Net::err_cert_common_name_invalid

My domain is: www.integratedhealing.co.in, www.gkconstruction.xyz
My web server is (include version): tomcat8
The operating system my web server runs on is (include version): centos
I can login to a root shell on my machine (yes or no, or I don't know): YES
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): NO

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.11.0

Getting NET::ERR_CERT_COMMON_NAME_INVALID for the second domain.
I have certificates for both domains:
Certificate Name: www.gkconstruction.xyz

Key Type: RSA
Domains: www.gkconstruction.xyz
Expiry Date: 2021-09-22 12:53:44+00:00 (VALID: 87 days)

Certificate Name: www.integratedhealing.co.in

Key Type: RSA
Domains: www.integratedhealing.co.in

Tomcat configuration:

Could you please share it with us? While I don't have experience with Tomcat, it seems your Tomcat is misconfigured, as it shows the certificate for www.integratedhealing.co.in when connecting to www.gkconstruction.xyz.


The XML is not getting posted here.

```xml
<SSLHostConfig>
    <Certificate certificateKeyFile="/etc/letsencrypt/live/www.integratedhealing.co.in/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/www.integratedhealing.co.in/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/www.integratedhealing.co.in/chain.pem"
                 type="RSA" />
</SSLHostConfig>
```

(I replaced < and > with " so the forum would show it.)

Yes, there may be a misconfiguration of the certificates, as I don't know how to configure both certificates for their respective domains in Tomcat.

For "preformatted text" such as configuration file contents, you should put three backticks (```) above and below the contents of the file. That would prevent the forum software from trying to render the contents.


```xml
<SSLHostConfig>
    <Certificate certificateKeyFile="/etc/letsencrypt/live/www.integratedhealing.co.in/privkey.pem"
                 certificateFile="/etc/letsencrypt/live/www.integratedhealing.co.in/cert.pem"
                 certificateChainFile="/etc/letsencrypt/live/www.integratedhealing.co.in/chain.pem"
                 type="RSA" />
</SSLHostConfig>
```

Obviously, that file or its contents refer only to the certificate of www.integratedhealing.co.in. As I said, I'm not familiar with Tomcat. Could you perhaps elaborate on the origin of the contents? And perhaps share the rest of the entire Tomcat configuration? You should also have a similar file for www.gkconstruction.xyz, although I'm not sure how that would fare with Tomcat.


No. Tomcat has only one XML file for all domains hosted in Tomcat.
I tried the below also:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="integratedhealing.co.in">
    <SSLHostConfig hostName="integratedhealing.co.in">
        <Certificate certificateKeystoreFile="/tmp/integratedhealing.co.in.jks" certificateKeystorePassword="xxxxxxxx"
                     certificateKeyPassword="xxxxxxxx"
                     type="RSA" />
    </SSLHostConfig>
    <SSLHostConfig hostName="gkconstruction.xyz">
        <Certificate certificateKeystoreFile="/tmp/gkconstruction.xyz.jks" certificateKeystorePassword="xxxxxxxx"
                     certificateKeyPassword="xxxxxxxx"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Your help will be appreciated.
Somehow I am able to manage certificates for both my domains.
https://www.integratedhealing.co.in works with https,
but http://www.gkconstruction.xyz/ shows "not secure",
and if I try https:
This server could not prove that it is gkconstruction.xyz; its security certificate is from www.gkconstruction.xyz. This may be caused by a misconfiguration or an attacker intercepting your connection.

Maybe someone with Tomcat experience can pitch in here; I'm not making heads or tails of these configuration pieces.

You have two different certificates for the two domain names. If they're both being hosted by the same server, it may be a lot easier to create just one certificate instead that covers both names. Tomcat didn't support server-side SNI until more recent versions than the Tomcat 8 you say you're using.


I have Tomcat version 8.5. If I check in the browser I get a valid certificate for integratedhealing, and if I try gkconstruction I get the certificate for gkconstruction but with the "common name not matching" error. Can you please try once from a browser to get a better idea?

If Tomcat does not support it, can you please give the certbot command to make one certificate for both?

Created a single certificate with the below command and it works :grinning:

```shell
certbot --webroot -w /opt/tomcat/webapps/gkconstruction certonly -d www.gkconstruction.xyz -w /opt/tomcat/webapps/ih -d www.integratedhealing.co.in
```
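The browser error quoted earlier ("could not prove that it is gkconstruction.xyz; its security certificate is from www.gkconstruction.xyz") is hostname validation: the requested name is compared against the DNS entries in the certificate's subjectAltName, exactly or via a single-label wildcard, so a certificate for www.gkconstruction.xyz does not cover the bare gkconstruction.xyz. The shell script below is an added example, not code from the thread, that reports which names a certificate covers and, via `live_sans`, what a server presents for a given SNI name (a network call; that is how the original symptom of one site's certificate being served for the other can be confirmed). File paths are assumptions; it needs OpenSSL 1.1.1 or newer for `x509 -ext`.

```shell
#!/bin/sh
# Added example, not from the thread: check which DNS names a certificate
# covers using the rule browsers apply (subjectAltName entries, exact match
# or a single-label wildcard; the CN alone no longer counts).
# Requires OpenSSL 1.1.1 or newer for "x509 -ext". Paths are assumptions.
set -e

# cert_sans CERT.pem: print the DNS names from subjectAltName, one per line
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# cert_covers CERT.pem HOSTNAME: print "yes" if HOSTNAME would pass hostname
# validation against CERT, otherwise "no". "*.example.org" matches
# "www.example.org" but neither "example.org" nor "a.b.example.org".
cert_covers() {
  cert=$1
  host=$2
  match=$(cert_sans "$cert" | while IFS= read -r san; do
    case $san in
      "$host") echo yes; break ;;
      \*.*)
        # wildcard covers exactly one left-most label: strip "*." from the
        # SAN and the first label from the host, the remainders must agree
        if [ "${host#*.}" = "${san#?.}" ] && [ "${host%%.*}" != "$host" ]; then
          echo yes; break
        fi ;;
    esac
  done)
  if [ "$match" = yes ]; then echo yes; else echo no; fi
}

# live_sans HOST [SNI]: show the names on the certificate a server presents
# for a given SNI name (network call; this is what the browser saw above).
live_sans() {
  sni=${2:-$1}
  openssl s_client -connect "$1:443" -servername "$sni" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName
}

# usage: sh san_check.sh /etc/letsencrypt/live/<name>/cert.pem www.example.org
if [ $# -eq 2 ]; then
  echo "$2: $(cert_covers "$1" "$2")"
fi
```

Run it against `/etc/letsencrypt/live/<name>/cert.pem` for each hostname users type, including the bare domain; if any answer is "no", the fix is to issue one certificate with every name as a `-d` argument, as in the command above, not to change Tomcat.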

As an alternative to trying to get HTTPS working in Tomcat, keep in mind techniques such as using nginx, Apache or Caddy as a front end for your web services, then proxying back to the Tomcat services (which can be running on different ports etc. as required).

This is a good way to work around limitations in Tomcat and ensures that you can keep your internet facing service up to date without destabilizing your tomcat application (which can be subject to compatibility issues when you have to upgrade tomcat itself).

Convert the PEM key/cert (fullchain) into PKCS#12 format using openssl, as follows:

```shell
openssl pkcs12 -export -out fullchain.p12 -in fullchain.pem -inkey yourkey.pem -passout pass:key-pass
```

Then import the fullchain/key into a JKS store:

```shell
keytool -importkeystore -srckeystore fullchain.p12 -srcstoretype pkcs12 -destkeystore myjks.jks -alias server0
```

Use any alias you like, but remember it.

Finally, in Tomcat, configure the secure connector like the following:

```xml
<Connector port="443"
    SSLEnabled="true" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keyAlias="server0" keystoreFile="myjks.jks"
    keystorePass="keypass_you_provided_to_keytool">
</Connector>
```

Hope it helps
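The PKCS#12 step above is where a mix-up between the two `/etc/letsencrypt/live/<name>/` directories (the key of one site with the certificate of the other) would go unnoticed until Tomcat starts. The script below is an added example, not code from the thread, that checks the key against the certificate first, builds the bundle with a named entry so the alias is predictable, and confirms the bundle opens with the chosen password. The file names, the `server0` alias and the passwords are assumptions for illustration; `to_jks` needs a JDK and is only for connectors that insist on JKS.

```shell
#!/bin/sh
# Added example, not from the thread: package Let's Encrypt PEM files for a
# Tomcat keystore and verify the bundle before restarting Tomcat. File names,
# the "server0" alias and the passwords are assumptions for illustration.
set -e

# key_matches_cert CERT.pem KEY.pem: "yes" if the private key belongs to the
# certificate (compares SHA-256 of the DER public keys), "no" otherwise.
key_matches_cert() {
  from_cert=$(openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  from_key=$(openssl pkey -in "$2" -pubout -outform DER | openssl dgst -sha256)
  if [ "$from_cert" = "$from_key" ]; then echo yes; else echo no; fi
}

# make_p12 FULLCHAIN.pem PRIVKEY.pem OUT.p12 PASSWORD: build the PKCS#12
# bundle; -name sets the friendly name that keytool/Tomcat use as the alias.
make_p12() {
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name server0 -passout "pass:$4"
}

# p12_cert_count OUT.p12 PASSWORD: number of certificates readable from the
# bundle with that password (leaf plus intermediates; 0 means wrong password
# or a broken bundle).
p12_cert_count() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# to_jks IN.p12 PASSWORD OUT.jks: convert for connectors that require JKS;
# Tomcat 8.5 can also read the PKCS#12 file directly (keystoreType="PKCS12").
to_jks() {
  keytool -importkeystore -srckeystore "$1" -srcstoretype pkcs12 -srcstorepass "$2" \
    -destkeystore "$3" -deststoretype jks -deststorepass "$2" -noprompt
}

# usage: sh make_keystore.sh /etc/letsencrypt/live/<name>/fullchain.pem \
#            /etc/letsencrypt/live/<name>/privkey.pem /opt/tomcat/conf/server.p12 secret
if [ $# -eq 4 ]; then
  [ "$(key_matches_cert "$1" "$2")" = yes ] || { echo "key does not match certificate" >&2; exit 1; }
  make_p12 "$1" "$2" "$3" "$4"
  echo "certificates in bundle: $(p12_cert_count "$3" "$4")"
fi
```

Two caveats for this procedure: certbot replaces the PEM files on every renewal, so the conversion has to be re-run (a certbot `--deploy-hook` is the usual place) or the connector will keep serving the old certificate; and OpenSSL 3 writes PKCS#12 files with AES-256 and SHA-256 by default, which older `keytool` builds reject, in which case re-export with `openssl pkcs12 -export -legacy ...`.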

