The Certificate has a name mismatch

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: mail.4elife.net - 4elife.net

I ran this command: sudo certbot --nginx -d mail.4elife.net -d www.mail.4elife.net

It produced this output: You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/mail.4elife.net.conf)

It contains these names: mail.4elife.net

You requested these names for the new certificate: mail.4elife.net,
www.mail.4elife.net.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate for mail.4elife.net and www.mail.4elife.net

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/mail.4elife.net/fullchain.pem
Key is saved at: /etc/letsencrypt/live/mail.4elife.net/privkey.pem
This certificate expires on 2024-08-08.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Could not install certificate

NEXT STEPS:

  • The certificate was saved, but could not be installed (installer: nginx). After fixing the error shown below, try installing it again by running:
    certbot install --cert-name mail.4elife.net

Could not automatically find a matching server block for DOMAION. Set the server_name directive to use the Nginx installer.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

My web server is (include version): Ubuntu 20.04

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no - using putty

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.21.0

I then used this command: sudo nginx -T | grep -Ei 'include|server_name|virtual'

And the output was: nginx: [warn] conflicting server name "_" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "_" on [::]:80, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
include /etc/nginx/conf-enabled/*.conf;
include /etc/nginx/sites-enabled/*.conf;
include /etc/nginx/mime.types;

Note: This file must be loaded before other virtual host config files,

server_name _;
include /etc/nginx/templates/misc.tmpl;
include /etc/nginx/templates/ssl.tmpl;
include /etc/nginx/templates/iredadmin.tmpl;
include /etc/nginx/templates/roundcube.tmpl;
include /etc/nginx/templates/sogo.tmpl;
include /etc/nginx/templates/netdata.tmpl;
include /etc/nginx/templates/php-catchall.tmpl;
include /etc/nginx/templates/stub_status.tmpl;
include /etc/nginx/templates/hsts.tmpl;
include uwsgi_params;

Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]

uwsgi_param SERVER_NAME $server_name;

Running Roundcube as a subfolder on an existing virtual host

include /etc/nginx/templates/hsts.tmpl;
include /etc/nginx/templates/fastcgi_php.tmpl;

include fastcgi_params;
fastcgi_param SERVER_NAME $server_name;
include /etc/nginx/templates/hsts.tmpl;

Running netdata as a subfolder to an existing virtual host

include /etc/nginx/templates/fastcgi_php.tmpl;
include fastcgi_params;

Note: This file must be loaded before other virtual host config files,

server_name _;

Note: This file must be loaded before other virtual host config files,

server_name _;

Hi @HGMNinja, and welcome to the LE community forum :slight_smile:

DOMAION ?

And, are you going to use the cert for a website?
[looks like a mail cert by name]

What shows?;
certbot certificates

2 Likes

Hi @rg305 it's for a mail server.

certbot certificates shows:

Found the following certs:
Certificate Name: mail.4elife.net
Serial Number: 49fa8bdd02d4f13497ba005dc6c107d1029
Key Type: RSA
Domains: mail.4elife.net www.mail.4elife.net
Expiry Date: 2024-08-08 07:21:12+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/mail.4elife.net/fullchain.pem
Private Key Path: /etc/letsencrypt/live/mail.4elife.net/privkey.pem

OK, so you have the cert you need for the mail server.
Do you know how to get the mail server to use it?
[certbot --nginx won't do that]

2 Likes

Also, the domain is used for iredmail and Roundcube Webmail.

No, I don't know how to get it working. mxtoolbox for 4elife.net and mail.4elife.net show different issues? Which is why I began to pursue the troubleshooting. But don't know where to go from this point.

I believe it says the new cert containing the www version isn't installed and waiting for the certbot update?

I'm also not sure if the main domain 4elife.net is covered by the mail.4elife.net certificate. So was about to install one for a new virtual host I added for the 4elife.net domain.

Thank you by the way. I appreciate it.

Email servers generally only need one FQDN.
They can serve many domains/subdomains, but their name is singular.
The EHLO/HELO name used by the server should match the rDNS entry for the outbound IP:

Name:    mail.4elife.net
Address: 146.59.233.14

How it uses TLS/SSL certs is outside the scope of this forum.
You have a valid cert that can be used for:

  • mail.4elife.net
  • www.mail.4elife.net

[I suspect you only really needed the first name]
As shown, by the rDNS, MX, and SPF records for your domain and IP:

"v=spf1 +a +mx +ip4:68.65.121.137 include:spf.web-hosting.com +ip4:198.54.125.95 +ip4:146.59.233.14 ~all"
4elife.net      MX preference = 0, mail exchanger = mail.4elife.net
mail.4elife.net internet address = 146.59.233.14
2 Likes

Also, SPF records work best with "-all".
"~all" essentially says "and there may be others" without specifying those IPs.
That leaves your domain open to be spoofed by every IP on the Internet.

That said, you must include all the IPs and domains/ESPs that are to be considered as allowed senders on your behalf in the SPF record or they will be blocked by anyone using SPF to block receiving emails from IPs that are not included in SPF records.

2 Likes

Thanks for that. I believe I've solved some of the issues by adding server_name mail.4elife.net www.mail.4elife.net; to the vhost. (apache talk)?
Now when I run the following command it seems to have installed cert for both domains with and without www.

sudo certbot install --cert-name mail.4elife.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Deploying certificate
Successfully deployed certificate for mail.4elife.net to /etc/nginx/sites-enabled/00-default-ssl.conf
Successfully deployed certificate for www.mail.4elife.net to /etc/nginx/sites-enabled/00-default-ssl.conf

I will have to check the mxtool later after a while for things to propagate.

Much appreciated for your help.

1 Like

Now you have a web site for those names.
That doesn't do much for the SMTP service.
[unless you are also trying to do something along the lines of webmail]

2 Likes

No, this is purely a mail server. Or an attempt at one. It's pretty much working but I want to eliminate most if not all of the errors and warnings mxtools kicks out.

And what might they be?

Then you don't need a web site.
Not even one just to get/renew the cert.
If you don't use Apache for anything else, I would uninstall it.

2 Likes

Thanks. The other errors are dns and mx saying DNS Record not found. I'm speaking to namecheap at the moment about that. Those are the errors (along with one black list - which I'm working toward fixing.)

There's also a DMARC Quarantine/Reject policy not enabled WARNING. Which I hope to address as the first warning issue after fixing the errors. There's only the 3 mentioned, dns, mx and the black list. My server isn't used for anything dodgy so not sure why it's blacklisted.

I just access the iRedMail admin and sometimes roundcube through the domain name.

Oh also, in fixing the 4elife.net certificate issue (now solved), I'm now getting a too many redirects when I visit the domain name. I'm also asking on Stackoverflow about that, but they're usually not very helpful for me as a non developer. Not sure why?

I don't see that IP listed on any significant block lists:
MultiRBL.valli.org - Results of the query 146.59.233.14

Well, it's redirecting the HTTPS requests to itself [that creates a loop - and is then (at some count) considered too many redirections]:

curl -Ii https://4elife.net/     <<<<<<<<<<<<<<<<<<<< HTTPS request on site
HTTP/2 301     <<<<<<<<<<<<<<<<<<<< redirect
server: nginx
date: Fri, 10 May 2024 10:44:21 GMT
content-type: text/html
content-length: 162
location: https://4elife.net/     <<<<<<<<<<<<<<<<<<<< go to... same site!
x-frame-options: sameorigin
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-download-options: noopen
x-permitted-cross-domain-policies: none
content-security-policy: default-src https: data: 'unsafe-inline' 'unsafe-eval'
referrer-policy: strict-origin
2 Likes

The vhost config file is very different to what I normally see. But I'm new to nginx. Here's the vhost file. Any ideas which piece needs cutting?

# HTTP
server {
    # Listen on ipv4

    server_name _;
    # I added the line below to solve: Could not automatically find a matching server block for mail.4elife.net. Set the `server_name` directive to use the Nginx installer.
    server_name 4elife.net www.4elife.net;

    # Redirect all insecure http:// requests to https://
    return 301 https://$host$request_uri;

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/4elife.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/4elife.net/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.4elife.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = 4elife.net) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name _;
    server_name 4elife.net www.4elife.net;
    return 404; # managed by Certbot
}

This is the redirection loop culprit:

That must have come from the HTTP server block - it can't be in the HTTPS server block.

3 Likes
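To make the culprit mechanical rather than something you spot by eye, here is an added example (this editor's, not code from the thread or from nginx): a small Python checker that walks an nginx config, isolates each top-level server block, and flags any block that both listens on 443 and carries an unconditional return 301 https://... at its top level, which is exactly the shape that produces the loop shown in the curl output above. It runs against a constructed copy of the posted vhost (reduced to the directives that matter) and against a corrected layout in which the plain-HTTP block owns the redirect and the TLS block only serves. The corrected layout is a suggestion, not something posted in the thread; the certificate paths are the ones certbot wrote above, and root /var/www/html is an assumed document root.

```python
"""Flag nginx server blocks that redirect HTTPS requests back to https:// (added example)."""
import re

# Constructed copy of the vhost posted above, reduced to the directives that matter.
# The 301 lives in the block that also listens on 443, so HTTPS requests loop.
LOOPING_CONFIG = """
server {
    server_name _;
    server_name 4elife.net www.4elife.net;
    return 301 https://$host$request_uri;
    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/4elife.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/4elife.net/privkey.pem; # managed by Certbot
}
server {
    if ($host = www.4elife.net) { return 301 https://$host$request_uri; } # managed by Certbot
    if ($host = 4elife.net) { return 301 https://$host$request_uri; } # managed by Certbot
    listen 80;
    listen [::]:80;
    server_name 4elife.net www.4elife.net;
    return 404; # managed by Certbot
}
"""

# Suggested layout (this editor's, not from the thread): the plain-HTTP block owns the
# redirect; the TLS block terminates TLS and serves. root is an assumed document root.
FIXED_CONFIG = """
server {
    listen 80;
    listen [::]:80;
    server_name 4elife.net www.4elife.net;
    return 301 https://$host$request_uri;   # only here, never in a 443 block
}
server {
    listen 443 ssl;
    listen [::]:443 ssl ipv6only=on;
    server_name 4elife.net www.4elife.net;
    ssl_certificate /etc/letsencrypt/live/4elife.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/4elife.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    root /var/www/html;
}
"""


def strip_comments(text):
    """Drop '#' comments so 'managed by Certbot' notes do not confuse the scanner."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def server_blocks(config):
    """Yield the body of each top-level server { ... } block, nested blocks included."""
    text = strip_comments(config)
    pos = 0
    while True:
        m = re.search(r"\bserver\s*{", text[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, i = 1, start
        while depth and i < len(text):  # brace matching
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        yield text[start:i - 1]
        pos = i


def top_level_directives(body):
    """Directives at depth 0 of a block body as (name, [args]); nested if/location blocks skipped."""
    out, depth, buf = [], 0, ""
    for ch in body:
        if ch == "{":
            depth, buf = depth + 1, ""
        elif ch == "}":
            depth, buf = depth - 1, ""
        elif ch == ";" and depth == 0:
            parts = buf.split()
            if parts:
                out.append((parts[0], parts[1:]))
            buf = ""
        elif depth == 0:
            buf += ch
    return out


def find_https_self_redirects(config):
    """Blocks that listen on 443 and unconditionally return 301 to https://: the loop pattern."""
    findings = []
    for n, body in enumerate(server_blocks(config), 1):
        directives = top_level_directives(body)
        listens = [" ".join(a) for name, a in directives if name == "listen"]
        names = [x for name, a in directives if name == "server_name" for x in a]
        tls = any(re.search(r"(^|:)443\b", l) for l in listens)
        redirects = [a for name, a in directives
                     if name == "return" and len(a) > 1 and a[0] == "301" and a[1].startswith("https://")]
        if tls and redirects:
            findings.append({"block": n, "server_name": names, "listen": listens,
                             "return": " ".join(redirects[0])})
    return findings


if __name__ == "__main__":
    print("posted vhost:", find_https_self_redirects(LOOPING_CONFIG))
    print("fixed vhost:", find_https_self_redirects(FIXED_CONFIG))
```

Run it against the real file with `find_https_self_redirects(open("/etc/nginx/sites-enabled/00-default-ssl.conf").read())`; the checker only reads top-level directives, so certbot's conditional `if ($host = ...) { return 301 ... }` in the port-80 block is correctly ignored, and `nginx -t` followed by `curl -I https://4elife.net/` should then return a 200 rather than a 301 to itself.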

MXTOOLBOX shows:

I only see two things [circled] to worry about.

2 Likes

Welcome to nginx! Thanks, that solved that problem.

1 Like