"requested domain name does not match the server's certificate"


#1

NB: I have replaced the dot (.) in domain names below with a comma (,) so it would allow me to post this. Apparently, new users can only post two links in a post! Actually, they are not links, just examples, which sort of makes asking a question about SSL on a domain difficult, but never mind. So the commas are not typos and are not in my actual setup.

I am getting the above message when attempting to access my site via SSL. I am at a loss trying to figure out a fix.

Basically I have a set of domains, say:
www,example,com
example,com
mail,example,com

I am using letsencrypt-auto to create certificates to use in nginx server. I have used the following:

sudo ./letsencrypt-auto certonly --webroot -w /var/www/example/ -d www,example,com -d example,com -d mail,example,com

Certificates are created and I link these into nginx:

server_name www,example,com example,com mail,example,com;
ssl_certificate /etc/letsencrypt/live/www,example,com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www,example,com/privkey.pem;

All would appear to be well … but, when I try it in the browser, I get: “requested domain name does not match the server’s certificate”. On closer inspection the certificate issued to the browser is for another domain set on my server (say example,org, www,example,org, …etc). I am at a loss as to where this info is coming from and how it is getting into the certificate for the other domain.

I originally tried to use the nginx plugin but it didn’t work for me. Perhaps something got set when I did this that is now stopping me issuing certificates correctly? The irony is that the domain, which is cross-contaminating is now on another server.

I need to issue a series of separate certificates on this server; I assume this is possible?

Does anyone know what may be causing this and how I can work round it?


#2

I’d start with something like:

grep -r "ssl_certificate" /etc/nginx

And then review all files that show up, to make sure nginx isn’t accidentally picking the wrong server block for your domain (for example because of a wildcard in a server_name somewhere else or something like that).


#3

Thanks, none of the config items look suspect. The only certificates being used are the ones described above.

I have done some further investigation by inspecting the actual keys, so:

sudo openssl x509 -in /etc/letsencrypt/live/www,example,com/fullchain.pem -text -noout

The result looks good, www,example,com and no mention of the other domain. I then checked the certificate the browser claims to have received and it looks the same as the one on the server. So all good, except the browser is claiming it does not match.

Also, tried on my iPad to see if it was just an issue with my laptop and get the same bug.

The iPad is actually giving me more info. It claims the certificate was issued by startssl. It is possible there was previously an unused startssl certificate (for the other domain) but I cannot see anything in nginx config where it is being used. In fact the server has been rebuilt since then so it is difficult to see where it might be coming from.

Could there be another certificate linked to the IP not being issued by our server, which is causing this (i.e. out there on the Internet)? Sorry, I am new to SSL, so my knowledge is a bit patchy.

Anyone have any suggestions on how to fix this or encountered a similar bug?

Thanks


#4

Are you happy to provide your domain name, so we can check it?

When the browser says it doesn’t match the domain name, what domain does that cert say it’s for? Does that give some clues as to where it’s loaded?


#5

The certificate is something the server sends to the client, as defined in your configuration. Other certificates that you might have used in the past wouldn’t have any effect - the browser would have no way of knowing about it.

Are you sure you’re connecting to the correct (i.e. new) server? Maybe some old server is still up and running and the IP address is still cached in your DNS or browser? If you’re positive that you’re connecting to the correct server, that nginx is serving your HTTPS traffic and that there’s no reference to another certificate anywhere in your nginx config, I’m not sure what’s causing this. Are you serving your site from behind some CDN (e.g. CloudFlare) by any chance?


#6

Yes, no problem. It is currently on a very old site (that did not have SSL) but I intend creating a number of certificates for domains on this server.

https://driveandsucceed.co.uk

Thanks


#7

The cert is for hollybush.cc - which looks to be also hosted on the same server. I’d suspect in the config this domain is listening on port 443 with a wildcard “*” rather than a hostname, hence when you go to the server on https it picks this SSL config first. Does that give some pointers as to where to check in your server config?
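The nginx-side situation #7 describes, as an added example (this is not the poster’s configuration; the domain names and certificate paths are placeholders). nginx chooses the server block for an HTTPS connection by the SNI name the client sends; when no server_name matches, or the client sends no SNI at all, the default server for that listen socket answers and hands out its own certificate. Unless a block is marked default_server, the default is simply the first block that listens on 443 in configuration order, so the certificate of one site can be served for a request meant for another:

```nginx
# Weak: no default_server on port 443. Whichever of these blocks nginx reads
# first (file order in conf.d/ or sites-enabled/) answers every HTTPS request
# whose SNI name matches nothing, and serves *its* certificate for it.
server {
    listen 443 ssl;
    server_name www.example.org example.org;
    ssl_certificate     /etc/letsencrypt/live/www.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.org/privkey.pem;
}

server {
    listen 443 ssl;
    server_name www.example.com example.com mail.example.com;
    ssl_certificate     /etc/letsencrypt/live/www.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.example.com/privkey.pem;
}

# Corrected: an explicit catch-all owns the default for port 443 and refuses
# the handshake (ssl_reject_handshake needs nginx 1.19.4 or later) instead of
# answering with another site's certificate. On older nginx, give this block a
# self-signed placeholder certificate so that the real ones are never leaked.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
```

To find out which block currently wins, extend the grep from #2 to the listen lines, `grep -rn 'ssl_certificate\|listen.*443' /etc/nginx`, and test the no-SNI case directly with `openssl s_client -connect host:443` without `-servername`; the certificate that comes back is the one the default server holds.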


#8

Yes, I am looking into this myself. Actually it is on a different server but I think maybe SSL traffic is not being routed correctly by our firewall.

Thanks


#9

Thanks, yes, that pointed me in the right direction.

We have a few different servers and IP addresses. Basically SSL traffic was all being pushed to one server. We never noticed this before as this was the only server that had SSL sites on it! A quick re-ordering of rules in the firewall has fixed it.

Thanks, everyone for your patience and help.
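The checks suggested in #2, #3, #5 and #7, and the outcome in #9, as one added diagnostic script (this is not code from the thread; it assumes openssl and getent are installed, and the hostname, address and certificate path are placeholders). It fetches the certificate that port 443 at the resolved address actually returns, which is what the browser judges, and compares its SHA-256 fingerprint with the fullchain.pem nginx is configured to serve. A different fingerprint means the request is being answered by another server block or, as in #9, by another host altogether; a matching fingerprint whose SANs do not cover the name means the certificate itself is wrong. The hostname comparison implements the rule browsers apply (exact SAN or a single-label wildcard):

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts). Assumes
# openssl and getent are installed; hostnames, IPs and paths are placeholders.
set -e

# DNS names in the certificate's subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/.*DNS:\([^ ]*\).*/\1/p'
}

# SHA-256 fingerprint of a PEM certificate, for exact comparison of two copies.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 if the certificate covers HOST: an exact SAN match, or a single-label
# wildcard (*.example.com covers www.example.com, but neither example.com nor
# a.b.example.com). This is the comparison behind the browser's error message.
cert_matches_host() {
    local cert="$1" host="$2" san suffix label rest
    for san in $(cert_sans "$cert"); do
        [ "$san" = "$host" ] && return 0
        case "$san" in
            "*."*)
                suffix=${san#"*."}
                label=${host%%.*}
                rest=${host#*.}
                if [ "$label" != "$host" ] && [ -n "$label" ] && [ "$rest" = "$suffix" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# Save, as PEM, the leaf certificate served for HOST ($1) at IP ($2):443,
# sending HOST as SNI exactly as a browser would. Output file is $3.
fetch_served_cert() {
    openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# Resolve HOST, fetch what port 443 at that address really serves, and compare
# it with LOCAL_CERT (the fullchain.pem named in the nginx server block).
diagnose() {
    local host="$1" local_cert="$2" ip served
    ip=$(getent ahostsv4 "$host" | awk 'NR == 1 { print $1 }')
    served=$(mktemp)
    fetch_served_cert "$host" "$ip" "$served"
    echo "DNS:      $host -> $ip"
    echo "served:   $(cert_fingerprint "$served")"
    echo "          SANs: $(cert_sans "$served" | tr '\n' ' ')"
    echo "on disk:  $(cert_fingerprint "$local_cert")"
    echo "          SANs: $(cert_sans "$local_cert" | tr '\n' ' ')"
    if [ "$(cert_fingerprint "$served")" != "$(cert_fingerprint "$local_cert")" ]; then
        echo "MISMATCH: $ip:443 is not answered by the server block that holds $local_cert."
        echo "  nginx side: grep -rn 'ssl_certificate\|listen.*443' /etc/nginx"
        echo "  network side: does the firewall/NAT send port 443 to the same host as port 80?"
        rm -f "$served"
        return 1
    fi
    if ! cert_matches_host "$served" "$host"; then
        echo "NO MATCH: the expected certificate is served but does not cover $host"
        rm -f "$served"
        return 1
    fi
    rm -f "$served"
    echo "OK: $host is answered with the expected certificate"
}

# Usage: sh check_tls_host.sh www.example.com /etc/letsencrypt/live/www.example.com/fullchain.pem
if [ $# -eq 2 ]; then
    diagnose "$1" "$2"
fi
```

Run it once on the web server itself and once from a machine outside the network; if the two runs disagree, something on the path between them (a firewall rule, NAT, a CDN) is answering port 443 differently from port 80, which is exactly the case #9 found and which no amount of nginx configuration would have fixed.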

