Net::err_cert_common_name_invalid

#1

My domain is: https://missoula.live/

I ran this command:
I followed the instructions on this page: https://certbot.eff.org/lets-encrypt/centos6-apache
I did have to change one command to get things working to the following:
sudo /usr/local/bin/certbot-auto --apache-challenge-location /etc/httpd/conf

It produced this output:
The SSL worked for about a week, and now I get the usual “your ssl doesn’t work” error when I visit the site. Rerunning the command above makes everything run smoothly for another week or so.

My web server is (include version): Apache on CentOS 6

My hosting provider, if applicable, is: Bluehost

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
I do have access to Cpanel and WHM

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.34.2

Other details: I have a few domains on this server. One of them is https://missoulachamber.com/ and I have recently rerun the certbot-auto --apache command above to get the SSL working again. This domain, and all others on the server, stop using the right SSL at seemingly the same time. I left missoula.live with the broken one so we could troubleshoot.
Renewing provides this output:
“You have an existing certificate that has exactly the same domains or certificate name you requested and isn’t close to expiry.”
1: Attempt to reinstall this existing certificate fixes everything.

Somehow it looks like the SSLs all start to point to a different SSL I have on the account. Why is this happening?

#2

Hi @andrewwindfall

You have some Let’s Encrypt certificates ( https://check-your-website.server-daten.de/?q=missoula.live ):

| CertSpotter-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 904447977 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-05-10 16:55:02 | 2019-08-08 16:55:02 | missoula.live, missoula-live.windfall.studio, www.missoula.live, www.missoula-live.windfall.studio (4 entries) | duplicate nr. 1 | |
| 888423800 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-30 21:06:05 | 2019-07-29 21:06:05 | missoula.live, missoulachamber.com, missoulachamber-com.windfall.studio, missoula-live.windfall.studio, www.missoula.live, www.missoulachamber.com, www.missoulachamber-com.windfall.studio (7 entries) | | |
| 888322974 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-30 19:38:20 | 2019-07-29 19:38:20 | mail.missoulachamber.com, missoula.live (2 entries) | | |
| 888318415 | CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US | 2019-04-30 19:34:12 | 2019-07-29 19:34:12 | missoula.live, missoulachamber.com (2 entries) | | |

Created April, 3 and May, 10. But you don’t use it.

Instead, there is a wildcard windfall.studio - certificate:

CN=*.windfall.studio, OU=PositiveSSL Wildcard, OU="Hosted by BlueHost.Com, INC", OU=Domain Control Validated (7592)
Valid 28.03.2018 to 12.04.2019 (35 days expired)
*.windfall.studio, windfall.studio - 2 entries

With names you have in your certificate.

Normally, it’s best to split certificates:

One domain (with non-www and www), one vHost (ServerName non-www, ServerAlias www) and one certificate with both domain names.

So create one new certificate with something like

certbot yourOtherParameters -d missoula.live -d www.missoula.live

But first check your vHosts:

apachectl -S
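
Added example, not part of either post: a small Python check of why the browser reports a name error when Apache serves the wildcard certificate instead of the Let’s Encrypt one. The certificate names and dates are copied from the thread; the function names and the check date (35 days after 12.04.2019) are assumptions made for this example.

```python
from datetime import datetime

def name_matches(hostname, pattern):
    """Match a hostname against one certificate name. A '*' is honoured only
    as the whole left-most label and stands for exactly one label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def check(hostname, cert, now):
    """Return 'ok' or the first problem found (names are checked before dates)."""
    if not any(name_matches(hostname, n) for n in cert["names"]):
        return "name mismatch"
    if not cert["not_before"] <= now <= cert["not_after"]:
        return "outside validity period"
    return "ok"

# Names and dates as listed in the thread.
WILDCARD = {
    "names": ["*.windfall.studio", "windfall.studio"],
    "not_before": datetime(2018, 3, 28),
    "not_after": datetime(2019, 4, 12),
}
LE_904447977 = {
    "names": ["missoula.live", "missoula-live.windfall.studio",
              "www.missoula.live", "www.missoula-live.windfall.studio"],
    "not_before": datetime(2019, 5, 10, 16, 55, 2),
    "not_after": datetime(2019, 8, 8, 16, 55, 2),
}
# Assumption: "35 days expired" puts the check at 12.04.2019 + 35 days.
NOW = datetime(2019, 5, 17)

def report(hostnames=("missoula.live", "www.missoula.live",
                      "missoula-live.windfall.studio")):
    """Result for each hostname against each of the two certificates."""
    certs = {"wildcard": WILDCARD, "LE 904447977": LE_904447977}
    return {(h, label): check(h, c, NOW)
            for h in hostnames for label, c in certs.items()}

if __name__ == "__main__":
    for (host, label), result in report().items():
        print(f"{host:32} {label:14} {result}")
```
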