Ssl_error_bad_cert_domain & err_cert_common_name_invalid


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: clickee.fr

I ran this command: ./letsencrypt-auto certonly --apache --renew-by-default -d clickee.fr

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for clickee.fr
Waiting for verification…
Cleaning up challenges

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/clickee.fr/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/clickee.fr/privkey.pem
    Your cert will expire on 2018-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again. To non-interactively renew all of your
    certificates, run “letsencrypt-auto renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

My web server is (include version):
Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-06-07T19:43:03

The operating system my web server runs on is (include version):
Ubuntu 16.04.4 LTS

My hosting provider, if applicable, is: ovh

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no, i’m using

Hello, on my site, there is the possibility of authentication and registration via social networks like Facebook, Google+ and Twitter. And when I try to connect via Facebook, on Google Chrome
I have an error page telling me:
NET::ERR_CERT_COMMON_NAME_INVALID

Subject: clickee.fr

Issuer: Let’s Encrypt Authority X3

Expires on: Nov 21, 2018

Current date: August 23, 2018

PEM encoded chain:

And on Firefox, I have the error SSL_ERROR_BAD_CERT_DOMAIN

What can I do to fix the problem, please? Thank you


#2

Hi @rado

I don’t see any problem. You have a certificate, created today, no mixed content warnings.

But: is it possible that users create a link to

https://www.clickee.fr/

The certificate has only one name - clickee.fr. So the certificate doesn’t work with https://www.clickee.fr/

Solution: Create a certificate with two names - clickee.fr + www.clickee.fr. If this is installed, add a redirect from www.clickee.fr to clickee.fr (or in the other direction).

But: You use sni-01 - challenge. This is deprecated and doesn’t work with new domains. So use the

--preferred-challenges http-01

option to switch to http-01 - validation.
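
The mismatch described in this reply can be checked before users hit it. The following is an added example, not part of the original thread or of Certbot: it compares the dNSName entries of a certificate against the hostnames a site is served under, using browser-style wildcard rules. The function names are hypothetical and the sample input is constructed from the names in this thread.

```python
import socket
import ssl

def name_matches(pattern: str, host: str) -> bool:
    """Browser-style match of one dNSName SAN entry against a hostname.

    A wildcard is honoured only as the whole left-most label and covers
    exactly one label, so *.example.com matches www.example.com but not
    example.com or a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def uncovered(san_dns_names, served_hosts):
    """Return the served hostnames that no SAN entry covers."""
    return [h for h in served_hosts
            if not any(name_matches(s, h) for s in san_dns_names)]

def fetch_san_dns_names(host, port=443, timeout=5.0):
    """Read dNSName SANs from a live server (needs network access).

    The chain is still validated; only the hostname check is disabled so
    the certificate can be inspected when the name does not match.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    # Constructed input mirroring the thread: the certificate lists only
    # clickee.fr, while the site is also reached as www.clickee.fr.
    print(uncovered(["clickee.fr"], ["clickee.fr", "www.clickee.fr"]))
```

Run after each renewal with the full list of hostnames the site answers to; any name it returns will produce ERR_CERT_COMMON_NAME_INVALID or SSL_ERROR_BAD_CERT_DOMAIN in browsers.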


#3

Hi, @JuergenAuer.
Thank you very much, the problem was caused by the crontab, in which I missed adding the domain name with www.


#4

Yep, now https://www.clickee.fr/ is secure.


#5

Now I am trying to do the same thing with my other domain name, Altee.com, but I have an error.

I typed this command: ./letsencrypt-auto --apache --preferred-challenges http-01 -d altee.com -d www.altee.com

And I have these results:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/altee.com.conf)

It contains these names: altee.com

You requested these names for the new certificate: altee.com, www.altee.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for altee.com
http-01 challenge for www.altee.com
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Cleaning up challenges
Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Unable to restart apache using [‘apache2ctl’, ‘graceful’]
Encountered exception during recovery:
Traceback (most recent call last):
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/error_handler.py”, line 108, in _call_registered
self.funcs-1
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/auth_handler.py”, line 310, in _cleanup_challenges
self.auth.cleanup(achalls)
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py”, line 2288, in cleanup
self.restart()
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py”, line 2151, in restart
self._reload()
File “/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py”, line 2179, in _reload
raise errors.MisconfigurationError(error)
MisconfigurationError: Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

Error while running apache2ctl graceful.
httpd not running, trying to start
Action ‘graceful’ failed.
The Apache error log may have more information.

(98)Address already in use: AH00072: make_sock: could not bind to address [::]:80
(98)Address already in use: AH00072: make_sock: could not bind to address 0.0.0.0:80
no listening sockets available, shutting down
AH00015: Unable to open logs

So what can be the problem?
Thanks in advance.


#6

That domain seems to be using nginx, not apache? If so use --nginx rather than --apache in the letsencrypt-auto command…


#7

I’ve replaced --apache with --nginx and these are the results:

Performing the following challenges:
http-01 challenge for altee.com
http-01 challenge for www.altee.com
Using default address 80 for authentication.
nginx: [warn] duplicate extension “eot”, content type: “application/vnd.ms-fontobject”, previous content type: “application/vnd.ms-fontobject” in /etc/nginx/mime.types:90
nginx: [warn] duplicate extension “woff”, content type: “font/x-woff”, previous content type: “application/font-woff” in /etc/nginx/mime.types:93
Waiting for verification…
Cleaning up challenges
nginx: [warn] duplicate extension “eot”, content type: “application/vnd.ms-fontobject”, previous content type: “application/vnd.ms-fontobject” in /etc/nginx/mime.types:90
nginx: [warn] duplicate extension “woff”, content type: “font/x-woff”, previous content type: “application/font-woff” in /etc/nginx/mime.types:93
Deploying Certificate to VirtualHost /etc/nginx/nginx.conf
Could not automatically find a matching server block for www.altee.com. Set the server_name directive to use the Nginx installer.

IMPORTANT NOTES:

  • Unable to install the certificate
  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/altee.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/altee.com/privkey.pem
    Your cert will expire on 2018-11-21. To obtain a new or tweaked
    version of this certificate in the future, simply run
    letsencrypt-auto again with the “certonly” option. To
    non-interactively renew all of your certificates, run
    “letsencrypt-auto renew”

#8

Well that’s definitely an improvement, as you now have a certificate! :slight_smile: You just need to install it.

Looks like the problem is you don’t have the www subdomain set up in your nginx configuration. Add it there and run certbot again (it should ask if you want to reinstall the existing certificate).


#9

Thank you very much, it works fine now.

