Net::err_cert_common_name_invalid


#1

Hello.
I used this tutorial on DigitalOcean to install Let’s Encrypt on my website. Everything worked as expected. But now when I try to open my website (https://etuts.ir), it says the connection is not private.

I searched and found lots of topics but none of them were the case.
When I run sudo letsencrypt certificates, it shows me one certificate for etuts.ir and www.etuts.ir:

Found the following certs:
  Certificate Name: etuts.ir
    Domains: etuts.ir www.etuts.ir

My DNS records are like this:

A     etuts.ir     IP
A     www.etuts.ir     IP

I’m using Apache. In the etuts.ir-le-ssl.conf file I see these lines at the end of the file:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/etuts.ir/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/etuts.ir/privkey.pem

Help please


#2

Hi @vmohir

you have two certificates, created today:

https://crt.sh/?q=etuts.ir

This is good. But you don’t use these. Instead, you have a curious configuration ( https://check-your-website.server-daten.de/?q=etuts.ir ):

Your authoritative nameserver doesn’t answer. But there are a lot of IP addresses:

etuts.ir A 185.143.232.5 no
A 185.143.232.21 no
A 185.143.232.53 no
A 185.143.232.69 no
A 185.143.233.5 no
A 185.143.233.21 no
A 185.143.233.53 no
A 185.143.233.69 no
A 185.143.234.5 no
A 185.143.234.21 no
A 185.143.234.53 no
A 185.143.234.69 no

The certificate you use:

CN=*.arvancloud.com, OU=EssentialSSL Wildcard, OU=Domain Control Validated
	02.05.2017
	09.06.2020
	*.arvancloud.com, arvancloud.com - 2 entries

Is this your hoster or another own domain?

And you have a two-step-loop - http redirects to https, https redirects to http.

Looks like this config

etuts.ir-le-ssl.conf

isn’t used. Did you reload your Apache? Is there a standard vHost with the other certificate name?


#3

Yes, I had an etuts.ir.conf enabled with this configuration at the end of it:

RewriteCond %{SERVER_NAME} =etuts.ir [OR]
RewriteCond %{SERVER_NAME} =www.etuts.ir
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

I think these were added by certbot because I chose the option to redirect http to https.

I don’t know about the IPs that https://check-your-website.server-daten.de/?q=etuts.ir is showing, as none of them is related to the IP of my server, which is 193.176.243.114.
I actually don’t know what these are and where I can fix something about them.

And arvancloud.com is the website where I got my Ubuntu server from.

I have these configurations enabled in Apache:

  • etuts.ir.conf
  • etuts.ir-le-ssl.conf

The first one is the one that I created using this tutorial, and the second one was created by certbot.


#4

First thought, my tool has an error. But rechecking with

there is the same picture: Nameservers from different locations - all see the same block:

Perhaps your hoster has its own CDN.

Do you see your website internally, with your IP?

Oh, what’s that? Last week I added a direct IPv4 and IPv6 check and tested that with your IP - https://check-your-website.server-daten.de/?q=193.176.243.114

There is your certificate:

CN=etuts.ir
	01.02.2019
	02.05.2019
	etuts.ir, www.etuts.ir - 2 entries

created today, valid for 90 days.

So your IP uses your new certificate, but your domain name doesn’t use your IP address.

That’s completely curious, never seen such a configuration.

Perhaps your hoster has additional options so that the certificate must be used with these IP addresses.


#5

Oh thanks man, you mentioned a CDN, and I just tried disabling a CDN option in my hoster panel and now everything is working fine!
The CDN option was something related to the DNS A records.


#6

Yep, now I see your IP address:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
etuts.ir A 193.176.243.114 yes 1 0
AAAA yes
www.etuts.ir A 193.176.243.114 yes 1 0
AAAA yes

And the loop is gone:

Domainname Http-Status redirect Sec. G
http://etuts.ir/
193.176.243.114 301 https://etuts.ir/ 0.200 A
http://www.etuts.ir/
193.176.243.114 301 https://www.etuts.ir/ 0.203 A
https://etuts.ir/
193.176.243.114 200 2.120 B
https://www.etuts.ir/
193.176.243.114 200 2.733 B

Both domains - www and non-www - are now secure.

So your hoster has an official CDN. But that works only without a certificate, so the hoster adds a redirect https -> http, that was the loop.

And that covers the individual ip address of the domain using this CDN.
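
The diagnosis in this thread comes down to comparing the certificate served at each address the name resolves to against the hostname being requested. The following is an added example, not code from the thread or from certbot: it does that comparison in Python, with the SAN lists quoted above embedded as a constructed stand-in for live connections (`fake_fetch`, `THREAD_SANS` and the function names are assumptions of this example).

```python
import socket
import ssl

def san_matches(hostname, pattern):
    """RFC 6125-style match: '*' counts only as the entire left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def covers(hostname, sans):
    return any(san_matches(hostname, s) for s in sans)

def served_sans(ip, hostname, port=443, timeout=5.0):
    """Connect to one address, send `hostname` as SNI, return the leaf's DNS SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still validated; only the name check is skipped
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def audit(hostname, addresses, fetch=served_sans):
    """Map each address to (SANs served there, whether they cover hostname)."""
    report = {}
    for ip in addresses:
        sans = fetch(ip, hostname)
        report[ip] = (sans, covers(hostname, sans))
    return report

# Constructed stand-in for live connections, using the SAN lists quoted in the thread.
THREAD_SANS = {
    "185.143.232.5": ["*.arvancloud.com", "arvancloud.com"],  # CDN address from DNS
    "193.176.243.114": ["etuts.ir", "www.etuts.ir"],          # origin server
}

def fake_fetch(ip, hostname):
    return THREAD_SANS[ip]

if __name__ == "__main__":
    for ip, (sans, ok) in audit("etuts.ir", THREAD_SANS, fetch=fake_fetch).items():
        print(ip, sans, "OK" if ok else "NAME MISMATCH")
```

Against a live host, pass the addresses returned by `socket.getaddrinfo` and leave `fetch` at its default; any address reported as a mismatch is one where a browser would show the common-name error.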