Renewal cert problem - certificate name mismatch returned

My domain is: podcasts.canstream.co.uk

I ran this command:

./certbot-auto --apache -d podcasts.canstream.co.uk -d www.podcasts.canstream.co.uk

It produced this output:

When I test it here:

https://www.ssllabs.com/ssltest/analyze.html?d=podcasts.canstream.co.uk&hideResults=on

I get: Certificate name mismatch

I’m running a bunch of VirtualHosts on this server and the certs for all of them have renewed OK except this crucial one.

My web server is (include version):

Server version: Apache/2.2.15 (Unix)
Server built: Jun 19 2018 15:45:13

The operating system my web server runs on is (include version): Centos 6

My hosting provider, if applicable, is: me/self-hosted

I can login to a root shell on my machine: yes

The version of my client is: certbot 0.40.1

These directives are in place in the Apache config file:

SSLCertificateFile /etc/letsencrypt/live/podcasts.canstream.co.uk/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/podcasts.canstream.co.uk/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/podcasts.canstream.co.uk/chain.pem

And these files are here:

[root@machine ~]# ls /etc/letsencrypt/live/podcasts.canstream.co.uk/ -la
lrwxrwxrwx 1 root root 48 Nov 7 12:53 cert.pem -> ../../archive/podcasts.canstream.co.uk/cert1.pem
lrwxrwxrwx 1 root root 49 Nov 7 12:53 chain.pem -> ../../archive/podcasts.canstream.co.uk/chain1.pem
lrwxrwxrwx 1 root root 53 Nov 7 12:53 fullchain.pem -> ../../archive/podcasts.canstream.co.uk/fullchain1.pem
lrwxrwxrwx 1 root root 51 Nov 7 12:53 privkey.pem -> ../../archive/podcasts.canstream.co.uk/privkey1.pem

1 Like

Hi @ITCrowd

There is a check of your domain, 20 minutes old: https://check-your-website.server-daten.de/?q=podcasts.canstream.co.uk

You have created 4 identical certificates

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
| --- | --- | --- | --- | --- | --- |
| Let’s Encrypt Authority X3 | 2019-11-07 | 2020-02-05 | podcasts.canstream.co.uk, www.podcasts.canstream.co.uk - 2 entries | duplicate nr. 4 | |
| Let’s Encrypt Authority X3 | 2019-11-07 | 2020-02-05 | podcasts.canstream.co.uk, www.podcasts.canstream.co.uk - 2 entries | duplicate nr. 3 | |
| Let’s Encrypt Authority X3 | 2019-11-07 | 2020-02-05 | podcasts.canstream.co.uk, www.podcasts.canstream.co.uk - 2 entries | duplicate nr. 2 | |
| Let’s Encrypt Authority X3 | 2019-11-06 | 2020-02-04 | podcasts.canstream.co.uk, www.podcasts.canstream.co.uk - 2 entries | duplicate nr. 1 | |
| Let’s Encrypt Authority X3 | 2019-08-11 | 2019-11-09 | podcasts.canstream.co.uk, www.podcasts.canstream.co.uk - 2 entries | | |

So that part works, it’s only an installation problem. Don’t create a new certificate.

A

| CN=podcast.commedia.org.uk | 06.11.2019 | 04.02.2020 | expires in 89 days | podcast.commedia.org.uk, www.podcast.commedia.org.uk - 2 entries |

is used. Looks like you have different vHosts, so the wrong vHost answers.

What do these commands output?

certbot certificates
apachectl -S
2 Likes

Many thanks @JuergenAuer.

OK, ./certbot-auto certificates gives me the following:

[root@machine ~]# ./certbot-auto certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Renewal configuration file /etc/letsencrypt/renewal/listenagain.canstream.co.uk.conf produced an unexpected error: expected /etc/letsencrypt/live/listenagain.canstream.co.uk/cert.pem to be a symlink. Skipping.
Renewal configuration file /etc/letsencrypt/renewal/podcast.canstream.co.uk.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.


Found the following certs:
Certificate Name: canstream.co.uk
Domains: canstream.co.uk www.canstream.co.uk
Expiry Date: 2020-02-04 20:03:39+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/canstream.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/canstream.co.uk/privkey.pem
Certificate Name: energy.commedia.org.uk
Domains: energy.commedia.org.uk www.energy.commedia.org.uk
Expiry Date: 2019-11-08 01:11:10+00:00 (VALID: 9 hour(s))
Certificate Path: /etc/letsencrypt/live/energy.commedia.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/energy.commedia.org.uk/privkey.pem
Certificate Name: listen-again.gloucesterfm.com
Domains: listen-again.gloucesterfm.com
Expiry Date: 2020-02-04 20:06:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/listen-again.gloucesterfm.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/listen-again.gloucesterfm.com/privkey.pem
Certificate Name: listen-again.ujimaradio.com
Domains: listen-again.ujimaradio.com
Expiry Date: 2020-02-04 20:08:03+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/listen-again.ujimaradio.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/listen-again.ujimaradio.com/privkey.pem
Certificate Name: listen.commedia.org.uk
Domains: listen.commedia.org.uk www.listen.commedia.org.uk
Expiry Date: 2020-02-04 20:09:05+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/listen.commedia.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/listen.commedia.org.uk/privkey.pem
Certificate Name: listenagain.canstream.co.uk-0001
Domains: listenagain.canstream.co.uk www.listenagain.canstream.co.uk
Expiry Date: 2019-11-08 12:35:10+00:00 (VALID: 20 hour(s))
Certificate Path: /etc/letsencrypt/live/listenagain.canstream.co.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/listenagain.canstream.co.uk-0001/privkey.pem
Certificate Name: listenagain.radioharrow.org
Domains: listenagain.radioharrow.org www.listenagain.radioharrow.org
Expiry Date: 2020-02-04 20:10:50+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/listenagain.radioharrow.org/fullchain.pem
Private Key Path: /etc/letsencrypt/live/listenagain.radioharrow.org/privkey.pem
Certificate Name: podcast.canstream.co.uk-0001
Domains: podcast.canstream.co.uk www.podcast.canstream.co.uk
Expiry Date: 2020-02-04 19:50:25+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/podcast.canstream.co.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/podcast.canstream.co.uk-0001/privkey.pem
Certificate Name: podcast.commedia.org.uk
Domains: podcast.commedia.org.uk www.podcast.commedia.org.uk
Expiry Date: 2020-02-04 20:11:52+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/podcast.commedia.org.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/podcast.commedia.org.uk/privkey.pem
Certificate Name: podcasts.canstream.co.uk
Domains: podcasts.canstream.co.uk www.podcasts.canstream.co.uk
Expiry Date: 2020-02-05 11:53:28+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/podcasts.canstream.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/podcasts.canstream.co.uk/privkey.pem
Certificate Name: podcasts.commedia.org.uk-0001
Domains: podcasts.commedia.org.uk www.podcasts.commedia.org.uk
Expiry Date: 2020-02-04 20:14:58+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/podcasts.commedia.org.uk-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/podcasts.commedia.org.uk-0001/privkey.pem
Certificate Name: podgraph.canstream.co.uk
Domains: podgraph.canstream.co.uk
Expiry Date: 2019-11-08 00:28:31+00:00 (VALID: 8 hour(s))
Certificate Path: /etc/letsencrypt/live/podgraph.canstream.co.uk/fullchain.pem
Private Key Path: /etc/letsencrypt/live/podgraph.canstream.co.uk/privkey.pem

The following renewal configurations were invalid:
/etc/letsencrypt/renewal/listenagain.canstream.co.uk.conf
/etc/letsencrypt/renewal/podcast.canstream.co.uk.conf


I’ll create a new post for the next output…

1 Like

[root@machine ~]# apachectl -S

VirtualHost configuration:
195.10.228.11:80 is a NameVirtualHost
default server canstream.co.uk (/etc/httpd/conf.d/canstream.conf:1)
port 80 namevhost canstream.co.uk (/etc/httpd/conf.d/canstream.conf:1)
alias www.canstream.co.uk
alias canstream.org.uk
alias www.canstream.org.uk
port 80 namevhost catchup.canstream.co.uk (/etc/httpd/conf.d/catchup.conf:1)
alias www.catchup.canstream.co.uk
alias podcasts.canstream.co.uk
alias www.podcasts.canstream.co.uk
alias podcast.commedia.org.uk
alias www.podcast.commedia.org.uk
port 80 namevhost energy.commedia.org.uk (/etc/httpd/conf.d/energy.conf:1)
alias www.energy.commedia.org.uk
port 80 namevhost euranet.commedia.org.uk (/etc/httpd/conf.d/euranet.conf:1)
alias www.euranet.commedia.org.uk
alias euranet.canstream.co.uk
alias www.euranet.canstream.co.uk
port 80 namevhost www.getmedia.org.uk (/etc/httpd/conf.d/getmedia.conf:1)
alias getmedia.org.uk
port 80 namevhost listen-again.gloucesterfm.com (/etc/httpd/conf.d/gloucesterfm.conf:1)
port 80 namevhost listenagain.radioharrow.org (/etc/httpd/conf.d/harrow.conf:1)
alias www.listenagain.radioharrow.org
alias podcast.canstream.co.uk/harrow
port 80 namevhost listen.commedia.org.uk (/etc/httpd/conf.d/listen.commedia.conf:1)
alias www.listen.commedia.org.uk
port 80 namevhost listenagain.canstream.co.uk (/etc/httpd/conf.d/listenagain.conf:1)
alias www.listenagain.canstream.co.uk
port 80 namevhost podcast.canstream.co.uk (/etc/httpd/conf.d/podcast.canstream.conf:1)
alias www.podcast.canstream.co.uk
port 80 namevhost podcasts.commedia.org.uk (/etc/httpd/conf.d/podcasts.commedia.conf:1)
alias www.podcasts.commedia.org.uk
port 80 namevhost podgraph.canstream.co.uk (/etc/httpd/conf.d/podgraph.conf:1)
port 80 namevhost listenagain.canstream.co.uk (/etc/httpd/conf.d/pure.conf:1)
port 80 namevhost radionation.commedia.org.uk (/etc/httpd/conf.d/radionation.conf:1)
alias www.radionation.commedia.org.uk
port 80 namevhost listenagain.seahavenfm.com (/etc/httpd/conf.d/seahaven.conf:1)
port 80 namevhost listen-again.ujimaradio.com (/etc/httpd/conf.d/ujima.conf:1)
port 80 namevhost listenagain.canstream.co.uk (/etc/httpd/conf.d/unity.conf:1)
port 80 namevhost pod1.canstream.co.uk (/etc/httpd/conf.d/wordpress.conf:1)
195.10.228.11:443 is a NameVirtualHost
default server canstream.co.uk (/etc/httpd/conf.d/canstream-le-ssl.conf:2)
port 443 namevhost canstream.co.uk (/etc/httpd/conf.d/canstream-le-ssl.conf:2)
alias www.canstream.co.uk
alias canstream.org.uk
alias www.canstream.org.uk
port 443 namevhost catchup.canstream.co.uk (/etc/httpd/conf.d/catchup-le-ssl.conf:2)
alias www.catchup.canstream.co.uk
alias podcasts.canstream.co.uk
alias www.podcasts.canstream.co.uk
alias podcast.commedia.org.uk
alias www.podcast.commedia.org.uk
port 443 namevhost energy.commedia.org.uk (/etc/httpd/conf.d/energy-le-ssl.conf:2)
alias www.energy.commedia.org.uk
port 443 namevhost listen-again.gloucesterfm.com (/etc/httpd/conf.d/gloucesterfm-le-ssl.conf:2)
port 443 namevhost listenagain.radioharrow.org (/etc/httpd/conf.d/harrow-le-ssl.conf:2)
alias www.listenagain.radioharrow.org
alias podcast.canstream.co.uk/harrow
port 443 namevhost listen.commedia.org.uk (/etc/httpd/conf.d/listen.commedia-le-ssl.conf:2)
alias www.listen.commedia.org.uk
port 443 namevhost listenagain.canstream.co.uk (/etc/httpd/conf.d/listenagain-le-ssl.conf:2)
alias www.listenagain.canstream.co.uk
port 443 namevhost podcast.canstream.co.uk (/etc/httpd/conf.d/podcast.canstream-le-ssl.conf:2)
alias www.podcast.canstream.co.uk
port 443 namevhost podcasts.canstream.co.uk (/etc/httpd/conf.d/podcasts.canstream-le-ssl.conf:2)
alias www.podcasts.canstream.co.uk
alias canstream.co.uk
alias www.canstream.co.uk
port 443 namevhost podcasts.commedia.org.uk (/etc/httpd/conf.d/podcasts.commedia-le-ssl.conf:2)
alias www.podcasts.commedia.org.uk
port 443 namevhost podgraph.canstream.co.uk (/etc/httpd/conf.d/podgraph-le-ssl.conf:2)
port 443 namevhost listen-again.ujimaradio.com (/etc/httpd/conf.d/ujima-le-ssl.conf:2)
wildcard NameVirtualHosts and default servers:
*:443 is a NameVirtualHost
default server listenagain.canstream.co.uk (/etc/httpd/conf.d/aaa-ssl.conf:77)
port 443 namevhost listenagain.canstream.co.uk (/etc/httpd/conf.d/aaa-ssl.conf:77)
alias www.listenagain.canstream.co.uk:443
alias listenagain.canstream.co.uk
port 443 namevhost listenagain.canstream.co.uk (/etc/httpd/conf.d/ssl.conf:74)
Syntax OK

1 Like

@JuergenAuer - do you think I need to expand the certificate of a working domain to include that of podcasts.canstream.co.uk?

Revoke the non-working cert and then expand with something like this:

./certbot-auto --expand -d existing.com -d example.com -d newdomain.com

Thanks in advance.

1 Like

There you see the problem.

You don’t have a port 80 vHost with the two domain names you have used in your command. So split that vHost.

Same with your port 443: there are two vHosts with the same domain name podcasts.canstream.co.uk; remove the alias from the long domain name list.

Change that, then run apachectl -S again to see if all duplicated entries are removed. Every combination of port and domain name must be unique.

If this is done, try

./certbot-auto --reinstall -i apache -d podcasts.canstream.co.uk -d www.podcasts.canstream.co.uk

Certbot should find the existing certificate and should install it.

3 Likes
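The uniqueness rule above can be checked mechanically. This is an added example (not code from the thread or from certbot): it parses a constructed excerpt modelled on the `apachectl -S` listing posted earlier and reports every port/hostname pair that more than one vHost claims, which is exactly where Apache may answer from the wrong vHost and present the wrong certificate. The helper names and the sample text are my own.

```python
# Added example (not from the thread): find duplicate port/name pairs in
# `apachectl -S` output. Every port + hostname combination must be unique;
# otherwise Apache answers from the first matching vhost and may present the
# wrong certificate, which is the name mismatch the original post reports.
import re
from collections import defaultdict

# Constructed excerpt modelled on the thread's apachectl -S listing.
SAMPLE = """\
VirtualHost configuration:
195.10.228.11:443 is a NameVirtualHost
default server canstream.co.uk (/etc/httpd/conf.d/canstream-le-ssl.conf:2)
port 443 namevhost canstream.co.uk (/etc/httpd/conf.d/canstream-le-ssl.conf:2)
alias www.canstream.co.uk
port 443 namevhost catchup.canstream.co.uk (/etc/httpd/conf.d/catchup-le-ssl.conf:2)
alias podcasts.canstream.co.uk
alias www.podcasts.canstream.co.uk
port 443 namevhost podcasts.canstream.co.uk (/etc/httpd/conf.d/podcasts.canstream-le-ssl.conf:2)
alias www.podcasts.canstream.co.uk
alias canstream.co.uk
"""

VHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((\S+)\)")
ALIAS_RE = re.compile(r"^\s*alias (\S+)")


def parse_vhosts(text):
    """Map (port, name) -> list of config locations claiming that name."""
    claims = defaultdict(list)
    port = where = None
    for line in text.splitlines():
        m = VHOST_RE.match(line)
        if m:
            port, name, where = m.groups()
            claims[(port, name)].append(where)
        elif port is not None:
            m = ALIAS_RE.match(line)
            if m:  # an alias belongs to the most recent namevhost line
                claims[(port, m.group(1))].append(where)
    return dict(claims)


def duplicates(text):
    """Only the (port, name) pairs defined by more than one vhost."""
    return {k: v for k, v in parse_vhosts(text).items() if len(v) > 1}


if __name__ == "__main__":
    for (port, name), files in sorted(duplicates(SAMPLE).items()):
        print(f"port {port} {name}: {', '.join(files)}")
```

Run it against `apachectl -S | python3 this_script.py` style output by replacing SAMPLE with sys.stdin.read(); an empty result means every port/name pair is unique and certbot's --reinstall can pick the right vHost.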

Many thanks @JuergenAuer.

I’ll try this now and report back.

A hundred thanks!

1 Like

Thank you @JuergenAuer - it worked!

I had got in a mess with all the vhosts…

I just needed to delete where the domains had been repeated unnecessarily.

I didn’t even need to do the following in the end:

I hope to be as helpful to someone else as you have been to me today 👍🍻

5 Likes