Net::err_cert_common_name_invalid

Hello.
I used this tutorial on DigitalOcean to install Let's Encrypt on my website. Everything worked as expected. But now when I try to open my website (https://etuts.ir), it says the connection is not private.

I searched and found lots of topics, but none of them matched my case.
When I run sudo letsencrypt certificates, it shows me one certificate for etuts.ir and www.etuts.ir:

Found the following certs:
  Certificate Name: etuts.ir
    Domains: etuts.ir www.etuts.ir

My DNS records are like this:

A     etuts.ir     IP
A     www.etuts.ir     IP

I'm using Apache. In the etuts.ir-le-ssl.conf file I see these lines at the end of the file:

Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/etuts.ir/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/etuts.ir/privkey.pem

Help please

Hi @vmohir

you have two certificates, created today:

This is good. But you don't use these. Instead, you have a curious configuration ( https://check-your-website.server-daten.de/?q=etuts.ir ):

Your authoritative nameserver doesn't answer. But there are a lot of IP addresses:

etuts.ir A 185.143.232.5 no
A 185.143.232.21 no
A 185.143.232.53 no
A 185.143.232.69 no
A 185.143.233.5 no
A 185.143.233.21 no
A 185.143.233.53 no
A 185.143.233.69 no
A 185.143.234.5 no
A 185.143.234.21 no
A 185.143.234.53 no
A 185.143.234.69 no

The certificate you use:

CN=*.arvancloud.com, OU=EssentialSSL Wildcard, OU=Domain Control Validated
	02.05.2017
	09.06.2020
	*.arvancloud.com, arvancloud.com - 2 entries

Is this your hoster or another domain of your own?

And you have a two-step loop: http redirects to https, https redirects to http.

Looks like this config, etuts.ir-le-ssl.conf, isn't used. Did you reload your Apache? Is there a standard vHost with the other certificate name?

Yes, I had an etuts.ir.conf enabled with this configuration at the end of it:

RewriteCond %{SERVER_NAME} =etuts.ir [OR]
RewriteCond %{SERVER_NAME} =www.etuts.ir
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]

which I think were added by certbot because I chose the option to redirect http to https.

I don't know about the IPs that https://check-your-website.server-daten.de/?q=etuts.ir is showing, as none of them is related to the IP of my server, which is 193.176.243.114.
I actually don't know what these are and where I can fix something about these.

And arvancloud.com is the website where I got my Ubuntu server from.

I have these configurations enabled in Apache:

  • etuts.ir.conf
  • etuts.ir-le-ssl.conf

The first one is the one that I've created using this tutorial, and the second one is created by certbot.

First thought, my tool has an error. But rechecking with

there is the same picture: Nameservers from different locations - all see the same block:

Perhaps your hoster has its own CDN.

Do you see your website internally, with your IP?

Oh, what's that? Last week I added a direct IPv4 and IPv6 check, and tested that with your IP - https://check-your-website.server-daten.de/?q=193.176.243.114

There is your certificate:

CN=etuts.ir
	01.02.2019
	02.05.2019
	etuts.ir, www.etuts.ir - 2 entries

Created today, valid for 90 days.

So your IP uses your new certificate, but your domain name doesn't use your IP address.

That's completely curious, never seen such a configuration.

Perhaps your hoster has additional options so the certificate must be used with these ip addresses.

Oh, thanks man! You mentioned a CDN, so I just tried disabling a CDN option in my hoster panel, and now everything is working fine!
The CDN option was something related to the DNS A records.

Yep, now I see your IP address:

Host T IP-Address is auth. ∑ Queries ∑ Timeout
etuts.ir A 193.176.243.114 yes 1 0
AAAA yes
www.etuts.ir A 193.176.243.114 yes 1 0
AAAA yes

And the loop is gone:

Domainname Http-Status redirect Sec. G
http://etuts.ir/
193.176.243.114 301 https://etuts.ir/ 0.200 A
http://www.etuts.ir/
193.176.243.114 301 https://www.etuts.ir/ 0.203 A
https://etuts.ir/
193.176.243.114 200 2.120 B
https://www.etuts.ir/
193.176.243.114 200 2.733 B

Both domains - www and non-www - are now secure.

So your hoster has an official CDN. But that works only without a certificate, so the hoster adds a redirect https -> http, that was the loop.

And that covers the individual ip address of the domain using this CDN.

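The diagnosis reached in this thread, written out as an added example that is not part of the original posts: a browser raises ERR_CERT_COMMON_NAME_INVALID when the requested hostname is not covered by the served certificate's names, and here DNS was sending visitors to CDN addresses that served a certificate for a different name. The IPs and certificate names are quoted from the thread; the function names and result labels are hypothetical, and the wildcard matching is a simplified form of RFC 6125 (no partial-label wildcards, no IDN handling).

```python
import ipaddress

# Values below are quoted from the thread; function names are hypothetical.
ORIGIN_IP = "193.176.243.114"
CDN_IPS = ["185.143.232.5", "185.143.233.21", "185.143.234.53"]
CDN_CERT_SANS = ["*.arvancloud.com", "arvancloud.com"]
ORIGIN_CERT_SANS = ["etuts.ir", "www.etuts.ir"]

def san_matches(hostname, san):
    """Simplified RFC 6125 match: '*' covers exactly one left-most label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat) or host[0] == "":
        return False
    if pat[0] == "*":
        # Refuse wildcards directly under a TLD such as '*.com'.
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def cert_covers(hostname, sans):
    """True if any subjectAltName entry covers the requested hostname."""
    return any(san_matches(hostname, s) for s in sans)

def diagnose(hostname, resolved_ips, origin_ip, served_sans):
    """Separate a name mismatch caused by DNS from one caused by the vHost."""
    origin = ipaddress.ip_address(origin_ip)
    via_origin = bool(resolved_ips) and all(
        ipaddress.ip_address(ip) == origin for ip in resolved_ips)
    name_ok = cert_covers(hostname, served_sans)
    if name_ok and via_origin:
        return "ok"
    if name_ok:
        return "dns-bypasses-origin"   # valid name, but served by another endpoint
    if not via_origin:
        return "wrong-endpoint"        # DNS points elsewhere; fix DNS/CDN, not Apache
    return "origin-misconfigured"      # origin answers with the wrong certificate

if __name__ == "__main__":
    # Before the CDN option was disabled, then after.
    print(diagnose("etuts.ir", CDN_IPS, ORIGIN_IP, CDN_CERT_SANS))
    print(diagnose("etuts.ir", [ORIGIN_IP], ORIGIN_IP, ORIGIN_CERT_SANS))
```
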