Solved: Incorrect validation certificate and showing weird domain names

Hi everyone.

My domain is: klemon.ch

I ran this command: ./certbot-auto

It produced this output:

Domain: www.klemon.ch
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   edc44d0fe63012452c2e468e05168c6b.5c5cfb1c6047e9571421cb4d1ce08e93.acme.invalid
   from [2400:cb00:2048:1::6819:cf66]:443. Received 3 certificate(s),
   first certificate had names "*.approvediphoneunlock.co.uk,
   *.asta-javas.nl, *.bigmensfashion.nl, *.buy-jwh.eu,
   *.bypaularutgersdesign.nl, *.byshybani.nl, *.cokidsfashion.nl,
   *.cpareviewforfree.com, *.gewoonhuis.nl, *.ijzerhandelwessel.nl,
   *.ilovemyt-shirt.nl, *.joyathome.nl, *.kaysil.com,
   *.kiekeboekids.nl, *.kiki-assen.nl, *.kinderschaatsen.nl,
   *.klemon.ch, *.kokarate.nl, *.lieffeling.nl, *.linlicious.nl,
   *.pasadenalanguage.com, *.petpass.com, *.sexpornlist.net,
   *.tresmasculin.nl, *.userlogos.org, *.vetcoclinics.com,
   approvediphoneunlock.co.uk, asta-javas.nl, bigmensfashion.nl,
   buy-jwh.eu, bypaularutgersdesign.nl, byshybani.nl,
   cokidsfashion.nl, cpareviewforfree.com, gewoonhuis.nl,
   ijzerhandelwessel.nl, ilovemyt-shirt.nl, joyathome.nl, kaysil.com,
   kiekeboekids.nl, kiki-assen.nl, kinderschaatsen.nl, klemon.ch,
   kokarate.nl, lieffeling.nl, linlicious.nl, pasadenalanguage.com,
   petpass.com, sexpornlist.net, ssl375364.cloudflaressl.com,
   tresmasculin.nl, userlogos.org, vetcoclinics.com"

My web server is (include version): Apache 2.2.15

The operating system my web server runs on is (include version): Centos 6

I can login to a root shell on my machine, yes!

The list of domains is very worrying!!?!? What’s going on?

Hi @markushausammann,

It looks like www.klemon.ch is pointed at 104.25.207.102 and 104.25.208.102, which are both IPs owned by Cloudflare.

Cloudflare is terminating the Let's Encrypt validation authority's challenge request with a certificate that has domain names for many of their customers (probably yours included), and that's why you see unfamiliar names. This is a very common practice with CDNs like Cloudflare.

You will want to use the HTTP-01 challenge (Certbot's webroot mode) if you intend to have Cloudflare in front of the domain you're issuing for with Let's Encrypt.

If you provide more information about how you're using Certbot someone will likely be able to give some concrete advice.

Hope that helps!

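The diagnosis in the reply above, written out as a small offline triage helper. This is an added example and is not code from the thread, from Certbot or from Let's Encrypt. It parses the certbot error text (a constructed sample, shortened from the one posted), checks whether the address the validator contacted falls in a CDN range (a snapshot subset of Cloudflare's published ranges, an assumption to refresh from https://www.cloudflare.com/ips/), checks whether the served certificate carried the acme.invalid name or merely happens to list the domain among many other customers, and returns a verdict. The function names, the `SAMPLE_ERROR` text and the `served_names_live` probe are all mine. Note that Let's Encrypt has since retired tls-sni-01 entirely, so the advice it gives points at http-01 and dns-01.

```python
"""Triage a certbot "Incorrect validation certificate" (tls-sni-01) error.

Added example for this thread, not code from the original post, Certbot or
Let's Encrypt. It answers the question the reply above answers by hand:
did the validator reach a CDN edge (which presents its own shared SAN
certificate) instead of the origin that holds the challenge certificate?
"""
import ipaddress
import re
import subprocess

# Snapshot subset of Cloudflare's published ranges (assumption; refresh from
# https://www.cloudflare.com/ips/ before relying on it).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "2400:cb00::/32",
)]

# Constructed sample, adapted (and shortened) from the error in the thread.
SAMPLE_ERROR = """\
Domain: www.klemon.ch
   Type:   unauthorized
   Detail: Incorrect validation certificate for tls-sni-01 challenge.
   Requested
   edc44d0fe63012452c2e468e05168c6b.5c5cfb1c6047e9571421cb4d1ce08e93.acme.invalid
   from [2400:cb00:2048:1::6819:cf66]:443. Received 3 certificate(s),
   first certificate had names "*.approvediphoneunlock.co.uk,
   *.klemon.ch, *.kokarate.nl, approvediphoneunlock.co.uk, klemon.ch,
   kokarate.nl, ssl375364.cloudflaressl.com"
"""


def parse_error(text):
    """Pull domain, requested SNI name, contacted IP and served SANs out of the error."""
    domain = re.search(r"Domain:\s*(\S+)", text).group(1)
    requested = re.search(r"Requested\s+(\S+acme\.invalid)", text).group(1)
    # IPv6 is bracketed ([addr]:port), IPv4 is bare (addr:port).
    ip = re.search(r"from \[?([0-9a-fA-F.:]+)\]?:\d+", text).group(1)
    blob = re.search(r'first certificate had names "([^"]*)"', text).group(1)
    names = [n.strip() for n in blob.split(",") if n.strip()]
    return {"domain": domain, "requested": requested, "ip": ip, "names": names}


def is_cdn_ip(ip):
    """True if the address the validator contacted is in a known CDN range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def covers(domain, names):
    """True if a SAN list matches the domain exactly or via a one-label wildcard."""
    if domain in names:
        return True
    parent = domain.partition(".")[2]
    return bool(parent) and f"*.{parent}" in names


def triage(err):
    """Decide why the validator saw the wrong certificate and what to do about it."""
    names = set(err["names"])
    domain, parent = err["domain"], err["domain"].partition(".")[2]
    at_cdn = is_cdn_ip(err["ip"])
    stripped = {n[2:] if n.startswith("*.") else n for n in names}
    result = {
        "at_cdn": at_cdn,
        "challenge_cert_served": err["requested"] in names,
        "domain_covered": covers(domain, names),
        # Other sites sharing the served certificate: the "weird domain names".
        "other_sites": sorted(stripped - {domain, parent}),
    }
    if result["challenge_cert_served"]:
        verdict = "challenge_ok"
        advice = "the challenge certificate was served; the failure lies elsewhere"
    elif at_cdn:
        verdict = "cdn_terminates_tls"
        advice = ("a CDN edge answered with its shared certificate; tls-sni-01 cannot "
                  "work behind it, use http-01 (certbot webroot) or dns-01")
    elif result["domain_covered"]:
        verdict = "origin_served_wrong_cert"
        advice = "origin reached, but it ignored the acme.invalid SNI; check the vhost/SNI config"
    else:
        verdict = "misrouted"
        advice = "DNS points at a host that does not serve this domain at all"
    result.update(verdict=verdict, advice=advice)
    return result


def served_names_live(ip, sni, port=443):
    """Reproduce the validator's probe with the openssl CLI (needs network; not run by tests)."""
    host = f"[{ip}]" if ":" in ip else ip
    s_client = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", sni],
        input=b"", capture_output=True, check=False)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-text"],
                          input=s_client.stdout, capture_output=True, check=False)
    return re.findall(r"DNS:([^\s,]+)", x509.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for key, value in triage(parse_error(SAMPLE_ERROR)).items():
        print(f"{key}: {value}")
```

Run it as is to triage the constructed sample; paste your own certbot error into `SAMPLE_ERROR` to triage a real one. `served_names_live(ip, "<token>.acme.invalid")` repeats what the validator did, connecting to the IP the error names while sending the acme.invalid SNI, so you can see for yourself which certificate comes back.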

I just keep forgetting about the existence of Cloudflare... this explains a lot of course. I guess now I might be able to solve the problem. Thanks for the input, I should have known.


Hi @cpu, that was it. I don't even need a letsencrypt cert for this domain. I had an old valid cert which expired and the Cloudflare setting "Full (strict)". By changing that to strict, I'm fine.


Great! Glad to hear you have everything you need!

