module dav_module is already loaded, skipping
VirtualHost configuration:
216.235.107.56:443 is a NameVirtualHost
default server antiochtech.com (/etc/apache2/sites-enabled/antiochtech.com.conf:55)
port 443 namevhost antiochtech.com (/etc/apache2/sites-enabled/antiochtech.com.conf:55)
alias www.antiochtech.com
alias autoconfig.antiochtech.com
alias autodiscover.antiochtech.com
port 443 namevhost antiochtechnologies.com (/etc/apache2/sites-enabled/antiochtechnologies.com.conf:1)
port 443 namevhost vhostdomain1.tld (/etc/apache2/sites-enabled/vhostdomain1.tld.conf:62)
alias www.vhostdomain1.tld
alias webmail.vhostdomain1.tld
alias admin.vhostdomain1.tld
alias autoconfig.vhostdomain1.tld
alias autodiscover.vhostdomain1.tld
port 443 namevhost vhostdomain2.tld (/etc/apache2/sites-enabled/vhostdomain2.tld.conf:62)
alias www.vhostdomain2.tld
alias webmail.vhostdomain2.tld
alias admin.vhostdomain2.tld
alias autoconfig.vhostdomain2.tld
alias autodiscover.vhostdomain2.tld
*:80 is a NameVirtualHost
default server antiochtechnologies.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost antiochtechnologies.com (/etc/apache2/sites-enabled/000-default.conf:1)
port 80 namevhost antiochtech.com (/etc/apache2/sites-enabled/antiochtech.com.conf:1)
alias www.antiochtech.com
alias autoconfig.antiochtech.com
alias autodiscover.antiochtech.com
port 80 namevhost vhostdomain1.tld (/etc/apache2/sites-enabled/vhostdomain1.tld.conf:1)
alias www.vhostdomain1.tld
alias webmail.vhostdomain1.tld
alias admin.vhostdomain1.tld
alias autoconfig.vhostdomain1.tld
alias autodiscover.vhostdomain1.tld
port 80 namevhost vhostdomain2.tld (/etc/apache2/sites-enabled/vhostdomain2.tld.conf:1)
alias www.vhostdomain2.tld
alias webmail.vhostdomain2.tld
alias admin.vhostdomain2.tld
alias autoconfig.vhostdomain2.tld
alias autodiscover.vhostdomain2.tld
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/lock/apache2" mechanism=fcntl
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33
It's always bad to have two or more vHosts with the same combination of port and ServerName.
You can define a ServerName like "localhost" as the ServerName of your default host.
If your definitions are not clear, the default vHost is used -> then a domain gets the wrong certificate (the certificate of the default vHost), and sometimes wrong redirects (the "default redirects").
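The selection rule described in this reply, worked through on the `apache2ctl -S` listing posted above. This is an added example, not code from the thread, from Apache or from Webmin: it parses the DUMP_VHOSTS output format and applies Apache's name-based matching (first vhost whose ServerName or ServerAlias matches the SNI name wins; otherwise the first vhost defined for that IP:port, the "default server", answers with its own certificate). Because `sites-enabled/*.conf` is included in alphabetical order, that default is the alphabetically first config file, which is what the original poster observed. The sample dump is a trimmed copy of the listing above; the function names are mine.

```python
"""Which Apache vhost (and therefore which certificate) answers a given SNI name?

Added example, not code from the thread, Apache or Webmin.  Parses the
`apache2ctl -S` (DUMP_VHOSTS) output format and applies Apache's name-based
selection rule: first ServerName/ServerAlias match wins, otherwise the first
vhost defined for that IP:port (the "default server") answers.
"""
import fnmatch
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the :443 section of the dump posted above, trimmed.
SAMPLE_DUMP = """\
VirtualHost configuration:
216.235.107.56:443     is a NameVirtualHost
         default server antiochtech.com (/etc/apache2/sites-enabled/antiochtech.com.conf:55)
         port 443 namevhost antiochtech.com (/etc/apache2/sites-enabled/antiochtech.com.conf:55)
                 alias www.antiochtech.com
                 alias autoconfig.antiochtech.com
                 alias autodiscover.antiochtech.com
         port 443 namevhost antiochtechnologies.com (/etc/apache2/sites-enabled/antiochtechnologies.com.conf:1)
         port 443 namevhost vhostdomain1.tld (/etc/apache2/sites-enabled/vhostdomain1.tld.conf:62)
                 alias www.vhostdomain1.tld
                 alias webmail.vhostdomain1.tld
"""


@dataclass
class VHost:
    server_name: str
    config: str                       # file:line where the vhost is defined
    aliases: List[str] = field(default_factory=list)


@dataclass
class Listener:
    address: str                      # "ip:port" or "*:port"
    default: Optional[str] = None     # ServerName of the default server
    vhosts: List[VHost] = field(default_factory=list)


_LISTENER = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
_DEFAULT = re.compile(r"^\s*default server (\S+) \((.+)\)")
_NAMEVHOST = re.compile(r"^\s*port \d+ namevhost (\S+) \((.+)\)")
_ALIAS = re.compile(r"^\s*alias (\S+)")


def parse_dump(text: str) -> Dict[str, Listener]:
    """Parse DUMP_VHOSTS output into listeners keyed by "ip:port"."""
    listeners: Dict[str, Listener] = {}
    current: Optional[Listener] = None
    for line in text.splitlines():
        if m := _LISTENER.match(line):
            current = listeners.setdefault(m.group(1), Listener(m.group(1)))
        elif current is None:
            continue
        elif m := _DEFAULT.match(line):
            current.default = m.group(1)
        elif m := _NAMEVHOST.match(line):
            current.vhosts.append(VHost(m.group(1), m.group(2)))
        elif (m := _ALIAS.match(line)) and current.vhosts:
            current.vhosts[-1].aliases.append(m.group(1))
    return listeners


def select_vhost(listeners: Dict[str, Listener], address: str,
                 sni_name: str) -> Tuple[VHost, bool]:
    """Return (vhost, fell_back_to_default) for a TLS connection to `address`
    carrying SNI `sni_name`, following Apache's name-based matching."""
    lst = listeners[address]
    name = sni_name.lower().rstrip(".")
    for vh in lst.vhosts:
        # ServerName is compared literally; ServerAlias may use shell wildcards.
        if vh.server_name.lower() == name or any(
                fnmatch.fnmatchcase(name, alias.lower()) for alias in vh.aliases):
            return vh, False
    # No match: Apache answers with the default server for this IP:port.  The
    # client then validates *that* vhost's certificate against the name it
    # asked for, which is the "name mismatch" seen in the thread.
    for vh in lst.vhosts:
        if vh.server_name == lst.default:
            return vh, True
    return lst.vhosts[0], True


def explain(listeners: Dict[str, Listener], address: str, sni_name: str) -> str:
    vh, fell_back = select_vhost(listeners, address, sni_name)
    how = "DEFAULT SERVER (no ServerName/ServerAlias matched)" if fell_back else "name match"
    return f"{sni_name} -> {vh.server_name} [{how}] defined at {vh.config}"


if __name__ == "__main__":
    vhosts = parse_dump(SAMPLE_DUMP)
    for name in ("antiochtechnologies.com", "mail.antiochtechnologies.com",
                 "www.antiochtechnologies.com", "WWW.vhostdomain1.tld"):
        print(explain(vhosts, "216.235.107.56:443", name))
```

Running it shows `mail.antiochtechnologies.com` and `www.antiochtechnologies.com` landing on `antiochtech.com` via the default server, because the `antiochtechnologies.com` vhost on :443 has no ServerAlias for them. Note that this only describes Apache on port 443; an IMAP client on 993/143 talks to Dovecot, which presents whatever its own `ssl_cert` points at, so the check that matters for the mail symptom is against that listener, e.g. `openssl s_client -servername mail.antiochtechnologies.com -connect 216.235.107.56:993 </dev/null | openssl x509 -noout -text`, and comparing the Subject Alternative Name list with the name the phone was configured with.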
Before I go ripping things apart that have worked for years, I'd just like to make sure that we're all on the same page here. You're saying that changing my Apache configuration will address issues I'm having with select email clients being able to retrieve their messages via IMAP?
Your https://www.antiochtechnologies.com/ has the wrong certificate. So if a user uses this domain with mail, the same wrong certificate may be sent. If a configuration is buggy, this configuration may have some other bugs I don't know and don't see. So things should work - but the system crashes.
That's what this whole topic is about - mail issues. There are no websites for any variation of antiochtechnologies.com on ports 80 or 443. The only site hosted on that domain is Webmin's built-in server. The issue is that quite suddenly select mail clients are getting a name mismatch error with whatever vhost comes first alphabetically.
Attempting to set up the mail account for a test user on my handset produces the following in mail.log after turning on verbose SSL logging in Dovecot:
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x10, ret=1: before/accept initialization [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: before/accept initialization [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: message repeated 6 times: [ imap-login: Debug: SSL: where=0x2001, ret=1: unknown state [166.175.186.245]]
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: unknown state [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Warning: SSL failed: where=0x2002: unknown state [166.175.186.245]
May 3 13:00:26 lamp1 dovecot: imap-login: Error: SSL: Stacked error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
May 3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL error: SSL_accept() failed: Unknown error
May 3 13:00:26 lamp1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=166.175.186.245, lip=216.235.107.56, TLS handshaking: SSL_accept() failed: Unknown error, session=<NOl8hv+HC2Smr7r1>
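Decoding the `where=` and `ret=` numbers in the Dovecot log above. This is an added example, not code from the thread, from Dovecot or from OpenSSL: with `verbose_ssl = yes` Dovecot prints the raw arguments of OpenSSL's info callback, where `where` is a bitmask (`SSL_CB_ALERT` 0x4000 combined with `SSL_CB_READ` 0x04 for an alert received from the peer, or `SSL_CB_WRITE` 0x08 for one Dovecot sent) and, for alert callbacks, `ret` packs the alert level in the high byte and the TLS AlertDescription in the low byte. So `where=0x4004, ret=558` decodes to: alert read from the client, level 2 (fatal), description 46 (`certificate_unknown`), i.e. the handset rejected the certificate Dovecot presented. The sample lines are constructed after the mail.log excerpt above; the second client IP and the function names are mine.

```python
"""Decode the OpenSSL alert values in Dovecot's verbose SSL log.

Added example, not code from the thread, Dovecot or OpenSSL.  `where` is the
info-callback bitmask and, for alert callbacks, `ret` is (level << 8) | desc.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

SSL_CB_READ, SSL_CB_WRITE, SSL_CB_ALERT = 0x04, 0x08, 0x4000

# TLS AlertDescription values (RFC 5246 section 7.2.2; 112 from RFC 6066).
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
    48: "unknown_ca", 49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 86: "inappropriate_fallback", 90: "user_canceled",
    100: "no_renegotiation", 110: "unsupported_extension",
    111: "certificate_unobtainable", 112: "unrecognized_name",
    113: "bad_certificate_status_response", 114: "bad_certificate_hash_value",
    115: "unknown_psk_identity",
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Alerts a TLS client sends when it has rejected the server's certificate.
CERTIFICATE_REJECTION_ALERTS = {42, 43, 44, 45, 46, 48}

# Constructed sample, modelled on the thread's mail.log lines (second IP added).
SAMPLE_LOG = """\
May  3 13:00:26 lamp1 dovecot: imap-login: Debug: SSL: where=0x2002, ret=-1: SSLv2/v3 read client hello A [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Warning: SSL alert: where=0x4004, ret=558: fatal certificate unknown [166.175.186.245]
May  3 13:00:26 lamp1 dovecot: imap-login: Error: SSL: Stacked error: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown: SSL alert number 46
May  3 13:00:26 lamp1 dovecot: imap-login: Disconnected (no auth attempts in 0 secs): user=<>, rip=166.175.186.245, lip=216.235.107.56, TLS handshaking: SSL_accept() failed: Unknown error, session=<NOl8hv+HC2Smr7r1>
May  3 13:01:02 lamp1 dovecot: imap-login: Warning: SSL alert: where=0x4008, ret=552: fatal handshake failure [198.51.100.7]
"""

_ALERT_LINE = re.compile(
    r"SSL alert: where=(?P<where>0x[0-9a-fA-F]+), ret=(?P<ret>\d+): "
    r"(?P<text>.*?) \[(?P<rip>[\d.:a-fA-F]+)\]$")


def decode_alert(where: int, ret: int) -> Optional[Dict[str, object]]:
    """Turn OpenSSL info-callback (where, ret) into a readable TLS alert."""
    if not where & SSL_CB_ALERT:
        return None                       # not an alert callback (e.g. 0x2002 is the accept loop)
    if where & SSL_CB_READ:
        direction = "received from peer"  # the *client* raised this alert
    elif where & SSL_CB_WRITE:
        direction = "sent to peer"        # our side (Dovecot) raised it
    else:
        direction = "unknown"
    level, code = ret >> 8, ret & 0xFF
    return {
        "direction": direction,
        "level": ALERT_LEVELS.get(level, f"level{level}"),
        "code": code,
        "description": ALERT_DESCRIPTIONS.get(code, f"unknown({code})"),
    }


def triage(log_text: str) -> Dict[str, List[Dict[str, object]]]:
    """Collect decoded alerts per remote IP from verbose Dovecot SSL logging."""
    alerts: Dict[str, List[Dict[str, object]]] = defaultdict(list)
    for line in log_text.splitlines():
        m = _ALERT_LINE.search(line)
        if not m:
            continue
        decoded = decode_alert(int(m["where"], 16), int(m["ret"]))
        if decoded:
            alerts[m["rip"]].append(decoded)
    return dict(alerts)


def client_rejected_certificate(alert: Dict[str, object]) -> bool:
    """True when the peer (not Dovecot) refused the certificate we presented,
    so the next check is which certificate Dovecot actually serves for that name."""
    return (alert["direction"] == "received from peer"
            and alert["code"] in CERTIFICATE_REJECTION_ALERTS)


if __name__ == "__main__":
    for rip, events in triage(SAMPLE_LOG).items():
        for a in events:
            verdict = "client rejected our certificate" if client_rejected_certificate(a) else "other"
            print(f"{rip}: {a['level']} {a['description']} ({a['code']}) "
                  f"{a['direction']} -> {verdict}")
```

The direction bit is the useful part for triage: 0x4004 has `SSL_CB_READ` set, so the alert came from the phone and Dovecot's own settings did not refuse anything; `certificate_unknown` is the alert many mobile clients send for any certificate validation failure, a name mismatch included. The server-side fact to establish next is therefore the certificate Dovecot presents on that listener, not what Apache serves on 443.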