Subdomain suddenly giving certificate error

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: 2test.fe.premiermobility.net

I ran this command: open in browser (Chrome on laptop and mobile, Edge, Samsung Internet browser)

It produced this output:
This server could not prove that it is 2test.fe.premiermobility.net; its security certificate is from premiermobility.default.premiermobility.uk0.bigv.io. This may be caused by a misconfiguration or an attacker intercepting your connection.

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Debian 8.11 jessie

My hosting provider, if applicable, is: Bytemark

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a (Symbiosis?)

This subdomain has been in use for a couple of years with no problems, but now gives the error message as above. The main domain and other subdomains seem to be OK.

Let's debug gives the following output:

All OK!

No issues were found with 2test.fe.premiermobility.net. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

1 Like

Hi @MikeGeorge

the result is expected, see your check, 10 minutes old - https://check-your-website.server-daten.de/?q=2test.fe.premiermobility.net

The certificate

CN=www.2test.fe.premiermobility.net
	13.12.2020
	13.03.2021
expires in 90 days	www.2test.fe.premiermobility.net - 1 entry

has only one domain name, 2test.fe.premiermobility.net is missing -> Grade N.

Your old certificate

Issuer not before not after Domain names LE-Duplicate next LE
R3 2020-12-12 2021-03-12 www.2test.fe.premiermobility.net - 1 entries
Let's Encrypt Authority X3 2020-10-04 2021-01-02 2test.fe.premiermobility.net, www.2test.fe.premiermobility.net - 2 entries

had both domain names, your new only one, so the non-www version isn't secure.

Create one certificate with both domain names.

Letsdebug doesn't check such existing certificate configurations.

1 Like

Thank you @JuergenAuer.

I've always relied on Symbiosis to install and renew my letsencrypt certificates and I don't know how this changed or how to put it right. I'll check the Bytemark documentation again, but any tips for correcting this would be very much appreciated!

1 Like

You have created the wrong certificate if you want to use the non-www version.

works, that's

https://www.2test.fe.premiermobility.net/

the www version.

What's your client, what's your command? Add the non-www domain name.

1 Like

I'm not sure what you mean by client and command. All certificates on my server are generated automatically by Symbiosis and I've never created or edited one except with the symbiosis-ssl command.

1 Like

Then that command

is wrong or that tool has a wrong configuration.

So check the documentation of that tool.

Read

that symbiosis-ssl may be your ACME-client.

1 Like

Bytemark Symbiosis

Bytemark Symbiosis

1 Like

Thanks @rg305, my server is on Debian 8.11 but I think the letsencrypt configuration is the same. I'll check in the morning.

This domain and a few others have been in use for a couple of years and previous automatic renewals of the certificates have been OK, so I've emailed Bytemark support to ask if there's been any change.

2 Likes

I'm afraid I don't have the technical knowledge to understand the solutions given here so I used the sledgehammer approach - I deleted all the config files for the domain and let Symbiosis rebuild them from scratch. The new certificate that was generated now covers the www and non-www variants.

Thank you for your help.

2 Likes

Then your config was buggy.

Individual, unknown ACME-client -> nobody knows how that works.

Happy to read you have found a solution. :+1:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.