Seeing PEM encoded chain in ERR_CER_COMMON message, what does this mean?

My hosting provider, if applicable, is:
Heroku

I can login to a root shell on my machine (yes or no, or I don’t know):
No

Made a cert with www.mydomain.test. https://www.mydomain.test works fine, just that when I am testing the root domain I get https:// failures.

NET::ERR_CERT_COMMON_NAME_INVALID

Subject: www.mydomain.text
Issuer: Let's Encrypt Authority X3
Expires on: 24 Feb 2017
Current date: 27 Nov 2016
PEM encoded chain: -----BEGIN CERTIFICATE-----
MIIFBDCCA+ygAwIBAgISA0tf04WajytXq+n9GjZ9k7CBMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
RUnbMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEB
BGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMBsGA1UdEQQUMBKCEHd3dy5tb29kbm90ZXMubWUwgf4GA1UdIASB9jCB
8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

What does this mean and did we screw up somewhere with the cert returning this?

Lastly, for setting up with the root domain, do we just create another cert with the root domain? Or would there be some application specific way to do this? Since this is not a wildcard cert, how does the community approach it?

Yes, probably the certificate is for the wrong name or names. The most common cause here is that you have a certificate just for www.example.com and that’s not valid for example.com because it’s a different name. Humans think they’re basically the same, but machines do not. You can ask Let’s Encrypt for up to 100 names in the certificate; you will be able to pass the challenges (to prove you control the name) much the same for example.com as for www.example.com.

If you use the “certbot” tool to get certificates and now realise you need extra names in the certificate, check the --expand flag in the documentation for how to add names in an easy to understand way.

If it’s not a missing name, the next thing is to inspect the names on the certificate and the name you typed into the browser carefully to check they’re really the same - in your comment here you wrote sometimes “.test” and sometimes “.text” and of course those are different and it matters in a real system, so check carefully.

2 Likes
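The name check that produces NET::ERR_CERT_COMMON_NAME_INVALID, as an added example (not code from the thread or from Let’s Encrypt). It implements the usual browser rules: the hostname must equal one of the certificate’s DNS names case-insensitively, and a wildcard is only honoured as the whole leftmost label and covers exactly one label, so neither www.example.test nor *.example.test covers the bare example.test. The certificate names are assumed to be the Subject Alternative Name entries, and example.test is a constructed name.

```python
"""Hostname-vs-certificate name matching (RFC 6125 style), as browsers apply it."""


def _split_labels(name: str) -> list[str]:
    # Comparison is case-insensitive; a trailing dot on the hostname is ignored.
    return name.lower().rstrip(".").split(".")


def name_covers_host(cert_name: str, hostname: str) -> bool:
    """True if a single certificate DNS name covers hostname."""
    cert_labels = _split_labels(cert_name)
    host_labels = _split_labels(hostname)
    if "*" not in cert_name:
        return cert_labels == host_labels
    # Wildcard rules: only the entire leftmost label may be "*", it must be
    # followed by at least two more labels, and it stands in for exactly one label.
    if cert_labels[0] != "*" or any("*" in label for label in cert_labels[1:]):
        return False
    if len(cert_labels) < 3:
        return False
    return len(host_labels) == len(cert_labels) and host_labels[1:] == cert_labels[1:]


def hostname_matches(hostname: str, cert_names: list[str]) -> bool:
    """True if any name on the certificate covers hostname."""
    return any(name_covers_host(name, hostname) for name in cert_names)


def browser_verdict(hostname: str, cert_names: list[str]) -> str:
    """What the browser would report for this hostname against these certificate names."""
    return "OK" if hostname_matches(hostname, cert_names) else "NET::ERR_CERT_COMMON_NAME_INVALID"


def missing_names(wanted_hosts: list[str], cert_names: list[str]) -> list[str]:
    """Hostnames you serve that the certificate does not cover, i.e. what --expand would add."""
    return [host for host in wanted_hosts if not hostname_matches(host, cert_names)]


if __name__ == "__main__":
    cert_names = ["www.example.test"]  # constructed: a certificate issued for the www name only
    for host in ["www.example.test", "WWW.EXAMPLE.TEST", "example.test"]:
        print(f"{host:18s} -> {browser_verdict(host, cert_names)}")
    print("names to add:", missing_names(["example.test", "www.example.test"], cert_names))
```

Running it shows the www name passing, the same name in capitals passing, and the bare domain failing; missing_names is the list you would hand to --expand.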

okay great! --expand just works™. Pretty amazing, kudos to the letsencrypt folks.

Though is the big dump of PEM Encoded chain a security leak on un-ssled domains? Or is this just common?

1 Like

Certificates are public documents, in fact your certificates will have automatically been logged to the Certificate Transparency system, and are (or will be in a few hours if new) visible in Log Monitors such as https://crt.sh/

SSL is “public key cryptography”: your server has a pair of keys, one public (included in the certificate, and so sent to everybody who connects, as well as being logged as above) and one private, which you (well, your web server) must never show to anybody and which no-one should ask to see. Here’s a cool video if you are inclined to learn why this is even mathematically possible. If you aren’t, don’t worry, it’s pretty simple to remember: public keys are public, so it’s OK for everybody to know what those are; private keys aren’t just secret (like a password), they’re truly private, nobody needs to know them except you.

2 Likes
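A quick way to answer the “did I just leak something?” question from the post above and the reply to it, as an added example that is not part of the thread: split a pasted PEM dump into its blocks, report what each block is, and flag any block whose label names a private key. It also checks whether each certificate is complete by comparing the length the DER SEQUENCE header claims against the bytes actually present, which shows that the first block quoted in the opening post is clipped. It uses only the Python standard library; THREAD_FRAGMENT reuses the clipped certificate lines from the opening post together with the two elided blocks, and KEY_SAMPLE is a constructed placeholder, not a real key.

```python
"""Inspect a pasted PEM chain: what is in it, is it complete, and is any of it private key material?"""
import base64
import binascii
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def pem_blocks(text: str) -> list[tuple[str, str]]:
    """Return (label, base64 body without whitespace) for every PEM block in text."""
    return [(label, "".join(body.split())) for label, body in PEM_BLOCK.findall(text)]


def der_declared_length(der: bytes):
    """Total bytes a DER SEQUENCE claims to occupy (header + content), or None if it is not one."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    first = der[1]
    if first < 0x80:  # short form: the length fits in one byte
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_pem_chain(text: str) -> list[dict]:
    """Describe each block: label, decoded size, size the DER header claims, and completeness."""
    report = []
    for label, body in pem_blocks(text):
        entry = {"label": label, "actual_bytes": 0, "declared_bytes": None, "status": "not base64"}
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:  # e.g. the "..." placeholders in the quoted dump
            report.append(entry)
            continue
        entry["actual_bytes"] = len(der)
        entry["declared_bytes"] = der_declared_length(der)
        if entry["declared_bytes"] is None:
            entry["status"] = "not a DER SEQUENCE"
        elif len(der) < entry["declared_bytes"]:
            entry["status"] = "truncated"
        elif len(der) > entry["declared_bytes"]:
            entry["status"] = "trailing data"
        else:
            entry["status"] = "complete"
        report.append(entry)
    return report


def contains_private_key(text: str) -> bool:
    """True if any block label names a private key (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ...)."""
    return any("PRIVATE KEY" in label for label, _ in pem_blocks(text))


# The clipped first certificate from the opening post plus the two elided blocks.
THREAD_FRAGMENT = """-----BEGIN CERTIFICATE-----
MIIFBDCCA+ygAwIBAgISA0tf04WajytXq+n9GjZ9k7CBMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
RUnbMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMHAGCCsGAQUFBwEB
BGQwYjAvBggrBgEFBQcwAYYjaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZy8wLwYIKwYBBQUHMAKGI2h0dHA6Ly9jZXJ0LmludC14My5sZXRzZW5jcnlw
dC5vcmcvMBsGA1UdEQQUMBKCEHd3dy5tb29kbm90ZXMubWUwgf4GA1UdIASB9jCB
8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHWMCYGCCsGAQUFBwIBFhpodHRw
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
"""

# Constructed placeholder: the body is just base64 of the word "placeholder", not a real key.
KEY_SAMPLE = """-----BEGIN PRIVATE KEY-----
cGxhY2Vob2xkZXI=
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for entry in inspect_pem_chain(THREAD_FRAGMENT):
        print(entry)
    print("private key in thread dump:", contains_private_key(THREAD_FRAGMENT))
    print("private key in KEY_SAMPLE:", contains_private_key(KEY_SAMPLE))
```

On the thread dump the first block decodes to 336 bytes while its header claims 1288, so it is reported as truncated, the two elided blocks are reported as not base64, and no private key label is found: the dump is public material, as the reply says. A CERTIFICATE block never carries the private key; only a label containing PRIVATE KEY would be something to rotate.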

Ahh yup thanks. I was afraid that it was a private key leak due to misconfigs, thanks for the helpful info!
