NET::ERR_CERT_COMMON_NAME_INVALID - Google Domain/DNS

Disclaimer: I’m new to creating Domains & SSL certs. So any guidance would be greatly appreciated.

I’m just using a Google Domain & SSL cert to create a secure (HTTPS) connection to my Emby Media Server. I’m also using a Reverse Proxy (Caddy V2) to help with managing the cert renewal and redirecting Port 80 traffic to Port 443.

My domain is: jgcmedia.net (created in Google Domains)

I ran this command: https://jgcmedia.net

It produced this output:

NET::ERR_CERT_COMMON_NAME_INVALID

My web server is (include version):
Not using a web server. Using Emby Server v 4.4.2.0 and Caddy (as a Reverse Proxy) v 2.0

The operating system my web server runs on is (include version):
Windows Home Server 2011

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not using Certbot. I used ZeroSSL to create my cert. I copied the Text created by the ZeroSSL .bat routine, created a “Custom Resource Record” under DNS within my Google Domain. The name and value is what “le64” provided. It verified the text record was present and issued the cert.

Please let me know if any additional information is needed. THANK YOU!!!


There are a couple of problems.

#1 The HTTP to HTTPS redirection may be improper:

curl -Iki http://jgcmedia.net/
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 144
Content-Type: text/html; charset=utf-8
Location: https://jgcmedia.net/remote
Server: Microsoft-IIS/7.5
Set-Cookie: ASP.NET_SessionId=ym23qtwkgceyiz2ty352vpkh; path=/; HttpOnly; SameSite=Lax
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Date: Wed, 20 May 2020 18:00:19 GMT

#2 The cert provided by HTTPS doesn’t match the name requested:


I see you managed to get a cert today:
https://crt.sh/?id=2834763128

So #1 may not be a problem.

#2 however remains.
You need to tell your IIS web server to use the new cert for the site jgcmedia.net

In addition…

That is a very manual process and LE certs expire every 90 days.
You should look into automating the cert renewal process.
Have a look at Windows ACME clients.
Like: Posh-ACME
Or the beta of Certbot for Windows.


Thank you for your response. I have a couple questions:
#1 The HTTP to HTTPS redirection may be improper:
Location: https://jgcmedia.net/remote

How can I change the redirection to read: Location: https://jgcmedia.net

#2 however remains.
You need to tell your IIS web server to use the new cert for the site jgcmedia.net

IIS 7.5 doesn’t allow me to bind an SSL to an external domain. Do I need to physically install the LetsEncrypt cert on the IIS server and bind it to 443?

My apologies for these naive questions. I greatly appreciate the assistance.


Where, and how, did you make the redirection?

That will probably be your biggest problem.
IIS 7.5 doesn’t support SNI.
So you will have to use multiple (internal) IPs.
[One for each FQDN served.]
As the external router can only forward a single external IP:port to a single internal IP:port, that setup will only scale internally [unless you have multiple external IPs].
The Internet will only see one IP and that one IP will only connect to one site.
So, if you will need more than one site to be accessed from the Internet, you will have to upgrade IIS (>= 8) or add an updated SNI capable web proxy in front of it or get more Internet IPs.

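An added example, not part of the thread and not written by any of its posters: a Python script that checks, for a server you operate, whether the same certificate comes back regardless of the SNI name sent (the behaviour described above for a server without SNI support) and whether that certificate validates for the requested host. The function names, the result labels and the probe name `sni-probe.invalid` are assumptions made for this example.

```python
import hashlib
import socket
import ssl
import sys

PROBE_NAME = "sni-probe.invalid"  # constructed name that no site on the server should claim

def leaf_fingerprint(addr, port=443, sni=None, timeout=5.0):
    """SHA-256 of the leaf cert served for `sni` (None sends no SNI); None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # inspection only: fetch the cert even if it is wrong
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
    except (ssl.SSLError, OSError):
        return None

def name_check(host, port=443, timeout=5.0):
    """Validate the way a browser would; None on success, else the verifier's message."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except ssl.SSLCertVerificationError as exc:
        return exc.verify_message

def diagnose(fp_sni, fp_no_sni, fp_probe, verify_msg):
    """Decide from three fingerprints and the validation result what is misconfigured."""
    if verify_msg is None:
        return "OK"
    if "hostname mismatch" not in verify_msg.lower():
        return "OTHER: " + verify_msg          # e.g. untrusted chain or expired cert
    if fp_sni is not None and fp_sni == fp_no_sni == fp_probe:
        # One cert for the whole IP:port, as on a server without SNI support.
        return "MISMATCH_SAME_CERT_FOR_ANY_SNI"
    return "MISMATCH_SNI_SELECTED_CERT"        # SNI is honoured, this site's binding is wrong

def check(host, port=443):
    return diagnose(leaf_fingerprint(host, port, host),
                    leaf_fingerprint(host, port, None),
                    leaf_fingerprint(host, port, PROBE_NAME),
                    name_check(host, port))

if __name__ == "__main__":
    print(check(sys.argv[1]))
```

A `MISMATCH_SAME_CERT_FOR_ANY_SNI` result is also what a server with a single certificate binding returns, so read it together with the server version.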

Thank you for your help. I have it working now. Yes, I had to upgrade my IIS version. Appreciate your help.

