Net::err_cert_common_name_invalid


#1

I run Debian 8 as a transparent proxy. I have nginx configured. I’m using certbot to issue certificates. My domain is https://journal.fledu.uz

NET::ERR_CERT_COMMON_NAME_INVALID is occurring because of subjectAltName (as Google suggests).

I only have journal.fledu.uz domain, there’s no www.journal.fledu.uz version of the domain.

I’m new to nginx so I feel kinda lost here. Where can I configure subjectAltName?

Thanks.


#2

Hi @axodjakov

there is only

CN=fledu.uz
	13.12.2018
	13.03.2019
	fledu.uz - 1 entry

installed. So the connection ( https://check-your-website.server-daten.de/?q=journal.fledu.uz )

Domainname Http-Status redirect Sec. G
http://journal.fledu.uz/
213.230.99.192 301 https://journal.fledu.uz/ 0.250 A
https://journal.fledu.uz/
213.230.99.192 200 8.540 N
Certificate error: RemoteCertificateNameMismatch

isn’t secure. But checking the certificates there are certificates:

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:false;include_subdomains:false;domain:journal.fledu.uz&lu=cert_search

One with only journal.fledu.uz, one with 8 domain names.

So use one of these. Perhaps the certificate with 8 domain names, then you have only one certificate and you can delete the other certificates with certbot delete ...


#3

@JuergenAuer thank you for quick reply!

Honestly I didn’t completely understand what was going on and I deleted the certificates. All of them. Now I’m getting this error:

Feb 07 13:26:41 debian systemd[1]: Starting A high performance web server and a reverse proxy server...
Feb 07 13:26:42 debian nginx[11242]: nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
Feb 07 13:26:42 debian nginx[11242]: nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/fledu.uz-0001/fullchain.pem")
Feb 07 13:26:42 debian nginx[11242]: nginx: configuration file /etc/nginx/nginx.conf test failed
Feb 07 13:26:42 debian systemd[1]: nginx.service: Control process exited, code=exited status=1
Feb 07 13:26:42 debian systemd[1]: Failed to start A high performance web server and a reverse proxy server.
Feb 07 13:26:42 debian systemd[1]: nginx.service: Unit entered failed state.
Feb 07 13:26:42 debian systemd[1]: nginx.service: Failed with result 'exit-code'.

Now certbot renew is not working. How can I get a new certificate? What needs to be done in order to get the fullchain.pem file back?


#4

There should be a self signed certificate in your config. You can use that so your webserver has a certificate and can start.

Or you use your backup.


#5

I got totally lost here. This is my nginx configuration for the domain:

        listen 80;
        listen 443 ssl;
        server_name fledu.uz www.fledu.uz journal.fledu.uz;
        root /var/www/html/fledu.uz/public_html;
        index index.html index.php;
        ssl_certificate /etc/letsencrypt/live/fledu.uz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/fledu.uz/privkey.pem; # managed by Certbot

I want to obtain certificate that works for journal.fledu.uz. Would the above config work to get certificate for journal.fledu.uz using this command:

certbot certonly --standalone --preferred-challenges tls-sni -d fledu.uz

#6

There

https://fledu.uz/

is a certificate with 8 domain names,

CN=books.fledu.uz
	06.12.2018
	06.03.2019
	books.fledu.uz, conference.fledu.uz, 
fledu.uz, journal.fledu.uz, kids.fledu.uz, 
lessons.fledu.uz, media.fledu.uz, www.fledu.uz - 8 entries

journal.fledu.uz is included. So please use this certificate. You have already the correct certificate.


#7

@JuergenAuer I deleted that certificate, then I created a new one which include fledu.uz and journal.fledu.uz. Nothing changed.

The current certificate does include journal.fledu.uz, but the error persists.


#8

Your web server still isn’t using a certificate that includes journal.fledu.uz for https://journal.fledu.uz/, whatever the reason.

crt.sh doesn’t show any recent certificates for journal.fledu.uz, but if you issued it just now, that’s not unusual.

https://crt.sh/?q=journal.fledu.uz

What does “sudo certbot certificates” – or whatever your Certbot command is – show?

What is the Nginx configuration? Is the virtual host configured to use the correct certificate?

Has Nginx been reloaded or restarted recently? Does e.g. “sudo service nginx restart” work? Does it help?


#9

The current cert in use is self-signed and only covers the name “GATEWAY”:
https://www.ssllabs.com/ssltest/analyze.html?d=journal.fledu.uz&ignoreMismatch=on

The responding server shows:
Server: nginx/1.10.3

So the problem lies in the nginx configuration.

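Added example (not from the thread, and not nginx or certbot code) showing the rule a browser applies that produces NET::ERR_CERT_COMMON_NAME_INVALID: when a certificate carries a subjectAltName extension, only its DNS entries are compared with the requested hostname, the CN is ignored, and a wildcard stands for exactly one leftmost label. The three certificate dicts are constructed to mirror the certificates described in this thread (the 1-entry and 8-entry Let's Encrypt certificates and the self-signed "GATEWAY" certificate), in the dict shape Python's ssl.SSLSocket.getpeercert() returns; `allow_cn_fallback` is an added switch, off by default because current browsers do not fall back to the CN.

```python
"""Hostname matching as browsers do it, to show why the thread's error appears.

Added example, not code from the thread, certbot or nginx. The certificate
dicts are constructed sample data, not real certificate contents.
"""

# Constructed sample certificates mirroring the ones described in the thread.
CERT_ONE_NAME = {
    "subject": ((("commonName", "fledu.uz"),),),
    "subjectAltName": (("DNS", "fledu.uz"),),
}
CERT_EIGHT_NAMES = {
    "subject": ((("commonName", "books.fledu.uz"),),),
    "subjectAltName": tuple(("DNS", n) for n in (
        "books.fledu.uz", "conference.fledu.uz", "fledu.uz", "journal.fledu.uz",
        "kids.fledu.uz", "lessons.fledu.uz", "media.fledu.uz", "www.fledu.uz")),
}
CERT_GATEWAY = {"subject": ((("commonName", "GATEWAY"),),)}  # no SAN extension at all


def dns_names(cert):
    """DNS entries of the subjectAltName extension (empty list if the extension is absent)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert):
    """The subject CN, or None if the subject has no CN attribute."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def _name_matches(pattern, hostname):
    """Compare one certificate name with a hostname (case-insensitive, RFC 6125 style).

    A wildcard is accepted only as the entire leftmost label ("*.fledu.uz") and
    matches exactly one label, so it covers journal.fledu.uz but neither
    fledu.uz nor a.journal.fledu.uz.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    return bool(host_first) and host_rest == rest


def hostname_matches(cert, hostname, allow_cn_fallback=False):
    """True if the certificate is valid for hostname under browser rules.

    If a SAN extension is present the CN is ignored entirely. Without a SAN,
    the CN is consulted only when allow_cn_fallback is set (browsers do not).
    """
    names = dns_names(cert)
    if names:
        return any(_name_matches(name, hostname) for name in names)
    cn = common_name(cert)
    if allow_cn_fallback and cn:
        return _name_matches(cn, hostname)
    return False


def explain(cert, hostname):
    """Human-readable verdict in the spirit of the browser error page."""
    if hostname_matches(cert, hostname):
        return "OK: %s is covered by the certificate" % hostname
    names = dns_names(cert) or ["(no subjectAltName)"]
    return "NET::ERR_CERT_COMMON_NAME_INVALID: %s is not in SAN [%s] (CN=%s)" % (
        hostname, ", ".join(names), common_name(cert))


if __name__ == "__main__":
    for label, cert in (("1-entry", CERT_ONE_NAME),
                        ("8-entry", CERT_EIGHT_NAMES),
                        ("GATEWAY", CERT_GATEWAY)):
        print("%s: %s" % (label, explain(cert, "journal.fledu.uz")))
```

To feed a real certificate into these checks, look at what the server actually sends for the name in question rather than at the files on disk, e.g. `openssl s_client -connect journal.fledu.uz:443 -servername journal.fledu.uz` followed by `openssl x509 -noout -subject -ext subjectAltName`; the `-servername` flag matters because nginx picks the certificate by SNI and falls back to the default server's certificate otherwise.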

#10

@mnordhoff

the certbot certificates command shows this:

Found the following certs:
  Certificate Name: ulugov.uz
    Domains: ulugov.uz anvar.ulugov.uz cloud.ulugov.uz wp.ulugov.uz
    Expiry Date: 2019-02-04 04:11:50+00:00 (INVALID: EXPIRED)
    Certificate Path: /etc/letsencrypt/live/ulugov.uz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/ulugov.uz/privkey.pem
  Certificate Name: fledu.uz
    Domains: fledu.uz
    Expiry Date: 2019-05-08 08:41:22+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/fledu.uz/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/fledu.uz/privkey.pem

This is the nginx config:

server {
        listen 80;
        listen 443 ssl;
        server_name fledu.uz www.fledu.uz journal.fledu.uz;
        root /var/www/html/fledu.uz/public_html;
        index index.html index.php;
        ssl_certificate /etc/letsencrypt/live/fledu.uz/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/fledu.uz/privkey.pem; # managed by Certbot

        if ($scheme != "https") {
                return 301 https://$host$request_uri;
        } # managed by Certbot:

        location / {
                proxy_read_timeout 3600;
                try_files $uri @proxy;
        }
        location @proxy {
                proxy_pass https://83.69.139.143;
                include /etc/nginx/proxy_params;
        }

        # Redirect non-https traffic to https
        # if ($scheme != "https") {
        #     return 301 https://$host$request_uri;
        # } # managed by Certbot
}

service nginx restart works normally. I’ve just restarted nginx.


#11

Then create one certificate with these three domain names, so this vHost can use the certificate.

certbot --nginx -d fledu.uz -d www.fledu.uz -d journal.fledu.uz -vvv

If this doesn’t work, share the output of

/var/log/letsencrypt/letsencrypt.log

#12

@JuergenAuer,

I tried to obtain a new certificate. It offered me to expand and replace the existing one, I chose to expand. Then error occurred. I deleted the existing certificate using certbot delete command.

Upon second attempt to obtain a new certificate error persisted. Here’s the log:

Expires: Fri, 08 Feb 2019 11:03:51 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 08 Feb 2019 11:03:51 GMT
Connection: keep-alive

{
  "identifier": {
    "type": "dns",
    "value": "journal.fledu.uz"
  },
  "status": "valid",
  "expires": "2019-03-08T19:44:33Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/ULQHyIY52t0tNmj8iU00944a1xubxsCFEGPbwHpN_Es/12316000355",
      "token": "dAKiKIVjmpozHV02B5f_00lkuFbft3WG81wwsdpMEzw"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/ULQHyIY52t0tNmj8iU00944a1xubxsCFEGPbwHpN_Es/12316000356",
      "token": "uQYBoBxLGbtXOvNRKh3r9kj0kp1g8bPLWg9KKl4TFpM"
    },
    {
      "type": "http-01",
      "status": "valid",
      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/ULQHyIY52t0tNmj8iU00944a1xubxsCFEGPbwHpN_Es/12316000357",
      "token": "-bLjx1RhciRcwYgtHaXWPD5NpCFrScRw_8wTPW5H6M0",
      "validationRecord": [
        {
          "url": "http://journal.fledu.uz/.well-known/acme-challenge/-bLjx1RhciRcwYgtHaXWPD5NpCFrScRw_8wTPW5H6M0",
          "hostname": "journal.fledu.uz",
          "port": "80",
          "addressesResolved": [
            "213.230.99.192"
          ],
          "addressUsed": "213.230.99.192"
        },
        {
          "url": "https://journal.fledu.uz/.well-known/acme-challenge/-bLjx1RhciRcwYgtHaXWPD5NpCFrScRw_8wTPW5H6M0",
          "hostname": "journal.fledu.uz",
          "port": "443",
          "addressesResolved": [
            "213.230.99.192"
          ],
          "addressUsed": "213.230.99.192"
        }
      ]
    }
  ],
  "combinations": [
    [
      1
    ],
    [
      0
    ],
    [
      2
    ]
  ]
}
2019-02-08 11:03:51,355:DEBUG:acme.client:Storing nonce: 0-dnREi8NHRCmJ3V3U3ZDSf1x19KgD3O-UNBIeqKw94
2019-02-08 11:03:51,356:DEBUG:acme.challenges:tls-alpn-01 was not recognized, full message: {u'status': u'pending', u'token': u'uQYBoBxLGbtXOvNRKh3r9kj0kp1g8bPLWg9KKl4TFpM', u'type': u'tls-alpn-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/ULQHyIY52t0tNmj8iU00944a1xubxsCFEGPbwHpN_Es/12316000356'}
2019-02-08 11:03:51,356:INFO:certbot.auth_handler:Performing the following challenges:
2019-02-08 11:03:51,356:INFO:certbot.auth_handler:tls-sni-01 challenge for fledu.uz
2019-02-08 11:03:51,357:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
2019-02-08 11:03:51,357:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.19.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 861, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 698, in run
    certname, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 85, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 357, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 318, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 68, in get_authorizations
    self._choose_challenges(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 103, in _choose_challenges
    self.authzr[dom].body.combinations)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 374, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 411, in _find_smart_path
    _report_no_chall_path()
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 442, in _report_no_chall_path
    raise errors.AuthorizationError(msg)
AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.

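The AuthorizationError in the log above comes from the challenge-selection step: the CA's authorization lists the challenges it will accept (the `combinations` array, in ACME v1 wording), and the client can only continue if its authenticator supports every challenge in at least one combination. The authorization printed above offers dns-01, tls-alpn-01 and http-01, while the log shows the client about to perform tls-sni-01 and not recognizing tls-alpn-01. The following added example (not certbot's own code, whose implementation lives in certbot.auth_handler as the traceback shows, and not from the thread) reimplements that selection over the authorization body printed in the log; the challenge-type lists passed to it are assumptions for illustration.

```python
"""Reproduce the 'no combination of challenges' failure from an ACME v1 authorization.

Added example, not certbot's code and not from the thread. AUTHZ is
constructed from the authorization body printed in the log (URIs and tokens
dropped); the preference lists used below are assumed values for illustration.
"""

AUTHZ = {
    "identifier": {"type": "dns", "value": "journal.fledu.uz"},
    "status": "valid",
    "challenges": [
        {"type": "dns-01", "status": "pending"},
        {"type": "tls-alpn-01", "status": "pending"},
        {"type": "http-01", "status": "valid"},
    ],
    # ACME v1: each inner list is a set of indexes into "challenges" that,
    # completed together, satisfies the CA.
    "combinations": [[1], [0], [2]],
}


def unrecognized(authz, known_types):
    """Challenge types in the authorization that the client does not know at all."""
    return [c["type"] for c in authz["challenges"] if c["type"] not in known_types]


def choose_challenge_path(authz, preferences):
    """Pick the combination the client can perform, or None if there is none.

    preferences is the ordered list of challenge types the selected
    authenticator supports, most preferred first. A combination is only usable
    if every challenge in it is supported; among usable ones, the combination
    whose least-preferred member ranks best wins.
    """
    challenges = authz["challenges"]
    combos = authz.get("combinations") or [[i] for i in range(len(challenges))]
    best = None
    for combo in combos:
        types = [challenges[i]["type"] for i in combo]
        if not all(t in preferences for t in types):
            continue
        rank = max(preferences.index(t) for t in types)
        if best is None or rank < best[0]:
            best = (rank, types)
    return best[1] if best else None


def diagnose(authz, preferences):
    """One-line verdict mirroring the message certbot logged."""
    path = choose_challenge_path(authz, preferences)
    if path is None:
        offered = ", ".join(c["type"] for c in authz["challenges"])
        return ("Client with the currently selected authenticator does not support "
                "any combination of challenges that will satisfy the CA "
                "(CA offers: %s; client supports: %s)" % (offered, ", ".join(preferences)))
    return "would perform %s for %s" % (" + ".join(path), authz["identifier"]["value"])


if __name__ == "__main__":
    # Assumed: an authenticator that only knows tls-sni-01, as the log suggests.
    old_client = ["tls-sni-01"]
    print(unrecognized(AUTHZ, {"dns-01", "http-01", "tls-sni-01"}))
    print(diagnose(AUTHZ, old_client))
    # Assumed: an authenticator that can also do http-01 (e.g. a newer client).
    print(diagnose(AUTHZ, ["http-01", "tls-sni-01"]))
```

The check is per authorization, so a client can succeed for one name (whose authorization still lists tls-sni-01) and fail for another whose fresh authorization no longer offers it; upgrading the client so its authenticator supports http-01 or dns-01 changes the outcome without any change on the CA side.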
#13

Looks like your installation is corrupt. So update your certbot. What’s the version?

certbot --version

#14

@JuergenAuer,

certbot 0.19.0


#15

Then update it. This is too old.

Or check if you can use certbot-auto.


#16

@JuergenAuer,

I chose to install certbot-auto and removed existing certbot with apt-get remove certbot command. Installed certbot-auto, couldn’t handle it, removed it after a while. Then installed a new version of certbot (with nginx plugin).

Now it doesn’t work. Here’s the log:

2019-02-08 16:37:12,637:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

What can I do to completely remove everything, install a fresh certbot, and obtain a new certificate?


#17

This isn’t a log, this may be one row of a log. Please share your complete command and log.