SSL: certificate subject name (*.hcx.global) does not match target host name 'hcx.global'


#1

Domain: hcx.global
Web server: Apache/2.4.18 (Ubuntu)
Operating system my web server runs on: Ubuntu 16.04
Can login to a root shell on my machine: Yes
Using a control panel: No

Obtained wildcard certificate with certbot-auto with the following command:

sudo ./certbot-auto certonly \
--server https://acme-v02.api.letsencrypt.org/directory \
--manual --preferred-challenges dns \
--renew-by-default \
-d *.hcx.global

Got the following 4 files

cert.pem chain.pem fullchain.pem privkey.pem

in location /etc/letsencrypt/live/hcx.global/

Set up the Apache vhost file with the following:

<VirtualHost *:80>
    ServerName hcx.global
    Redirect permanent / https://hcx.global/
</VirtualHost>
<VirtualHost *:443>
    ServerName hcx.global
    ServerAlias www.hcx.global
    DocumentRoot /var/www/html
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/hcx.global/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/hcx.global/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/hcx.global/chain.pem
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Then restarted the Apache server, but browsers are complaining:

NET::ERR_CERT_COMMON_NAME_INVALID

The virtual host is working as it redirects http to https.

curl -v https://hcx.global

* Rebuilt URL to: https://hcx.global/
*   Trying 101.53.145.96...
* Connected to hcx.global (101.53.145.96) port 443 (#0)
* found 148 certificates in /etc/ssl/certs/ca-certificates.crt
* found 604 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification OK
* 	 server certificate status verification SKIPPED
* SSL: certificate subject name (*.hcx.global) does not match target host name 'hcx.global'
* Closing connection 0
curl: (51) SSL: certificate subject name (*.hcx.global) does not match target host name 'hcx.global'

What could be the cause of the error?


#2

Hi @quakig

If you want to use a wildcard certificate *.hcx.global with https://hcx.global/, you have to create a wildcard certificate with two names:

*.hcx.global
hcx.global

*.hcx.global doesn’t match hcx.global.

So you need two DNS entries with the same name

_acme-challenge.hcx.global

and two different values.


#3

This is correct, and a really common mistake. *.hcx.global matches exactly that, something (dot) hcx (dot) global. It will not match hcx.global or a.b.hcx.global.

You need to add the base domain as a second name if you want the certificate to be valid for it.
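The matching rule described in the two replies above, as an added example that is not part of the thread: the leftmost-label wildcard rule of RFC 6125 (the one curl and browsers apply), run over the SAN list the original certbot command produced and over the list the replies recommend. The function names and the two SAN lists are constructed for the example.

```python
# Added example (not from the thread): RFC 6125 section 6.4.3 leftmost-label
# wildcard matching, which is what curl and browsers apply to a certificate.
from typing import Iterable


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name (possibly '*.example') covers hostname.

    Rules applied (the ones the replies above describe):
      * a name without '*' must equal the hostname (case-insensitive);
      * '*' is only honoured as the whole leftmost label and stands in for
        exactly one label, so '*.hcx.global' covers 'www.hcx.global' but
        neither 'hcx.global' nor 'a.b.hcx.global'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label and must leave at least
    # two further labels, so '*' or '*.global' are never accepted.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    # Same label count: '*' matches one label, never zero (apex) or two.
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    # Everything to the right of the wildcard must match label for label.
    return p_labels[1:] == h_labels[1:]


def covered_by(names: Iterable[str], hostname: str) -> bool:
    """True if any subject alternative name in the certificate covers hostname."""
    return any(wildcard_matches(n, hostname) for n in names)


# Constructed SAN lists: what the original certbot command produced, and what
# the replies recommend (wildcard plus the bare apex name).
ORIGINAL_SANS = ["*.hcx.global"]
FIXED_SANS = ["*.hcx.global", "hcx.global"]

if __name__ == "__main__":
    for host in ["hcx.global", "www.hcx.global", "a.b.hcx.global"]:
        print(f"{host:16} original={covered_by(ORIGINAL_SANS, host)!s:5} "
              f"fixed={covered_by(FIXED_SANS, host)}")
```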


#4

Inspired by the rules for wildcards in Unix and DOS, where if the dot is present in the wildcard, it must also be present in the matched filename.

