SSL_ERROR_BAD_CERT_DOMAIN

I have used Let’s Encrypt for more than 6 domains on a Dedicated server.

I set up the latest domain, say example.org, correctly, as the others I had previously set up.

I go to the domain in a browser, and I get a warning that it's an insecure domain and that the certificate is used for another domain [test2.example2.com]; this is to tell you that the two domains are totally unrelated.

I have deleted the certificates and created another with the arguments -d example.org -d www.example.org.

I have no idea what I am doing wrong.

Here is what it looks like on Firefox.

example.org uses an invalid security certificate.
The certificate is only valid for test2.example2.com
Error code: SSL_ERROR_BAD_CERT_DOMAIN

Probably misconfigured your webserver. But as you don't mention the webserver in question (you did see all those questions when you opened this thread, right? Any reason you chose to delete them?) I can't help you with that.

I have six domains, say:

domain1
domain2
domain3
domain4
domain5
domain6

domain 6 has a subdomain demo.domain6

I set up a new domain7 the same way I set up all the previous 6.

Nginx didn’t give any errors when I tested domain7’s configurations.

On loading it in my browser, https://domain7 says the certificate used belongs to demo.domain6.

By the way, I have seen almost all threads with similar issues; the case I found had to do with creating an argument for -d domain7 -d www.domain7, which I had already done even before checking the thread.

I want to know what might be the cause, since the configurations of the previous 6 are the same and all are working perfectly with no issues.

So do you understand the issue now?

Nginx 1.10.0

I understand the issue, but people on the forum here don't have crystal balls (or they are broken unfortunately). Much more information would be helpful and it is very exhausting if we need to ask all the relevant questions over and over. So I ask you again: why did you remove the initial questions presented to you when you opened this thread?

In any case, the exact method and command line of the client used (you didn't even mention which client you have used?) would be helpful, as well as the nginx configuration files in question.

Anyway, I personally will be ignoring this thread from now on b/c of the above irritation points. Hopefully someone else can help you if you provide the required information.

Honestly, I didn’t see any questions presented to me.

The command line I used:

letsencrypt certonly -a webroot --webroot-path=/var/www/html -d domain7 -d www.domain7

Then the configurations used:

server {
    listen 80;
    listen [::]:80;
    server_name domain7.com www.domain7.com;
    return 301 https://domain7.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/domain7.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain7.com/privkey.pem;

    server_name www.domain7.com;
    return 301 https://domain7.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/domain7.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain7.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server_name domain7.com;

    root /var/www/html;

    location ~ /.well-known {
        allow all;
    }
}

The forum software wóuld have presented them to you as you selected the "Help" category.

Anyway, shouldn't you be providing server_name with domain7.com as well as www.domain7.com in both the server {} blocks? Now you've got one without the www hostname and one only wíth the www hostname.

I only selected the Help after I was done typing. My deepest apologies.
Another thing is I didn't know I was free to share the domain; unlike on other dev forums, you simply use example.com.

I did add the www.domain7.com to the server block of the one without www

The affected domain is nutcreative.com.
It says the certificate is only valid for demo.wpnaija.com, a subdomain I set up several months back.
The host is Linode.
I can use SSH as root.

In essence domain7 is nutcreative.com

Thank you

Ah, that explains a lot, sorry for my possible rude remarks, as you've clearly not misbehaved :wink:

I'm getting a CloudFlare certificate and consequently a CloudFlare "Invalid SSL certificate" error.

Anyhow, another question: did you reload/restart nginx after you've added the TLS configuration?

Thank you for understanding me.

Yes, I reloaded Nginx, nothing changed.

I already paused Cloudflare, so the invalid certificate error should be gone now.

What I am having is still the Insecure connection error.

Whatever hostname is provided for the SNI value, the certificate of demo.wpnaija.com is presented. Can you post the configuration files for that server block?

The server block for demo.wpnaija.com

server {
    listen 80;
    listen [::]:80;
    server_name demo.wpnaija.com;
    return 301 https://demo.wpnaija.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/demo.wpnaija.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/demo.wpnaija.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    server_name demo.wpnaija.com;

    root /var/www/demo/public_html;
    access_log /var/www/demo/logs/access.log;
    error_log /var/www/demo/logs/error.log debug;
    index index.php;

    location ~ /.well-known {
        allow all;
    }
}

Server block for NutCreative

server {
    listen 80;
    listen [::]:80;
    server_name nutcreative.com www.nutcreative.com;
    return 301 https://nutcreative.com$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate /etc/letsencrypt/live/nutcreative.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/nutcreative.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    server_name nutcreative.com www.nutcreative.com;

    root /var/www/nutcreative/public_html;
    access_log /var/www/nutcreative/logs/access.log;
    error_log /var/www/nutcreative/logs/error.log debug;
    index index.php;

    location ~ /.well-known {
        allow all;
    }
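As an added illustration (not the poster's or Osiris's code): a small Python check that reproduces how nginx picks the certificate for a TLS client's SNI name from server blocks like the ones above, i.e. the first server_name match, otherwise the default server for that port, and that refuses a block with a missing `}`. The configuration text inside it is constructed from the thread's hostnames and paths; it assumes exact server_name matching only and treats the IPv4 and IPv6 listen sockets as one.

```python
import re
# Constructed sample modelled on the HTTPS server blocks posted above; not the poster's file.
NGINX_CONF = """
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/demo.wpnaija.com/fullchain.pem;
    server_name demo.wpnaija.com;
}
server {
    listen 443 ssl http2;
    ssl_certificate /etc/letsencrypt/live/nutcreative.com/fullchain.pem;
    server_name nutcreative.com www.nutcreative.com;
}
"""

def server_blocks(conf):
    """Yield each server { } body (nested blocks stay inside); a missing '}' raises."""
    depth, stack = 0, []
    for i, ch in enumerate(conf):
        if ch == "{":
            if re.search(r"\bserver\s*$", conf[:i]):
                stack.append((depth, i + 1))
            depth += 1
        elif ch == "}":
            depth -= 1
            if stack and stack[-1][0] == depth:
                yield conf[stack.pop()[1]:i]
    if depth:
        raise ValueError("unbalanced braces: %d block(s) never closed" % depth)

def directive(body, name):
    """Argument lists of every line-initial occurrence of a directive in a block."""
    return [a.split() for a in re.findall(r"(?m)^\s*%s\s+([^;]+);" % name, body)]

def cert_for_sni(conf, sni_name, port="443"):
    """First server_name match wins; otherwise the default server for the port
    (default_server flag, else the first ssl server). Exact names; v4/v6 as one."""
    servers = []
    for body in server_blocks(conf):
        listens = [l for l in directive(body, "listen")
                   if "ssl" in l and l[0].rsplit(":", 1)[-1] == port]
        if listens:
            certs = directive(body, "ssl_certificate")
            servers.append((sum(directive(body, "server_name"), []), certs[0][0] if certs else None,
                            any("default_server" in l for l in listens)))
    for names, cert, _ in servers:
        if sni_name in names:
            return cert, "matched server_name"
    default = next((s for s in servers if s[2]), servers[0] if servers else (None, None))
    return default[1], "default server"
```

Run it against the output of `nginx -T` to see which block a given hostname lands in; a result of "default server" for a name you expected to match is the situation this thread describes.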

The missing } of the last server {} block is probably a copy/paste thing, right?

Do the nginx logs give any warning/errors when you reload/restart nginx?

As far as I can tell, it shóuld work… (If there’s actually another } present :stuck_out_tongue:)

It’s not a copy and paste thing though. There is another }

The configurations are okay, no errors whatsoever, that’s why I can’t figure out why the SSL_Error in the first place.

Can you check the certificate?

openssl x509 -noout -text </etc/letsencrypt/live/nutcreative.com/fullchain.pem

Should say nutcreative.com in the Subject and both hostnames in the Subject Alternative Names field.
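Added example, not from the thread: the check behind this advice done in Python on openssl's text output, with the hostname comparison a browser applies, so that a Subject Alternative Name mismatch (what Firefox reports as SSL_ERROR_BAD_CERT_DOMAIN) can be reproduced offline. The openssl text is a constructed sample shaped like the certificate under discussion, not a real dump.

```python
import re

# Constructed sample: the lines of `openssl x509 -noout -text` output that matter
# here, shaped like the certificate discussed above (not a real dump).
OPENSSL_TEXT = """\
        Subject: CN = nutcreative.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:nutcreative.com, DNS:www.nutcreative.com
"""

def parse_sans(openssl_text):
    """DNS names listed under 'Subject Alternative Name' in openssl's text output."""
    m = re.search(r"Subject Alternative Name:[^\n]*\n\s*([^\n]+)", openssl_text)
    if not m:
        return []
    return [e.strip()[4:] for e in m.group(1).split(",") if e.strip().startswith("DNS:")]

def name_matches(pattern, hostname):
    """Browser-style (RFC 6125) comparison: exact, or a leading '*' that stands
    for exactly one label, so *.wpnaija.com covers demo.wpnaija.com but neither
    wpnaija.com nor a.demo.wpnaija.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p, h = pattern.split("."), hostname.split(".")
    return len(p) == len(h) >= 3 and p[1:] == h[1:]

def check_cert(openssl_text, hostname):
    """(ok, sans): ok is what the browser's hostname check decides. False here,
    with a certificate issued for some other site, is exactly the error above."""
    sans = parse_sans(openssl_text)
    return any(name_matches(s, hostname) for s in sans), sans
```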

Yes it says so

Subject Alternative Name:
                DNS:nutcreative.com, DNS:www.nutcreative.com

So what do you think is wrong?

Actually, I myself am out of options. Perhaps someone else has a great idea?

At a glance, the configuration looks valid to me.

The HTTP part isn’t applying to http://nutcreative.com/ or http://www.nutcreative.com/ either.

Are you sure the configuration is getting loaded? When you reload Nginx, are you sure there aren’t any errors?

What does “nginx -T” output?

Edit: s/nutt/nut/

With that you're especially referring to the redirect not being in effect, correct?

First it is nutcreative not “nutt…”

The configuration is fine, it works for over 6 domains.

nginx -T
gives me:

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

@Osiris The redirect works

Right now it is delaying an important project.

The things I have tried so far:

  1. Deleted the live and renewal of demo.wpnaija.com and nutcreative as well.
  2. Recreated nutcreative first, then demo.wpnaija.com.
  3. I still have the same error.

Maybe I'm missing something, but for me the redirect is not working, at least for the conf you are showing:

nutcreative.com doesn't redirect to https, and it should because of your return 301 directive.

$ curl -ILk http://nutcreative.com
HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Tue, 18 Apr 2017 22:55:37 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://nutcreative.com/wp-json/>; rel="https://api.w.org/"

www.nutcreative.com doesn't redirect to https and it should because of your return 301 directive, it only redirects to http://nutcreative.com.

$ curl -ILk http://www.nutcreative.com
HTTP/1.1 301 Moved Permanently
Server: nginx/1.10.0 (Ubuntu)
Date: Tue, 18 Apr 2017 22:59:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: http://nutcreative.com/

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Tue, 18 Apr 2017 22:59:45 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Link: <http://nutcreative.com/wp-json/>; rel="https://api.w.org/"

I suppose you have changed your conf since your post... but something strange is that you are redirecting nutcreative.com and www.nutcreative.com to demo.wpnaija.com with a 302 redirect.

$ curl -ILk https://nutcreative.com
HTTP/1.1 302 Found
Server: nginx/1.10.0 (Ubuntu)
Date: Tue, 18 Apr 2017 23:03:13 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Location: https://demo.wpnaija.com/

HTTP/1.1 200 OK
Server: nginx/1.10.0 (Ubuntu)
Date: Tue, 18 Apr 2017 23:03:14 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Vary: Accept-Encoding, Cookie
Cache-Control: max-age=3, must-revalidate
WP-Super-Cache: Served supercache file from PHP

You should have defined a 302 redirect somewhere in your conf, double check it.

Good luck.
sahsanu
