I'm not seeing that error from that domain: did you fix it by yourself?
Hi @prakash_nov07,
Here SSL Server Test: nhps.siddhantait.com (Powered by Qualys SSL Labs) is showing "Certificate name mismatch"
And here is a list of issued certificates https://crt.sh/?q=siddhantait.com
Edit - I suspect there is a configuration issue with serving certificates, in that the proper one isn't being selected based off of the FQDN.
And here SSL Server Test: nhps.siddhantait.com (Powered by Qualys SSL Labs) you can see
And certificate 2
$ openssl s_client -showcerts -servername nhps.siddhantait.com -connect nhps.siddhantait.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R10
verify return:1
depth=0 CN = adarsh-vidyalaya.siddhantait.com
verify return:1
---
Certificate chain
0 s:CN = adarsh-vidyalaya.siddhantait.com
i:C = US, O = Let's Encrypt, CN = R10
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 10 15:51:52 2025 GMT; NotAfter: Apr 10 15:51:51 2025 GMT
1 s:C = US, O = Let's Encrypt, CN = R10
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Mar 13 00:00:00 2024 GMT; NotAfter: Mar 12 23:59:59 2027 GMT
---
Server certificate
subject=CN = adarsh-vidyalaya.siddhantait.com
issuer=C = US, O = Let's Encrypt, CN = R10
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3190 bytes and written 406 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE
This site https://www.thesslstore.com/ssltools/why-no-padlock.php#results shows "The domain name does not match the certificate common name or SAN!"
Edit 2
Definitely an intermittent issue
Successful.
$ curl -Ii https://nhps.siddhantait.com
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Tue, 04 Feb 2025 20:44:10 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
FAILURE!
$ curl -Ii https://nhps.siddhantait.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'nhps.siddhantait.com'
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
Hi @prakash_nov07,
Please show the output of sudo nginx -T
And if you use Certbot please show the output of sudo certbot certificates
No sir, It's not fixed. Kindly find the link below.
As @Bruce5051 pointed out, your domain sometimes returns the correct result and sometimes uses the wrong certificate. Many test sites show the same problem. See SSL Labs and note Certificate #1 and #2: SSL Server Test: nhps.siddhantait.com (Powered by Qualys SSL Labs)
I would first try restarting nginx. Otherwise, please show the output Bruce requested. And not as a video please. Just copy / paste text or upload a .txt file.
The upper case T is essential. You can put its very long output in a file doing:
sudo nginx -T >upload.txt
and upload that file. nginx will show you two lines but the file will be large.
# These commands were issued within seconds of each other
echo|openssl s_client -connect nhps.siddhantait.com:443 2>&1 | grep 's:CN'
0 s:CN = adarsh-vidyalaya.siddhantait.com
echo|openssl s_client -connect nhps.siddhantait.com:443 2>&1 | grep 's:CN'
0 s:CN = nhps.siddhantait.com
echo|openssl s_client -connect nhps.siddhantait.com:443 2>&1 | grep 's:CN'
0 s:CN = adarsh-vidyalaya.siddhantait.com
nginx_T.txt (528.4 KB)
certbot_certificates.txt (52.6 KB)
I don't see anything wrong with that nginx config.
Was nginx running when you ran the command to get that nhps certificate?
Because there is a known bug in Certbot using the --nginx plugin if you do not have nginx running when using that command. It will start nginx but not using systemd. If you normally use systemd (and most systems do) this can create two nginx systems.
The easiest way to fix that is to reboot your server. But, you have so many server blocks I can see that would be disruptive. You did not provide any info about your o/s in your first post.
But, this command could identify this problem before rebooting.
sudo ps -eF | grep -i 'nginx' | grep -v grep
If you use systemd this is also useful
sudo systemctl status -l --no-pager nginx
My O/s is ubuntu. I will reboot the server when the load is minimum and then answer. Thanks
Show the output of those two commands and we can see whether you need to or not
certbot_certificates.txt (52.6 KB)
nginx_T.txt (528.4 KB)
No I meant to show output of these two
sudo ps -eF | grep -i 'nginx' | grep -v grep
www-data 343914 4150339 0 33663 62360 0 Jan27 ? 01:27:15 nginx: worker process
www-data 904651 4150339 0 33218 60972 0 08:07 ? 00:03:04 nginx: worker process
www-data 904652 4150339 0 33086 60556 4 08:07 ? 00:00:07 nginx: worker process
www-data 904653 4150339 0 33152 60876 3 08:07 ? 00:00:29 nginx: worker process
www-data 904654 4150339 0 33086 60556 3 08:07 ? 00:00:01 nginx: worker process
www-data 904655 4150339 0 33086 60492 1 08:07 ? 00:00:00 nginx: worker process
www-data 904656 4150339 0 33086 46272 0 08:07 ? 00:00:00 nginx: worker process
www-data 904657 4150339 0 33086 46272 0 08:07 ? 00:00:00 nginx: worker process
www-data 904658 4150339 0 33086 55812 1 08:07 ? 00:00:00 nginx: worker process
root 4150339 1 0 33009 51832 1 2024 ? 00:44:45 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
sudo systemctl status -l --no-pager nginx
nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-09-18 06:39:30 UTC; 4 months 18 days ago
Docs: man:nginx(8)
Process: 719317 ExecReload=/usr/sbin/nginx -g daemon on; master_process on; -s reload (code=exited, status=0/SUCCESS)
Main PID: 4150339 (nginx)
Tasks: 10 (limit: 19139)
Memory: 2.5G
CPU: 1d 11h 1min 24.692s
CGroup: /system.slice/nginx.service
├─ 343914 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904651 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904652 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904653 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904654 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904655 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904656 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904657 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
├─ 904658 "nginx: worker process" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" "" ""
└─4150339 "nginx: master process /usr/sbin/nginx -g daemon on; master_process on;"
Jan 29 03:54:18 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloading A high performance web server and a reverse proxy server...
Jan 29 03:54:18 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Jan 31 16:21:11 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloading A high performance web server and a reverse proxy server...
Jan 31 16:21:12 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Jan 31 16:23:03 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloading A high performance web server and a reverse proxy server...
Jan 31 16:23:03 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Feb 01 01:49:47 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloading A high performance web server and a reverse proxy server...
Feb 01 01:49:48 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
Feb 02 05:20:58 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloading A high performance web server and a reverse proxy server...
Feb 02 05:20:59 lemp43onubuntu2204-s-4vcpu-8gb-blr1-01 systemd[1]: Reloaded A high performance web server and a reverse proxy server.
That is unusual. But, the top worker process looks wrong. It has the correct parent PID but note the date (Jan27) is different than all the rest.
Try first reloading nginx. A reload is not disruptive. Then check the ps -eF command again. If it still has an "old" worker then you will need to reboot your server.
Reloading the server did not help, but restarting it solved the issue.
https://www.ssllabs.com/ssltest/analyze.html?d=nhps.siddhantait.com
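The two things the replies above looked for in the `ps -eF` output (more than one nginx master, and a worker whose start time differs from its siblings), as an added example that is not part of the original thread. The function names are hypothetical, the sample is a trimmed copy of the lines posted above, and the "most common STIME" rule is an assumed heuristic.

```shell
#!/bin/sh
# Constructed sample: a trimmed copy of the `ps -eF` lines posted in the thread.
sample_ps() {
cat <<'EOF'
www-data 343914 4150339 0 33663 62360 0 Jan27 ? 01:27:15 nginx: worker process
www-data 904651 4150339 0 33218 60972 0 08:07 ? 00:03:04 nginx: worker process
www-data 904652 4150339 0 33086 60556 4 08:07 ? 00:00:07 nginx: worker process
www-data 904653 4150339 0 33152 60876 3 08:07 ? 00:00:29 nginx: worker process
root 4150339 1 0 33009 51832 1 2024 ? 00:44:45 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
EOF
}

# Count nginx master processes in `ps -eF` output read from stdin.
# More than one master suggests a second nginx started outside systemd.
count_masters() {
    awk '$11 == "nginx:" && $12 == "master" { n++ } END { print n + 0 }'
}

# Print "PID STIME" for every worker whose start time (column 8) differs
# from the most common start time among workers of the same master.
# Heuristic only: STIME has minute granularity, and a worker respawned
# after a crash will also stand out.
stale_workers() {
    awk '
    $11 == "nginx:" && $12 == "worker" {
        pid[++n] = $2; ppid[n] = $3; stime[n] = $8
        seen[$3 SUBSEP $8]++
    }
    END {
        # Find the modal STIME per parent (master) PID.
        for (k in seen) {
            split(k, p, SUBSEP)
            if (seen[k] > best[p[1]]) { best[p[1]] = seen[k]; mode[p[1]] = p[2] }
        }
        for (i = 1; i <= n; i++)
            if (stime[i] != mode[ppid[i]]) print pid[i], stime[i]
    }'
}

# Demo on the sample; on a real host use: ps -eF | stale_workers
echo "masters: $(sample_ps | count_masters)"
echo "workers with an odd start time:"
sample_ps | stale_workers
```
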