SSL_ERROR_BAD_CERT_DOMAIN because of host name as domain name in ssl

Amakesh · May 13, 2020, 5:31pm

I have 4 domains on 1 VDS server. Earlier Let’s encrypt certificates worked fine for for all of them.
Unfortunately i have now a problem with the certificates - SSL_ERROR_BAD_CERT_DOMAIN. https://www.ssllabs.com shows all of the certificates have Server hostname(rsvix170.gerwanserver.de) as domain name and not their own addresses.
https://www.ssllabs.com/ssltest/analyze.html?d=solaris-ustronie.eu

https://check-your-website.server-daten.de/?q=solaris-ustronie.eu

I can reissue the certificates via Plesk, but it makes it automatically and have no possibility to change domain name. Plesk shows no problems with ssl and all below, but if you try to go to eg. solaris-ustronie.eu it will give you SSL_ERROR_BAD_CERT_DOMAIN, because the domain name is still wrong.
I can, of course, use advanced settings and type domain name there and and choose request or self-signed. Tried to do that and choosed request, but generated certificate has only CSR part and private key and unable to use it…

Domain solaris-ustronie.eu Secured
Domain with the “www” prefix www.solaris-ustronie.eu Secured
Webmail access webmail.solaris-ustronie.eu Secured
Mail access IMAP, POP, SMTP Secured
Wildcard Wildcard SSL/TLS certificate *.solaris-ustronie.eu Secured
Server Configuration TLS versions and ciphers by Mozilla enabled

I can, of course, use advanced settings and type domain name there and and choose request or self-signed. Tried to do that and choosed request, but generated certificate has only CSR part and private key and unable to use it…

My domain is: solaris-ustronie.eu

I ran this command:

It produced this output:

My web server is (include version): VDS rsvix170.gerwanserver.de

The operating system my web server runs on is (include version): CentOS 7.8

My hosting provider, if applicable, is: domainprovider.de/Gerwan

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

rg305 · May 13, 2020, 5:45pm

I am unfamiliar with VDS.

I do see something more familiar:

curl -Iki http://solaris-ustronie.eu/
HTTP/1.1 301 Moved Permanently
Server: nginx
Date: Wed, 13 May 2020 17:42:30 GMT
Content-Type: text/html; charset=iso-8859-1
Connection: keep-alive
Location: https://www.solaris-ustronie.eu/

NGINX
Are you familiar with nginx?

Please show the output of:
nginx -T | grep -i server_name

Amakesh · May 13, 2020, 6:22pm

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
server_names_hash_bucket_size 64;
server_name lists.;
server_name lists.;
server_name lists.;
server_name lists.;
server_name lists.;
server_name lists.;
server_name mbrcp.com;
server_name www.mbrcp.com;
server_name ipv4.mbrcp.com;
server_name mbrcp.com;
server_name www.mbrcp.com;
server_name ipv4.mbrcp.com;
server_name “webmail.mbrcp.com”;
server_name “webmail.mbrcp.com”;
server_name “webmail.nwn.mbrcp.com”;
server_name “webmail.nwn.mbrcp.com”;
server_name “webmail.smartrecepcja.pl”;
server_name “webmail.smartrecepcja.pl”;
server_name “webmail.solaris-ustronie.eu”;
server_name “webmail.solaris-ustronie.eu”;
server_name “webmail.zahnarzt-birresborn.de”;
server_name “webmail.zahnarzt-birresborn.de”;
server_name smartrecepcja.pl;
server_name www.smartrecepcja.pl;
server_name ipv4.smartrecepcja.pl;
server_name smartrecepcja.pl;
server_name www.smartrecepcja.pl;
server_name ipv4.smartrecepcja.pl;
server_name solaris-ustronie.eu;
server_name www.solaris-ustronie.eu;
server_name ipv4.solaris-ustronie.eu;
server_name solaris-ustronie.eu;
server_name www.solaris-ustronie.eu;
server_name ipv4.solaris-ustronie.eu;
server_name zahnarzt-birresborn.de;
server_name www.zahnarzt-birresborn.de;
server_name ipv4.zahnarzt-birresborn.de;
server_name zahnarzt-birresborn.de;
server_name www.zahnarzt-birresborn.de;
server_name ipv4.zahnarzt-birresborn.de;
server_name poczta.smartrecepcja.pl;
server_name www.poczta.smartrecepcja.pl;
server_name ipv4.poczta.smartrecepcja.pl;

rg305 · May 13, 2020, 9:39pm

The server name is being served by nginx.
But I don’t see “rsvix170.gerwanserver.de” anywhere in that output.
So, I’m not yet sure how nginx is serving that certificate.
You may have to take a closer look through the nginx config files to identify why/how it is being served.

You can use a CSR manually via a web site like: <a href="https://ZeroSSL.com/>ZeroSSL.
But manually processing a cert request is NOT recommended,
LE certs will expire every 90 days.
Using a method that can be automated is highly recommended.

system · June 12, 2020, 9:39pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.