SSL Report : Certificate name mismatch


#1

Debian Server: Jessie 4.5.7
Apache: 2.4

Hello, I have a funny problem:
I have 2 domains at my Hoster: OVH that point to my machine:

Blockquote “Https://www.ssllabs.com/ssltest/analyze.html?d=kameleon.fr” = “Certificate name mismatch”

Yet I have 1 Vhost for each domain.

Do you have an idea ? And if I made a bad configuration LetsEncrypt for Kameleon.fr, how can I delete the certificate to simply extend that of Lucifart.com?

Thank you.


#2

Hi,

It seems that you could use two setups,

  1. Add another vHost listening to 443 for kameleon.fr, set the certificate you got from certbot to this vHost,then the kameleon.fr or the other might show “need SNI” for ssltest. (But that’s fine)
  2. Add another vHost listening 443 for kameleon.fr, extend the current certificate for lucifart.com to include kameleon.fr and set the included certificate to this vHost (however you’ll still need to use SNI if both site are serving different content)

Just run certbot delete (to delete the old certificate), then certbot --expand(to expand the current certificate)

Thank you


#3

… specifying all of the names with -d options in a single Certbot command.


#4

Thanks guys, I’ll make tests tomorrow :slight_smile:


#5

Hi,
I’m not sure I understand the command “delete”. I go to : /etc/letsencrypt/live and I run the command but I get an error ;

argument --cert-path is required

Maybe a dumb question :crazy_face:, but what does it mean “cert-path” ? Do I need to indicate the complete path to my cert ? Thx


#6

Yes… (My bad)

You will first need to run certbot certificates, find the certificate you want to delete, record the path for that (the full chain one). Then run certbot delete --cert-path [your cert path]


#7

I’m still very confusing, certbot always return error " certbot: error: unrecognized arguments: --cert-name lucifart.com "
Do I have an old version of LetsEncrypt ? How can I know ? What is strange, if I run :

renew --dry-run

it works. Many errors, but works.

Thanks.


#8

Maybe. What does “certbot --version” say?

If it’s version 0.10.2 from jessie-backports, it’s too old. You could use certbot-auto, or use rm to delete certificates.

I’m not sure you do need to delete any certificates, though.


#9

certbot 0.8.1

Mmm… I need an update.


#10

Hi guys, back to the front :slight_smile: !!

Certbot updated !! Peace of cake to delete my old certs :yum: Great job LetsEncrypters, really easiest to understand.

Thanks a lot.


#11

One more Hi :slight_smile:
My cert is ok now, thanks, and I cleaned up orphans too.

But I’ve a specific question because I’m using WordPress MU ;

  • my main site (attached to my domain) display well the green padlock, but when I switch to my sub-site (sub-directory configuration ; /domaine/sub-site , my adress is also https but no padlock anymore.

I tried plugin to try to fix mixed-content, but nothing change.

And I would prefer a non-plugin solution. Maybe htaccess/Apache re-write approche ?

Certbot has propose 2 options :

Please choose whether HTTPS access is required or optional.

1: Easy - Allow both HTTP and HTTPS access to these sites
2: Secure - Make all requests redirect to secure HTTPS access

But I choose the first one during installation. I don’t know if I can rollback.

I know now, it could be easier if I had chosen “sub-domain” installation.

If anybody have an idea :slight_smile:

Thanks.


#12

Hi,

In that case, can you share us an example? (Usually it’s die to the MU background set to http instead of https…or using drag and drop builder like breaver builder which will not update to https when site address changed.)


#13

So quick answer @stevenzhu :slight_smile:

Yes : kameleon.fr main site (my work) and Kameleon.fr (my shop)

Everything is working for the moment, admin et front. But for a Shop, not really cool to not have a padlok.


#14

Hi,

Please take a look at this page (a full analysis of that page)
https://www.whynopadlock.com/results/2e70931a-a5f6-47eb-bdcc-1f8f15bf5836

There’s a simple fix…
Move all your http configs to https then set 301 redirect from http to https (aka always on https)

Then reboot apacje server & refresh browser cache.


#15

Use Chrome or FireFox (Desktop), then

CTRL + Shift + I

then open the console. There you can find all errors.


#16

I thought I did it, but ok, I will read the page and verify :wink: I read a lot these days, I’m loosing my french :slight_smile: Thanks Steven.
Best regards.


#17

Thanks Juergen, I wiil do :slight_smile:


#18

I run a server that supplies hosting for about 20 wordpress sites. I decided that it was better to issue a certificate for each site.
Then to control the site through their separate virtual host configurations

This is my virtualhost conf file … as you see I do my rewrite rules inside the apache file rather than a htaccess file. I found I needed this line in the ssl conf for the site to stop getting SNI errors SSLStrictSNIVHostCheck off.

There are very few browsers around without SNI support today.

<VirtualHost *:80>
UseCanonicalName Off
ServerAdmin admin@example.org
ServerAlias www.example.org
ServerName example.org
#If you want to force https remove the hash from the following line
Redirect permanent / https://example.org

VirtualDocumentRoot /var/www/html/example.org/
DirectoryIndex index.php
Options All

    RewriteEngine On
    RewriteRule  ^/wp-admin/$ /wp-admin/index\.php [R=301,L]
    RewriteRule ^/uploads/(.*)$ /var/www/html/example.org/wp-content/uploads/$1 [L,NC]
    RewriteRule ^/wp-content/uploads/(.*)$ /var/www/html/example.org/wp-content/uploads/$1 [L]
    RewriteRule ^/wp-content/(.*)$ /var/www/html/example.org/wp-content/$1
    RewriteRule ^index\.php$ - [L]

For permalinks to work

    RewriteCond /var/www/html/example.org/%{REQUEST_URI} !-f
    RewriteCond /var/www/html/example.org/%{REQUEST_URI} !-d
    RewriteRule . /var/www/html/example.org/index.php [L]

#In case permalinks dont work … according to Debian Wiki

Options FollowSymLinks
AllowOverride All
Require all granted

#CustomLog /var/log/apache2/access.log vhost_combined
#Switch these on and turn the above setting off if there are problems
CustomLog /var/log/apache2/example.org-access.log common
ErrorLog /var/log/apache2/example.org-error.log

this is needed when activating multisite, WP needs to to a

fopen(“http://randomname.domain.com”) to verify

that apache is correctly configured

php_admin_flag allow_url_fopen on

<VirtualHost *:443>
UseCanonicalName Off
ServerAdmin admin@example.org
ServerAlias www.example.org
ServerName example.org
SSLEngine On
SSLCertificateFile /etc/letsencrypt/live/example.org/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.org/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateChainFile /etc/letsencrypt/live/example.org/fullchain.pem
SSLStrictSNIVHostCheck off

VirtualDocumentRoot /var/www/html/example.org/
DirectoryIndex index.php
Options All

    RewriteEngine On
    RewriteRule  ^/wp-admin/$ /wp-admin/index\.php [R=301,L]
    RewriteRule ^/uploads/(.*)$ /var/www/html/example.org/wp-content/uploads/$1 [L,NC]
    RewriteRule ^/wp-content/uploads/(.*)$ /var/www/html/example.org/wp-content/uploads/$1 [L]
    RewriteRule ^/wp-content/(.*)$ /var/www/html/example.org/wp-content/$1
    RewriteRule ^index\.php$ - [L]

For permalinks to work

    RewriteCond /var/www/html/example.org/%{REQUEST_URI} !-f
    RewriteCond /var/www/html/example.org/%{REQUEST_URI} !-d
    RewriteRule . /var/www/html/example.org/index.php [L]

#In case permalinks dont work … according to Debian Wiki

Options FollowSymLinks
AllowOverride All
Require all granted

#CustomLog /var/log/apache2/access.log vhost_combined
##In case of problems use the following logs instead
CustomLog /var/log/apache2/example.org-access.log common
ErrorLog /var/log/apache2/example.org-error.log

this is needed when activating multisite, WP needs to to a

fopen(“http://randomname.domain.com”) to verify

that apache is correctly configured

#php_admin_flag allow_url_fopen on


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.