Net::err_cert_common_name_invalid


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.yellowthyme.com

I ran this command: How To Secure Apache with Let’s Encrypt on Ubuntu 16.04

It produced this output: NET::ERR_CERT_COMMON_NAME_INVALID

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Yes


#2

Your site is redirecting (301) to: https://142.93.221.73/
Which will NOT work as the cert only contains FQDNs (yellowthyme.com & www.yellowthyme.com):


#3

Thank you for this.

But my other problem is that I also see a “Too many redirects” on my website after installing the certificate.
I don’t know how to solve it.


#4

Then you may need to start fresh.
I would remove all redirects.
Then add in only what should be required.


#5

Any idea on how to do that? Where should I start?


#6

Start in the control panel.
Look for anything relating to redirection and disable it.
Also ensure the site name is never set to an IP anywhere in the control panel (nor in WordPress, if you use that) - always use the real domain name.

If you have any doubts, send a screenshot.

Also, since you can login, show the output of these commands:
ls -l /etc/apache2/sites-enabled/
grep -Eri 'servername|alias|rewrite|301' /etc/apache2/


#7

So this is what it looks like

chhavi@yellowthymedrop : ~ $ ls -l /etc/apache2/sites-enabled/

total 0

lrwxrwxrwx 1 root root 52 Oct 16 15:33 000-default-le-ssl.conf -> /etc/apache2/sites-available/000-default-le-ssl.conf

lrwxrwxrwx 1 root root 35 Oct 16 04:28 000-default.conf -> …/sites-available/000-default.conf

lrwxrwxrwx 1 root root 35 Oct 16 13:15 default-ssl.conf -> …/sites-available/default-ssl.conf

chhavi@yellowthymedrop : ~ $ grep -Eri 'servername|alias|rewrite|301' /etc/apache2/

/etc/apache2/sites-available/default-ssl.conf: servername 142.93.221.73

/etc/apache2/sites-available/default-ssl.conf: Server Alias www.yellowthyme.com

/etc/apache2/sites-available/default-ssl.conf.bak: servername 142.93.221.73

/etc/apache2/sites-available/000-default.conf: # The ServerName directive sets the request scheme, hostname and port that

/etc/apache2/sites-available/000-default.conf: # redirection URLs. In the context of virtual hosts, the ServerName

/etc/apache2/sites-available/000-default.conf: # ServerName www.example.com

/etc/apache2/sites-available/000-default.conf: Rewrite Engine on

/etc/apache2/sites-available/000-default.conf: Rewrite Cond %{SERVER_NAME} =yellowthyme.com

/etc/apache2/sites-available/000-default.conf: Rewrite Rule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

/etc/apache2/sites-available/le-redirect-142.93.221.73.conf: ServerName 142.93.221.73

/etc/apache2/sites-available/le-redirect-142.93.221.73.conf:Server Alias www.yellowthyme.com

/etc/apache2/sites-available/le-redirect-142.93.221.73.conf: Rewrite Engine On

/etc/apache2/sites-available/le-redirect-142.93.221.73.conf: Rewrite Rule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

/etc/apache2/sites-available/000-default-le-ssl.conf: # The ServerName directive sets the request scheme, hostname and port that

/etc/apache2/sites-available/000-default-le-ssl.conf: # redirection URLs. In the context of virtual hosts, the ServerName

/etc/apache2/sites-available/000-default-le-ssl.conf: # ServerName www.example.com

/etc/apache2/sites-available/000-default-le-ssl.conf: ServerName yellowthyme.com

/etc/apache2/conf-available/serve-cgi-bin.conf:<IfModule mod_ alias .c>

/etc/apache2/conf-available/serve-cgi-bin.conf: Script Alias /cgi-bin/ /usr/lib/cgi-bin/

/etc/apache2/conf-available/localized-error-pages.conf:# We use Alias to redirect any /error/HTTP_<error>.html.var response to

/etc/apache2/conf-available/localized-error-pages.conf:# Alias /error/include/ “/your/include/path/”

/etc/apache2/conf-available/localized-error-pages.conf:# even on a per-VirtualHost basis. If you include the Alias in the global server

/etc/apache2/conf-available/localized-error-pages.conf:# context, is has to come before the ’ Alias /error/ …’ line.

/etc/apache2/conf-available/localized-error-pages.conf:# The internationalized error documents require mod_ alias , mod_include

/etc/apache2/conf-available/localized-error-pages.conf:# <IfModule mod_ alias .c>

/etc/apache2/conf-available/localized-error-pages.conf:# Alias /error/ “/usr/share/apache2/error/”

/etc/apache2/magic:0 belong 0x0e031 301 application/x-hdf

/etc/apache2/mods-available/alias.conf:<IfModule alias _module>

/etc/apache2/mods-available/alias.conf: # Alias es: Add here as many alias es as you need (with no limit). The format is

/etc/apache2/mods-available/alias.conf: # Alias fakename realname

/etc/apache2/mods-available/alias.conf: # require it to be present in the URL. So “/icons” isn’t alias ed in this

/etc/apache2/mods-available/alias.conf: # We include the /icons/ alias for FancyIndexed directory listings. If

/etc/apache2/mods-available/alias.conf: Alias /icons/ “/usr/share/apache2/icons/”

/etc/apache2/mods-available/info.conf: # http:// servername /server-info (requires that mod_info.c be loaded).

/etc/apache2/mods-available/status.conf: # with the URL of http:// servername /server-status

/etc/apache2/mods-available/alias.load:LoadModule alias module /usr/lib/apache2/modules/mod alias .so

/etc/apache2/mods-available/vhost_alias.load:LoadModule vhost_ alias module /usr/lib/apache2/modules/mod_vhost alias .so

/etc/apache2/mods-available/proxy_balancer.load:# Depends: proxy alias slotmem_shm

/etc/apache2/mods-available/rewrite.load:LoadModule rewrite module /usr/lib/apache2/modules/mod rewrite .so

/etc/apache2/mods-available/mime.conf: # To use CGI scripts outside of Script Alias ed directories:


#8

I am not getting the too many redirects problem now… Though the mismatch between the certificate and the IP address persists.


#9

Although currently not in use, file
/etc/apache2/sites-available/le-redirect-142.93.221.73.conf
shows:
ServerName 142.93.221.73
Rewrite Rule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

So the redirect sends it to the “SERVER_NAME” which is defined as the IP and would create a cert name mismatch failure.


#10

Make these changes:

  1. file /etc/apache2/sites-available/000-default-le-ssl.conf
    add
    ServerAlias www.yellowthyme.com

  2. file /etc/apache2/sites-available/default-ssl.conf
    change
    servername 142.93.221.73
    to
    Servername yellowthyme.com
    and also change
    Server Alias www.yellowthyme.com
    to
    ServerAlias www.yellowthyme.com

  3. file /etc/apache2/sites-available/000-default.conf
    change
    Rewrite Cond %{SERVER_NAME} =yellowthyme.com
    Rewrite Rule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
    to:
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

And you should probably just delete file:
/etc/apache2/sites-available/le-redirect-142.93.221.73.conf


#11

Hey, thank you for the detailed input.
I did what you said but no change.

Also noticed that there is a line Redirect permanent “/” “https://142.93.221.73/
in the /etc/apache2/sites-available/000-default-le-ssl.conf file.

Should I remove it?
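A static check for the two problems found so far in this thread (a TLS vhost named for the IP, and a `Redirect` whose target is the IP), as an added example that is not part of the original posts. The sample config is constructed from directives quoted above; the function names are hypothetical, and TLS vhosts are assumed to be the ones on port 443.

```python
import ipaddress
import re

CERT_NAMES = {"yellowthyme.com", "www.yellowthyme.com"}  # as listed in reply #2
# Constructed sample assembled from directives quoted in the thread.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    servername 142.93.221.73
    ServerAlias www.yellowthyme.com
    Redirect permanent "/" "https://142.93.221.73/"
</VirtualHost>
<VirtualHost *:80>
    ServerName 142.93.221.73
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
</VirtualHost>
"""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def covered(host, cert_names):
    """Exact match, or one-label match against a '*.' wildcard name."""
    parent = host.partition(".")[2]
    return any(n == host or (n.startswith("*.") and n[2:] == parent)
               for n in map(str.lower, cert_names))

def lint(config, cert_names):
    """Return (line_no, directive, host, reason) for hosts the certificate cannot vouch for."""
    findings, tls = [], False
    for no, raw in enumerate(config.splitlines(), 1):
        directive, _, rest = raw.strip().partition(" ")
        key, hosts = directive.lower(), []
        if key in ("<virtualhost", "</virtualhost>"):
            tls = rest.rstrip("> ").endswith(":443")  # assumption: TLS vhosts listen on 443
        elif key in ("servername", "serveralias") and tls:
            hosts = [re.sub(r"^\w+://|:\d+$", "", h) for h in rest.split()]
        elif key in ("redirect", "redirectmatch", "rewriterule"):
            hosts = re.findall(r"https://([^/\s\"':]+)", rest)
        for host in map(str.lower, hosts):
            if "%{" in host or "$" in host:
                continue  # expands per request, cannot be judged statically
            if is_ip(host) or not covered(host, cert_names):
                reason = "IP literal" if is_ip(host) else "not on certificate"
                findings.append((no, directive, host, reason))
    return findings
```

Run `lint()` over each file under `/etc/apache2/sites-enabled/` with the names from the certificate; an empty list means no TLS vhost name or literal HTTPS redirect target falls outside the certificate.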


#12

It worked!!!

Thank you so so much!!


#13

Now we can talk about implementing redirection (correctly)
If you haven’t already done that…

I see:
http://yellowthyme.com/ >>> [https://www.yellowthyme.com/] [GOOD]
http://www.yellowthyme.com/ >>> [no redirection] [BAD]
https://yellowthyme.com/ >>> [https://www.yellowthyme.com/] [not really needed - but OK]
https://www.yellowthyme.com/ >>> [no redirection required] [GOOD]

So, if you could, please show the current file:
/etc/apache2/sites-available/000-default.conf
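The four-URL check in the list above can be scripted as a redirect-chain audit; this is an added example, not part of the original posts. The response table is constructed from the results reported in that list, the status codes in it are assumed, `audit` and `from_table` are hypothetical names, and certificate coverage is treated as exact-name membership.

```python
from urllib.parse import urljoin, urlsplit

CERT_NAMES = {"yellowthyme.com", "www.yellowthyme.com"}  # as listed in reply #2
REDIRECTS = {301, 302, 303, 307, 308}

# Constructed responses matching the four results reported above
# (status codes are assumed, the thread does not give them).
OBSERVED = {
    "http://yellowthyme.com/": (301, "https://www.yellowthyme.com/"),
    "http://www.yellowthyme.com/": (200, None),
    "https://yellowthyme.com/": (301, "https://www.yellowthyme.com/"),
    "https://www.yellowthyme.com/": (200, None),
}

def from_table(table):
    """Offline stand-in for an HTTP client: url -> (status, Location)."""
    return lambda url: table.get(url, (200, None))

def audit(start, fetch, cert_names, max_hops=20):
    """Follow redirects from start and return (last_url, verdict)."""
    url, seen = start, set()
    for _ in range(max_hops):
        parts = urlsplit(url)
        # A browser stops here with a name-mismatch error before any redirect.
        if parts.scheme == "https" and parts.hostname not in cert_names:
            return url, f"certificate does not cover {parts.hostname}"
        if url in seen:
            return url, "redirect loop"
        seen.add(url)
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return url, "ok" if parts.scheme == "https" else "stays on plain HTTP"
        url = urljoin(url, location)
    return url, "too many redirects"
```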


#14

This is my current file.

<VirtualHost *:80>

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

#Redirect permanent “/” “https://142.93.221.73/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]


#15

Some things seem missing in that file…
Like the servername.
Maybe get a screenshot of it.


#16


#17

That file should be unrelated to the specific domain in use.
It really needs to say something like:
servername _default_
or
servername 142.93.221.73
or something like that.
But it is not (should not be) what we are looking for.

Show:
grep -Eri 'servername|alias|yellow' /etc/apache2/sites-enabled/

or maybe it can be much more simple…
If you only use this site for one domain name, then you could use that vhost config for “ALL” traffic.
Try changing servername line to:
servername *
and then just remove all the other lines that start with # (for cleanliness and readability)
and restart Apache.


#18

Here is the latest file.
I tried Servername * but that gave an error. Changed it to the IP address and seems to be fine.
Also note that I removed the redirect permanent from the file. Is that the culprit?

<VirtualHost *:80>

    ServerName 142.93.221.73

    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html

#Redirect permanent “/” “https://142.93.221.73/

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

grep -Eri 'servername|alias|yellow' /etc/apache2/sites-enabled/

Doesn’t yield any results.


#19

OK.
I don’t see how it “works”, but both HTTP sites now reach “302 found” page that redirects to HTTPS.

So I think we are done.