RSA server certificate CommonName (CN) does NOT match server name

Help
1

Hi, my certificate seems not working.
Checking the ssl_error_log I find the message:" [warn] RSA server certificate CommonName (CN) `hostname (the hostname of the server?!)’ does NOT match server name!? "
So I decoded the “/etc/pki/tls/certs/localhost.crt” file. In the Common Name field I find my hostname. I expected my domain.
Tanks a lot.
Pietro
My domain is: www.pietro-onesti.cloud

I ran this command:

It produced this output:

My web server is (include version): Apache/2.2.15

The operating system my web server runs on is (include version): CentOS release 6.9 (Final)

My hosting provider, if applicable, is: Aruba

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.3.0

2

As far as I know, that's just a self signed certificate put there by CentOS (and probably other distributions too). It's not for actual use.

I can see you've already got a Let's Encrypt certificate issued in March. You say you've used certbot.

A few things:

  • what exact command did you use with certbot to get that certificate?
  • your webserver returns a "No route to host" error on port 443 (but not on port 80): is your webserver running a HTTPS virtualhost? Or is this a firewall issue perhaps?
  • your certificates (the current symbolic links anyway) can be found in /etc/letsencrypt/live/nameofcertificate/
  • you only got a certificate for www.pietro-onesti.cloud without the base domain. If someone might forget the www, they'll get a certificate error, because you haven't added pietro-onesti.cloud to the certificate. You might want to reissue your certificate and add the base domain.
3

Tanks a lot for your kind answer.

  1. wget https://dl.eff.org/certbot-auto
    sudo mv certbot-auto /usr/local/bin/certbot-auto
    sudo chown root /usr/local/bin/certbot-auto
    sudo chmod 0755 /usr/local/bin/certbot-auto
  2. at the bottom of http.conf there is a line “Include /etc/httpd/conf/httpd-le-ssl.conf”, this file contains:

    <VirtualHost 94.177.176.14:443 >
    ServerAdmin pietro.onesti@gmail.com
    DocumentRoot /var/www/html/pietro-onesti
    ServerName www.pietro-onesti.cloud
    ErrorLog logs/pietro-onesti.cloud_error_log
    CustomLog logs/pietro-onesti.cloud-access_log common
    SSLCertificateFile /etc/letsencrypt/live/www.pietro-onesti.cloud/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.pietro-onesti.cloud/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    SSLCertificateChainFile /etc/letsencrypt/live/www.pietro-onesti.cloud/chain.pem


    which I supposed was the https virtual host.
    Tanks. Pietro
4

I'm guessing everything works from your end then?

In any case, it still doesn't work from my end: still getting a no route to host on port 443 (while port 80 works fine and ping works too..). Perhaps a firewall in between blocking port 443?

5

Tanks again,
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
but still the same
I’m becoming crazy…

6

It could be there's currently another rule blocking the requests, adding one after that one doesn't help.

IMHO it really is a firewall issue. When I traceroute your server with different options, I'm getting different replies:

Standard traceroute www.pietro-onesti.cloud:

...
13  host14-176-177-94.serverdedicati.aruba.it (94.177.176.14)  61.171 ms !X  62.718 ms !X  61.408 ms !X

(Notice the !X, which means "communication administratively prohibited" is replied by the server)

However, port 80 works fine (sudo traceroute -T -p 80 www.pietro-onesti.cloud):

(...)
13  host14-176-177-94.serverdedicati.aruba.it (94.177.176.14)  57.665 ms  56.835 ms  56.652 ms

Notice the absence of the !X marks.

Port 22 works too (sudo traceroute -T -p 22 www.pietro-onesti.cloud):

(...)
13  host14-176-177-94.serverdedicati.aruba.it (94.177.176.14)  56.593 ms  57.875 ms  54.742 ms

However, when I try port 443 (sudo traceroute -T -p 443 www.pietro-onesti.cloud):

(...)
13  host14-176-177-94.serverdedicati.aruba.it (94.177.176.14)  61.747 ms !X  62.057 ms !X  63.501 ms !X

There are those pesky !X marks again!

So to me it tells a firewall is still blocking port 443 somewhere.

7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.