NET::ERR_CERT_COMMON_NAME_INVALID

Hello friends -

I followed the instructions to generate and install a Let’s Encrypt certificate - however, my site still rejects SSL connections.

To try to diagnose, I went to https://globalsign.ssllabs.com/analyze.html?d=thumbby.com

There, it says that there are certificate issues - the certificates are out of order, and there are extra certs. Looking under Certification Paths, I see the two Let’s Encrypt Certificates, and a self-signed certificate in the trust store.

I wonder, could someone help me get this sorted out? I’m out of my depth.

My domain is: thumbby.com

I ran this command:

It produced this output:

My web server is (include version): Apache 2.0, API version 20120211

The operating system my web server runs on is (include version): RHEL 7

My hosting provider, if applicable, is: rackspace.com

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot-auto 0.40.1

1 Like

Hi @wolfalohalani

checking your domain you see the problem - https://check-your-website.server-daten.de/?q=thumbby.com


Your server sends your own certificate twice.

Should look like

There is an Apache.

Share your port 443 vHost config, the part with the certificate files.

Perhaps you use cert.pem and fullchain.pem. Use only fullchain.pem and restart your server.

PS: The fullchain.pem contains the cert.pem -> that’s duplicated.

1 Like

Hello Juergen -

My ssl config for thumbby.com:443 looks like this:

SSLCertificateFile /etc/letsencrypt/live/thumbby.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/thumbby.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/thumbby.com/fullchain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

When I take out the SSLCertificateFile line and restart, the restart fails:
Job for httpd.service failed because the control process exited with error code. See “systemctl status httpd.service” and “journalctl -xe” for details.

1 Like

If that doesn’t work, you need these three lines.

Two options (the result is the same):

  • You should have a chain.pem file. Use that instead of the fullchain.pem
  • The fullchain.pem contains the cert.pem and the chain.pem. So (first make a backup) open it with an editor and remove the first certificate. Then the content is the same as chain.pem
1 Like

SSLCertificateFile needs to be set. What needs to be changed is what things are set to.

Try this:

SSLCertificateFile /etc/letsencrypt/live/thumbby.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/thumbby.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/thumbby.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

The problem is that using both cert.pem and fullchain.pem duplicates your certificate. You can resolve that by using cert.pem and chain.pem instead.

2 Likes

Agreed; the main cert is also included in fullchain, so it is being provided twice.

1 Like

So, it turns out that there is an additional problem - I don’t have a certificate for www.thumbby.com. Looking at my httpd.conf, I saw that I had a 443 section set up for thumbby.com, but none for www.thumbby.com. I added it, restarted the server, and looking on check-your-website.server-daten.de, I get all kinds of messages about not having a certificate for the www url.

So, how do I proceed? Rerun certbot and start over?

Thanks,

Katherine

1 Like

Looking further, I see that https://www.thumbby.com will automagically forward to https://thumbby.com, and that works. Maybe this is good enough for now.

1 Like

You need to look closer: That is a fail.
[as there is no cert for www]

1 Like

Can you show what you added?
[in any case you will need a cert - not sure if one for just www or a new one with both names on it]

1 Like

You have to recheck your domain - https://check-your-website.server-daten.de/?q=thumbby.com

There is only one check - Checked: 28.11.2019 22:16:35.

If you change your configuration -> recheck the domain.

1 Like

Here are the sections for thumbby.com and www.thumbby.com:

<VirtualHost 172.24.16.96:443>
DocumentRoot "/var/www/thumbby"
ServerName thumbby.com

# Other directives here
SSLCertificateFile /etc/letsencrypt/live/thumbby.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/thumbby.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/thumbby.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

<VirtualHost 172.24.16.96:443>
DocumentRoot "/var/www/thumbby"
ServerName www.thumbby.com

# Other directives here
SSLCertificateFile /etc/letsencrypt/live/thumbby.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/thumbby.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/thumbby.com/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>

Thanks,

Katherine

1 Like

So how do I add the www.thumbby.com certificate? Do I start over with certbot?

Thanks,

Katherine

The last check - https://check-your-website.server-daten.de/?q=thumbby.com - shows one certificate with both domain names.

Issuer                       not before   not after    Domain names                              LE-Duplicate   next LE
Let’s Encrypt Authority X3   2019-11-23   2020-02-21   thumbby.com - 1 entries
Let’s Encrypt Authority X3   2019-11-23   2020-02-21   thumbby.com, www.thumbby.com - 2 entries

So

  • use certbot certificates to find that certificate (path + file name)
  • why are there two vHosts? One is enough. Use
ServerName thumbby.com
ServerAlias www.thumbby.com

and remove the other vHost (port 80 and port 443 vHosts).

Then use the certificate with both domain names, restart your Apache.

1 Like

Hello Juergen -

This is what certbot says:

letsencrypt]# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: thumbby.com
Domains: thumbby.com
Expiry Date: 2020-02-21 19:31:11+00:00 (VALID: 80 days)
Certificate Path: /etc/letsencrypt/live/thumbby.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/thumbby.com/privkey.pem


So it looks like there’s only one certificate.

Thanks,

Katherine

1 Like

That’s bad (but not critical, because the rate limit …).

Then first step: Merge your vHosts, so you have only one port 80, one port 443 vHost. With ServerName/ServerAlias.

Second step: Create a certificate with both domain names.

Ah, I see the problem -

your Apache is very old.

If Certbot can’t install the certificate, do that manually (replace the lines, restart the Apache).

1 Like

Sorry for the delay, you can combine them both into one by using two “ServerName” statements in one file. [and delete the other file]
Like:

ServerName thumbby.com
ServerAlias www.thumbby.com
1 Like
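The two fixes the thread arrives at (one port-443 vHost with ServerName plus ServerAlias, and cert.pem paired with chain.pem rather than fullchain.pem) can be checked before restarting Apache. The script below is an added example, not code from the thread, from Certbot or from Apache: it parses the SSL directives of a vHost, models the order in which mod_ssl presents SSLCertificateFile followed by SSLCertificateChainFile, and reports any certificate that would be sent twice, which is exactly what SSL Labs reported as "extra certs". The PEM blocks, the in-memory file table and the function names (`parse_vhost`, `check_vhost`) are constructed for the example; the certificates are placeholder bytes, not real X.509 data, because the check compares decoded blocks byte-for-byte and never verifies signatures or subject names.

```python
"""
Added example (not code from the thread, Certbot or Apache): parse the SSL
lines of an Apache port-443 vHost, model the chain mod_ssl will present for
its SSLCertificateFile / SSLCertificateChainFile pair, and flag the
duplicate-leaf mistake (cert.pem + fullchain.pem) discussed in the thread.

The PEM bodies are constructed placeholders, not real certificates: the
check compares decoded blocks byte-for-byte, so any distinct blobs suffice.
"""
import base64
import hashlib
import re
from typing import Dict, List

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fake_cert(label: str) -> str:
    """Wrap placeholder bytes in a syntactically valid PEM CERTIFICATE block."""
    der = f"constructed placeholder certificate: {label}".encode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


# Constructed stand-ins for the files Certbot writes under /etc/letsencrypt/live/<name>/
LIVE = "/etc/letsencrypt/live/thumbby.com"
FILES: Dict[str, str] = {
    f"{LIVE}/cert.pem": fake_cert("leaf for thumbby.com and www.thumbby.com"),
    f"{LIVE}/chain.pem": fake_cert("intermediate"),
}
# fullchain.pem is literally cert.pem followed by chain.pem.
FILES[f"{LIVE}/fullchain.pem"] = FILES[f"{LIVE}/cert.pem"] + FILES[f"{LIVE}/chain.pem"]


def parse_vhost(config: str) -> Dict[str, List[str]]:
    """Collect ServerName/ServerAlias and the SSL*File directives of one vHost."""
    found: Dict[str, List[str]] = {}
    for line in config.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        key, _, rest = line.partition(" ")
        if key in ("ServerName", "ServerAlias", "SSLCertificateFile",
                   "SSLCertificateChainFile", "SSLCertificateKeyFile"):
            found.setdefault(key, []).extend(rest.split())
    return found


def parse_pem_bundle(text: str) -> List[bytes]:
    """DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def presented_chain(vhost: Dict[str, List[str]], files: Dict[str, str]) -> List[bytes]:
    """mod_ssl sends the SSLCertificateFile cert(s) first, then SSLCertificateChainFile."""
    chain: List[bytes] = []
    for key in ("SSLCertificateFile", "SSLCertificateChainFile"):
        for path in vhost.get(key, []):
            chain += parse_pem_bundle(files[path])
    return chain


def check_vhost(config: str, files: Dict[str, str] = FILES) -> dict:
    """Report the names served and any certificate presented more than once."""
    vhost = parse_vhost(config)
    chain = presented_chain(vhost, files)
    seen = set()
    duplicates = []
    for pos, der in enumerate(chain):
        fingerprint = hashlib.sha256(der).hexdigest()
        if fingerprint in seen:
            duplicates.append(pos)
        seen.add(fingerprint)
    return {
        "names": vhost.get("ServerName", []) + vhost.get("ServerAlias", []),
        "chain_length": len(chain),
        "duplicate_positions": duplicates,
        "ok": not duplicates,
    }


# One merged vHost (ServerName + ServerAlias) with the cert.pem / chain.pem pairing.
# Hostnames, IP and DocumentRoot are the ones posted in the thread.
MERGED_VHOST = f"""
<VirtualHost 172.24.16.96:443>
    DocumentRoot "/var/www/thumbby"
    ServerName thumbby.com
    ServerAlias www.thumbby.com
    SSLCertificateFile {LIVE}/cert.pem
    SSLCertificateKeyFile {LIVE}/privkey.pem
    SSLCertificateChainFile {LIVE}/chain.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
"""

# The original misconfiguration from the thread: cert.pem plus fullchain.pem.
BROKEN_VHOST = MERGED_VHOST.replace("chain.pem", "fullchain.pem")

if __name__ == "__main__":
    for label, cfg in (("cert.pem + fullchain.pem", BROKEN_VHOST),
                       ("cert.pem + chain.pem", MERGED_VHOST)):
        print(label, check_vhost(cfg))
```

With the broken pairing the modelled chain is leaf, leaf, intermediate (the duplicate sits at position 1); with cert.pem plus chain.pem it is leaf, intermediate, and both names from ServerName and ServerAlias are reported. The script only models file composition, so a clean result still needs the external check (SSL Labs or check-your-website) to confirm signatures and that the certificate's names cover www.thumbby.com. One caveat for readers on a newer build: Apache 2.4.8 and later deprecate SSLCertificateChainFile and accept the whole chain in SSLCertificateFile, which is why "use only fullchain.pem" works there but not on the old Apache in this thread.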