SSL Certificate common name is invalid

My domain is: kiepownica.pl
My web server is (include version):
Apache/2.4.41
The operating system my web server runs on is:
Ubuntu Server 18.04 LTS
I can login to a root shell on my machine:
yes
I’m using a control panel to manage my site:
no
The version of my client is: certbot 0.31.0

The problem is that even though the fox-clan.cz website doesn’t exist on my server, and certbot doesn’t list it as one up for Let’s Encrypt when running certbot-apache, for some reason fox-clan.cz is the main common name for my certificate.

I have already tried recreating the certificate several times and made sure that there are no fox-clan.cz remnants, yet it’s still using fox-clan.cz instead of kiepownica.pl as the common name.

I am not really sure what the consequences of this are, but I’d rather see kiepownica.pl instead of fox-clan.cz as my certificate’s common name.

I have gone through Google and haven’t found any clear explanation of why this might be happening. The interesting part is that it’s working perfectly fine and everything is encrypted, but I’d rather break any connections with fox-clan.cz, and having it as the common name of my main server is definitely not something I would like to see.

I noticed that the current certbot getting-started guide mentions the package python-certbot-apache. Do I really need it if I already have both Python 2.7 and 3.7 environments?

Also, is certbot 0.31 the latest version? I did add the PPA, but it does say it is up-to-date, while the latest one on GitHub is 0.38. My guess is that 0.31 would be the current stable release, correct me if I’m wrong please.

Thanks for any input.

PS. There’s no fox-clan.cz on apache2 on my server, which makes me even more confused.

What's the output of "sudo certbot certificates"?

You've issued two identical certificates recently. Neither includes fox-clan.cz.

By the way, don't issue too many duplicate certificates. Let's Encrypt has rate limits. If something is wrong, issuing duplicate certificates usually won't fix it.

Your web server may still be using the old fox-clan.cz certificate, but the new certificates exist.

What command(s) did you run to issue the new certificates? What did they output? (Please don't run them again to answer my question, though.)

For what it's worth, the common name field of certificates does not matter much. Modern TLS clients ignore it. Browsers display it prominently to users, but then their network code doesn't actually use it. The list of subject alternative names is what is used instead.

Originally, the Certbot packages used Python 2, so the apache plugin was in the python-certbot-apache package. Now they use Python 3, so the plugin is in the python3-certbot-apache package. There's still an empty transitional python-certbot-apache package, but you can just install python3-certbot-apache directly.

Every release is intended to be stable. But the Debian and Ubuntu packages aren't updated every time. Updating takes work, and it's less predictable to have old bugs fixed and new bugs introduced more frequently.

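
The point above about the common name versus subject alternative names, as an added example that is not part of the original thread. It builds a throwaway self-signed certificate (a constructed sample; `-addext` needs OpenSSL 1.1.1 or later) whose CN is fox-clan.cz and whose only SAN is kiepownica.pl, then asks OpenSSL's hostname check which name it accepts.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): CN vs. SAN in hostname verification.
# Requires OpenSSL 1.1.1+ for -addext; the certificate is a constructed sample.
set -u

# make_demo_cert CN SAN OUTDIR: write a self-signed cert whose CN and SAN differ.
make_demo_cert() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 1 -subj "/CN=$1" -addext "subjectAltName=DNS:$2" \
    -keyout "$3/key.pem" -out "$3/cert.pem" 2>/dev/null
}

# cert_names CERT: print the subject line and the SAN extension.
cert_names() {
  openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# host_matches CERT HOST: succeed only if OpenSSL's verifier accepts HOST.
# When a DNS SAN is present, the CN is not consulted.
host_matches() {
  openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

demo_dir=$(mktemp -d)
make_demo_cert fox-clan.cz kiepownica.pl "$demo_dir"
cert_names "$demo_dir/cert.pem"
for h in kiepownica.pl fox-clan.cz; do
  if host_matches "$demo_dir/cert.pem" "$h"; then echo "$h: accepted"
  else echo "$h: rejected"; fi
done
rm -rf "$demo_dir"
```

Running `cert_names` against `/etc/letsencrypt/live/<cert-name>/cert.pem` shows the same two fields for a real Certbot lineage.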

Thanks a lot for clearing those things up.
I have provided the output of the command via PM.
If I have both python2 and 3 running perfectly, is it necessary to still install the python3-certbot-apache package? I’m a bit worried they would conflict with each other, and everything works, except for this dreaded misconfiguration issue.

There are two certificates:

The old one has the name kiepownica.pl, and the new one has the name kiepownica.pl-0001.

When Certbot creates a new certificate, if it's a superset of the names in an existing certificate, Certbot will offer to replace the old one. Otherwise, it will save it in a new directory.

When creating the certificate, you can override this by passing --cert-name kiepownica.pl, but it's too late now.

So you have two options:

One:

Edit your web server and other server configurations to change kiepownica.pl to kiepownica.pl-0001.

After making sure that nothing is using the old certificate, delete it with "sudo certbot delete --cert-name kiepownica.pl".

Two:

Issue another new certificate using "--cert-name kiepownica.pl" and the new list of names.

Then verify that nothing is using the kiepownica.pl-0001 certificate and delete it with "sudo certbot delete --cert-name kiepownica.pl-0001".

It's probably installed already.

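
One way to do the "make sure nothing is using the certificate" step from the reply above before running `certbot delete`, as an added example that is not part of the original thread. The function names are hypothetical, the sample config is constructed, and it assumes Apache config files end in `.conf` and reference certificates under `/etc/letsencrypt/live`.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find which Certbot lineages Apache
# still references before running "certbot delete --cert-name ...".
set -u

# lineage_refs APACHE_ROOT [LIVE_DIR]: print "lineage<TAB>file" for every
# uncommented SSLCertificate*File directive pointing into LIVE_DIR.
# Enabled and merely available sites are both scanned (symlinks followed).
lineage_refs() {
  local root=$1 live=${2:-/etc/letsencrypt/live}
  find -L "$root" -type f -name '*.conf' -print0 2>/dev/null |
    xargs -0 -r awk -v live="$live/" '
      tolower($1) ~ /^sslcertificate(file|keyfile|chainfile)$/ {
        p = $2; gsub(/"/, "", p)
        if (index(p, live) == 1) {
          name = substr(p, length(live) + 1); sub(/\/.*/, "", name)
          print name "\t" FILENAME
        }
      }' | sort -u
}

# lineage_in_use NAME APACHE_ROOT [LIVE_DIR]: exact match, so
# "kiepownica.pl" does not match "kiepownica.pl-0001".
lineage_in_use() {
  lineage_refs "$2" "${3:-/etc/letsencrypt/live}" | cut -f1 | grep -Fxq -- "$1"
}

# Constructed sample config tree (not the poster's real files).
demo=$(mktemp -d); mkdir -p "$demo/sites-available"
cat > "$demo/sites-available/kiepownica.pl.conf" <<'EOF'
<VirtualHost *:443>
    ServerName kiepownica.pl
    SSLCertificateFile /etc/letsencrypt/live/kiepownica.pl-0001/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/kiepownica.pl-0001/privkey.pem
    # SSLCertificateFile /etc/letsencrypt/live/kiepownica.pl/fullchain.pem
</VirtualHost>
EOF
lineage_refs "$demo"
for n in kiepownica.pl kiepownica.pl-0001; do
  if lineage_in_use "$n" "$demo"; then echo "$n: still referenced"
  else echo "$n: no references found"; fi
done
rm -rf "$demo"
```

On a real server the call would be `lineage_refs /etc/apache2`; it covers Apache only, so other services that load the certificate need their own check.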

I went with the second approach as I couldn’t really find any mentions of kiepownica.pl-0001 anywhere in my server configuration, and this is the output:
kiepownica@kiepownica:~$ sudo certbot --apache --cert-name kiepownica.pl
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/kiepownica.pl.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
Keeping the existing certificate

We were unable to find a vhost with a ServerName or Address of fox-clan.cz.
Which virtual host would you like to choose?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: sinusbot.conf                  | Multiple Names        |       | Enabled
2: sinusbot.conf                  | Multiple Names        | HTTPS | Enabled
3: butlak.conf                    | Multiple Names        |       | Enabled
4: butlak.conf                    | Multiple Names        | HTTPS | Enabled
5: filerun.conf                   | Multiple Names        |       | Enabled
6: filerun.conf                   | Multiple Names        | HTTPS | Enabled
7: olokos.pl.conf                 | Multiple Names        |       | Enabled
8: olokos.pl.conf                 | Multiple Names        | HTTPS | Enabled
9: kiepownica.pl.conf             | Multiple Names        |       | Enabled
10: kiepownica.pl.conf             | Multiple Names        | HTTPS | Enabled
11: 00-default.conf                | Multiple Names        |       | Enabled
12: 00-default.conf                | Multiple Names        | HTTPS | Enabled
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-12] then [enter] (press 'c' to cancel):

In apache2.conf there is still a directory rule for the fox-clan website, but since the website is turned off in apache2, that shouldn’t be taken into consideration from what I know.

But kiepownica.pl.conf does indeed link to the -0001 certificate, I will try to rename it and see how it goes.

I did change all the websites to use the kiepownica.pl certificate without -0001, but the common name remains the same and it’s still saying it is unable to find a vhost for fox-clan.cz for some reason, just like above.

Currently the only remnants of fox-clan.cz on my server are in sites-available (but not enabled) and the apache2.conf directory directives.

As for the Python, you are spot on, both packages are installed already.

I guess you would have to pass -d arguments to Certbot listing exactly which names you want to put in the new certificate. Like:

sudo certbot --apache --cert-name kiepownica.pl -d kiepownica.pl -d www.kiepownica.pl ...

Rename what? Don't rename files or directories in /etc/letsencrypt/.


Thank you so much @mnordhoff !
Everything is now as it was supposed to be :smiley:
This did the trick and even offered me to remove fox-clan automagically.
Afterwards I proceeded with certbot delete --cert-name kiepownica.pl-0001 and everything is perfect now! Yayyyyy
I meant renaming conf files for my websites, as I must have mistakenly allowed it to set up a redirect for me, which led to creating the -0001 cert and using that in the .conf files.

To wrap it up:
sites-available had been using -0001 cert, so I removed -0001 from those
used certbot --apache --cert-name -d (…)
deleted redundant certificate

Thank you so much for help, have a great day! :slight_smile:


That’s great! :smiley:
