SAN: domain name mismatch (Android 2 / Windows XP)

I am using a SAN certificate to provide support for Android 2 and Windows XP. I was already using Comodo certificates and it was working nicely. I tried to switch to LE but now I am getting an error about an incorrect domain name (screenshot -

Server config is the same (I used certonly and installed the certificate manually) and when I decode the old (Comodo) and new (LE) certificates, I can’t see any difference (except for signature etc.).

The browser is getting the correct certificate, but it is ignoring the alternative domains.

Any ideas what I am doing wrong? Live example: (only without SNI - modern browsers are getting a different certificate)

Could you show a shot of your browser showing the correct cert, including the SAN?
Because you say that the browser is getting the correct one…
I don't have such old stuff to test it myself.

hmm… now the question is: does IE8 on XP even recognize SAN?

WinXP is quite some old stuff and, similar to Android 2, it’s going down, slowly, but for sure.
According to the Android stuff there’s like 4% of Android devices active with <4.0

Well, WinXP pre-SP3 doesn’t support SHA256-based SSL certificates, nor does Android <2.3

So could it be the old Comodo certificate was issued with SHA1?

For WinXP try using the latest Firefox browser and double check

Well yeah, even for WinXP at least Firefox should do SHA256 certs and even SNI, because it doesn't rely on any system components for that matter…

Well, can a server actually serve different certs based on the operating system/browser of the user? At least I see with FF42 on W8.1 a SHA256 cert

Believe Cloudflare does that? BoringSSL supports equal-preference SSL ciphers/SSL certs, but not many web servers use BoringSSL as opposed to OpenSSL or LibreSSL.

The Wikimedia Foundation has patched Nginx for multiple SSL certificate support; see Multiple certificate support revisited. So hoping Nginx would merge such patches eventually :)

We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1
package. Most of the porting was trivial (offsets / whitespace /
etc). There were a couple of slightly more substantial issues around
the newer OCSP Stapling valid-timestamp checking, and the porting of
the general multi-cert work to the newer stream modules. The
ported/updated variant of the patches we're running is available here
in our repo:

Our configuration uses a pair of otherwise-identical RSA and ECDSA
keys and an external OCSP ssl_stapling_file (certs are from
GlobalSign, chain/OCSP info is identical in the pair). Our typical
relevant config fragment in the server section looks like this:

ssl_certificate /etc/ssl/localcerts/;
ssl_certificate_key /etc/ssl/private/;
ssl_certificate /etc/ssl/localcerts/;
ssl_certificate_key /etc/ssl/private/;
ssl_stapling on;
ssl_stapling_file /var/cache/ocsp/unified.ocsp;

I am testing on Windows XP SP3 with IE8. It does support SHA256 and SAN.

I doubt that SHA is the problem here - the error message would be different. It doesn’t have a problem with the signature but only with domain identification.

SAN (on Cloudflare)

SHA256 - Comodo without SAN but on the same host (different IP) as my LE SAN certificate

SSLLabs reports for 2 IPs on Amazon EC2: 1 IP covers the non-www and www versions, but the other IP only covers the www version of the domain, without non-www coverage

SSLLabs is always testing the SNI certificate.

How did you build so many DNS names?
I tried a lot of ways, not possible.

I just passed them all as arguments to letsencrypt. But there is probably some problem with the created CSR and I will try to generate the CSR manually.

Can you give an example? I tried many times; it will not work.
For example: and these two domain names, with a CSR, in one cert.

You can pass multiple domains to the client with -d domain1 -d domain2, etc.
Full example with webroot:

letsencrypt-auto certonly -a webroot --webroot-path /var/www/html -d -d

I copied your certificate to My Computer (WinXP SP3).
Then display something like this:

Meaning: "The name of the certificate is invalid; this name is not included in the allow list or is directly excluded."
However, there is no problem on a Win7 system.

This may be something the operating system does not support.

Windows XP SP3 definitely supports SAN certificates (see screenshots above). But for some reason it has a problem with the SAN certificate from LE.

I fully agree with this

Feels like a problem with the interpretation of Name Constraints in Windows XP…
Just found a blog post about it…
So… I am not sure if we need to reissue a new root cert if we need to support XP…
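To make the two checks being discussed concrete, here is an added example (not code from this thread, from Let's Encrypt, or from any client) that models what a TLS client does with a certificate's names: first it applies any Name Constraints carried by the issuing CAs to every dNSName in the leaf (a name that falls in an excluded subtree or outside every permitted subtree produces exactly the kind of "not in the permitted list or explicitly excluded" error quoted above), then it matches the requested hostname against the subjectAltName list, ignoring the subject CN whenever a SAN is present. The certificate and constraint values are constructed for illustration and are not Let's Encrypt's real chain; the leading-dot "subdomains only" form of a DNS constraint follows the OpenSSL convention and is an assumption of this example.

```python
"""Added example: name checks a TLS client runs on a server certificate.

1. Hostname matching against subjectAltName dNSName entries (RFC 6125):
   when a SAN extension is present the subject CN is ignored entirely.
2. Name Constraints (RFC 5280 section 4.2.1.10) from an issuing CA,
   applied to every dNSName in the leaf.

Pure Python, no dependencies. All certificate and constraint values are
constructed for illustration, not taken from any real CA.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Cert:
    """Only the fields that matter for name checks."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)


@dataclass
class NameConstraints:
    """dNSName permitted/excluded subtrees from an issuer certificate."""
    permitted_dns: List[str] = field(default_factory=list)
    excluded_dns: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 DNS subtree: base 'example.com' covers itself and any
    subdomain. A base with a leading dot ('.example.com') covers only
    subdomains; that is the OpenSSL convention, assumed here."""
    name, base = _norm(name), _norm(base)
    if base == "":
        return True  # an empty base constrains nothing
    if base.startswith("."):
        return name.endswith(base)
    return name == base or name.endswith("." + base)


def _pattern_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a wildcard that replaces the whole left-most label."""
    if "*" not in pattern:
        return pattern == hostname
    head, dot, tail = pattern.partition(".")
    if head != "*" or not dot or "*" in tail:
        return False  # partial-label or multi-wildcard patterns are rejected
    h_head, h_dot, h_tail = hostname.partition(".")
    return bool(h_head) and bool(h_dot) and h_tail == tail


def hostname_matches(cert: Cert, hostname: str) -> bool:
    """RFC 6125 rule: if any SAN dNSName exists, only the SAN is consulted;
    the subject CN is a fallback for SAN-less certificates only."""
    hostname = _norm(hostname)
    candidates = cert.san_dns if cert.san_dns else (
        [cert.subject_cn] if cert.subject_cn else [])
    return any(_pattern_matches(_norm(p), hostname) for p in candidates)


def name_constraints_violation(cert: Cert, nc: NameConstraints) -> Optional[str]:
    """Return the first leaf dNSName that violates the issuer's constraints,
    or None when every name is acceptable. Excluded subtrees win over
    permitted ones, and an empty permitted list means 'no restriction'."""
    for name in cert.san_dns:
        if any(dns_in_subtree(name, b) for b in nc.excluded_dns):
            return name
        if nc.permitted_dns and not any(
                dns_in_subtree(name, b) for b in nc.permitted_dns):
            return name
    return None


def check_server_cert(cert: Cert, hostname: str,
                      chain_constraints: List[NameConstraints]) -> Tuple[bool, str]:
    """Combine both checks the way a client does: constraints from every CA
    in the chain are applied to the leaf, then the hostname is matched."""
    for nc in chain_constraints:
        bad = name_constraints_violation(cert, nc)
        if bad is not None:
            return False, f"name constraint violated by {bad}"
    if not hostname_matches(cert, hostname):
        return False, f"{hostname} not in certificate names"
    return True, "ok"


if __name__ == "__main__":
    # Constructed leaf: CN plus three SAN entries, as a multi-domain cert has.
    leaf = Cert("example.com", ["example.com", "www.example.com", "*.shop.example.net"])
    # Constructed issuer constraint (hypothetical CA, not any real chain).
    ca = NameConstraints(permitted_dns=["example.com"])
    print(check_server_cert(leaf, "www.example.com", []))    # (True, 'ok')
    print(check_server_cert(leaf, "www.example.com", [ca]))  # constraint failure
```

The second call in the `__main__` block is the interesting one: the hostname is present in the SAN, yet the certificate is still rejected because another SAN entry falls outside the CA's permitted subtree. That is why a client can report a "name" error on a certificate whose SAN list looks correct when decoded.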


Windows XP is slowly dying, but the problem also affects Android 2, which still has a significant market share (bigger in markets like China or India)