RESOLVED: NET::ERR_CERT_COMMON_NAME_INVALID for Chrome not Firefox

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: neutralparadox.dev

I ran this command:

visited https://neutralparadox.dev on Firefox, Safari and Chrome

It produced this output:

Chrome: NET::ERR_CERT_COMMON_NAME_INVALID
Firefox: works fine.
Safari: works fine.

My web server is (include version):

nginx(1.22.1)

The operating system my web server runs on is (include version): Debian 12

My hosting provider, if applicable, is: Domain through Google Domains. DNS servers from Digital Ocean

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

Not currently using a control panel

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Certbot 2.6.0

Hi @HighAltitudeNoChutes, and welcome to the LE community forum :slight_smile:

Check with the HSP.
The site isn't serving a cert for that name:
SSL Server Test: neutralparadox.dev (Powered by Qualys SSL Labs)

2 Likes

This looks fine to me.

❯ echo | openssl s_client neutralparadox.dev:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = neutralparadox.dev
verify return:1
---
Certificate chain
 0 s:CN = neutralparadox.dev
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 18:24:54 2023 GMT; NotAfter: Dec  3 18:24:53 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
subject=CN = neutralparadox.dev
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4137 bytes and written 400 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
1 Like

Because you are getting a different [updated] DNS response.

It seems that DNS was recently changed and the global TTL hasn't expired yet.

5 Likes

Compare:
image
with:

nslookup neutralparadox.dev ns1.digitalocean.com
Name:    neutralparadox.dev
Address: 159.89.185.206
6 Likes

Does Chrome cache DNS queries? Just closed Chrome and it works now. Thanks for the quick responses and the help!

Thanks Again.

1 Like

Both presently show an IPv4 Address of 159.89.185.206
https://unboundtest.com/m/A/neutralparadox.dev/J2L3PSFF
https://letsdebug.net/neutralparadox.dev/1602149?debug=y

2 Likes

Your O/S might.
Most DNS systems do.

5 Likes

Just as an odd update. When I closed and opened Chrome, it worked. But then I refreshed the page and it's back. I wonder if there is a DNS conflict somewhere. I just got the site last night and set up the server at the same time.

Show this output:

2 Likes

Still seeing mixed DNS responses from around the world using this online tool https://check-host.net/
Permanent link to this check report

Wtf.

❯ delv ns neutralparadox.dev
; unsigned answer
neutralparadox.dev.     1037    IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     1037    IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     1037    IN      NS      ns3.digitalocean.com.

~
❯ delv ns neutralparadox.dev +short
ns1.expiereddnsmanager.com.
ns2.expiereddnsmanager.com.

~
❯ delv ns neutralparadox.dev +short
ns1.expiereddnsmanager.com.
ns2.expiereddnsmanager.com.

~
❯ delv ns neutralparadox.dev
; unsigned answer
neutralparadox.dev.     1800    IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     1800    IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     1800    IN      NS      ns3.digitalocean.com.

~
❯ delv +short ns neutralparadox.dev
ns1.digitalocean.com.
ns2.digitalocean.com.
ns3.digitalocean.com.

~
❯ delv ns neutralparadox.dev
; unsigned answer
neutralparadox.dev.     1744    IN      NS      ns1.expiereddnsmanager.com.
neutralparadox.dev.     1744    IN      NS      ns2.expiereddnsmanager.com.

~
❯ delv ns neutralparadox.dev
; unsigned answer
neutralparadox.dev.     959     IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     959     IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     959     IN      NS      ns3.digitalocean.com.

3 Likes

@HighAltitudeNoChutes you introduced a typo. :wink:

(I should not be using fish as a shell... but this is a phone. :D)

~
❯ for ns in $(dig +short ns dev)
      echo $ns ;
      dig @$ns  ns neutralparadox.dev ;
  end
ns-tld5.charlestonroadregistry.com.

; <<>> DiG 9.16.41 <<>> @ns-tld5.charlestonroadregistry.com. ns neutralparadox.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42763
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;neutralparadox.dev.            IN      NS

;; AUTHORITY SECTION:
neutralparadox.dev.     10800   IN      NS      ns3.digitialocean.com.
neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.

;; Query time: 163 msec
;; SERVER: 216.239.60.105#53(216.239.60.105)
;; WHEN: Tue Sep 05 01:31:32 CEST 2023
;; MSG SIZE  rcvd: 131

ns-tld2.charlestonroadregistry.com.

; <<>> DiG 9.16.41 <<>> @ns-tld2.charlestonroadregistry.com. ns neutralparadox.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48543
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;neutralparadox.dev.            IN      NS

;; AUTHORITY SECTION:
neutralparadox.dev.     10800   IN      NS      ns3.digitialocean.com.
neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.

;; Query time: 76 msec
;; SERVER: 216.239.34.105#53(216.239.34.105)
;; WHEN: Tue Sep 05 01:31:32 CEST 2023
;; MSG SIZE  rcvd: 131

ns-tld3.charlestonroadregistry.com.

; <<>> DiG 9.16.41 <<>> @ns-tld3.charlestonroadregistry.com. ns neutralparadox.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28708
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;neutralparadox.dev.            IN      NS

;; AUTHORITY SECTION:
neutralparadox.dev.     10800   IN      NS      ns3.digitialocean.com.
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.

;; Query time: 120 msec
;; SERVER: 216.239.36.105#53(216.239.36.105)
;; WHEN: Tue Sep 05 01:31:32 CEST 2023
;; MSG SIZE  rcvd: 131

ns-tld1.charlestonroadregistry.com.

; <<>> DiG 9.16.41 <<>> @ns-tld1.charlestonroadregistry.com. ns neutralparadox.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58173
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;neutralparadox.dev.            IN      NS

;; AUTHORITY SECTION:
neutralparadox.dev.     10800   IN      NS      ns3.digitialocean.com.
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.

;; Query time: 93 msec
;; SERVER: 216.239.32.105#53(216.239.32.105)
;; WHEN: Tue Sep 05 01:31:32 CEST 2023
;; MSG SIZE  rcvd: 131

ns-tld4.charlestonroadregistry.com.

; <<>> DiG 9.16.41 <<>> @ns-tld4.charlestonroadregistry.com. ns neutralparadox.dev
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16767
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;neutralparadox.dev.            IN      NS

;; AUTHORITY SECTION:
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns3.digitialocean.com.

;; Query time: 76 msec
;; SERVER: 216.239.38.105#53(216.239.38.105)
;; WHEN: Tue Sep 05 01:31:32 CEST 2023
;; MSG SIZE  rcvd: 131
5 Likes
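
Added example, not part of any post in this thread: a POSIX shell check that compares the NS set the TLD servers delegate to with the NS set the zone itself publishes, which is the mismatch the `dig` output above exposes. The function names are hypothetical, the parent sample is copied from the thread, and the child sample is constructed.

```shell
#!/bin/sh
# Added example: find NS names the parent (TLD) zone delegates to that the
# zone itself does not publish, e.g. a typo entered at the registrar.

# Read dig-style output on stdin; print the NS targets for zone $1, lowercased.
ns_targets() {
    awk -v zone="$1." 'tolower($1) == zone && $4 == "NS" { print tolower($5) }' | sort -u
}

# $1 zone, $2 dig output from a TLD server, $3 dig output from the zone's own server.
# Prints each delegated name that is missing from the zone's own NS set.
delegation_mismatch() {
    parent_set=$(printf '%s\n' "$2" | ns_targets "$1")
    child_set=$(printf '%s\n' "$3" | ns_targets "$1")
    for ns in $parent_set; do
        printf '%s\n' "$child_set" | grep -qxF "$ns" || printf '%s\n' "$ns"
    done
}

# AUTHORITY section as returned by the .dev TLD servers in the thread.
PARENT_SAMPLE='
;; AUTHORITY SECTION:
neutralparadox.dev.     10800   IN      NS      ns3.digitialocean.com.
neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.'

# Constructed sample: the NS set the zone's own name servers are assumed to serve.
CHILD_SAMPLE='
;; ANSWER SECTION:
neutralparadox.dev.     1800    IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     1800    IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     1800    IN      NS      ns3.digitalocean.com.'

# Offline run on the samples; prints the delegated name the zone does not list.
delegation_mismatch neutralparadox.dev "$PARENT_SAMPLE" "$CHILD_SAMPLE"

# Live use (needs network), same functions:
#   tld_ns=$(dig +short ns dev | head -n 1)
#   parent=$(dig +norecurse @"$tld_ns" ns neutralparadox.dev)
#   child=$(dig +norecurse @ns1.digitalocean.com ns neutralparadox.dev)
#   delegation_mismatch neutralparadox.dev "$parent" "$child"
```

Any name this prints is a host the registry sends resolvers to that the zone owner never listed, so it should be corrected at the registrar.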

Hawk :eyes: !
Nice catch :slight_smile:

4 Likes

Thought this would resolve on its own, so I walked away for a bit. Thanks for the catch! Fixed the typo and it might be all good.

Thanks Again!

1 Like

Looks good from here:

neutralparadox.dev.     10800   IN      NS      ns1.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns2.digitalocean.com.
neutralparadox.dev.     10800   IN      NS      ns3.digitalocean.com.
3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.