Three Domains getting Confused

My domain is:

advanceroofing.co.nz
grafterroofing.co.nz
balcluthaglass.co.nz

I ran this command:

certbot certificates

It produced this output:

Found the following certs:
Certificate Name: advanceroofing.co.nz
Serial Number: 45e2eadef36f3a4fb52b4ddba4488ff34b8
Domains: advanceroofing.co.nz www.advanceroofing.co.nz
Expiry Date: 2020-10-26 21:23:52+00:00 (VALID: 70 days)
Certificate Path: /etc/letsencrypt/live/advanceroofing.co.nz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/advanceroofing.co.nz/privkey.pem
Certificate Name: balcluthaglass.co.nz
Serial Number: 47f5fe102197c7f2c75b5d25614a8e95e27
Domains: balcluthaglass.co.nz www.balcluthaglass.co.nz
Expiry Date: 2020-05-10 21:05:44+00:00 (INVALID: EXPIRED)
Certificate Path: /etc/letsencrypt/live/balcluthaglass.co.nz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/balcluthaglass.co.nz/privkey.pem
Certificate Name: grafterroofing.co.nz
Serial Number: 3ca7a3399fe3d06f7d84a66a2f2a9bf540c
Domains: grafterroofing.co.nz www.grafterroofing.co.nz
Expiry Date: 2020-11-13 17:09:25+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/grafterroofing.co.nz/fullchain.pem
Private Key Path: /etc/letsencrypt/live/grafterroofing.co.nz/privkey.pem

My web server is (include version):

nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version):

Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is:

n/a

I can login to a root shell on my machine (yes or no, or I don’t know):

yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot 1.7.0

Further Information
All three domains were being served from the same machine with the public IP address of 192.241.203.130

The domain balcluthaglass.co.nz has moved to a different server. That domain has an active Let’s Encrypt certificate. However, when visiting the domain my browser reports that the domain is not secure. At the moment I am not trying to resolve that issue. I am trying to determine why the other two domains are not setup correctly.

The domain advanceroofing.co.nz and the domain grafterglass.co.nz both have the same three issues. I’ll describe the issues for advanceroofing.co.nz.

Issue 1.
SSL cert for advanceroofing.co.nz has Subject Alternative Names (SANs) which differ:
balcluthaglass.co.nz
www.balcluthaglass.co.nz

Issue 2.
The certificate has expired.

Issue 3.
The hostname (advanceroofing.co.nz) does NOT match the Common Name in the certificate (balcluthaglass.co.nz). This certificate is currently invalid for this host.

DNS
advanceroofing.co.nz resolves to 192.241.203.130.

What steps should I take to begin to resolve these issues?

2 Likes

Welcome. Let’s see what we can do for you.

My initial leaning is to suggest getting a proper certificate for your domains. I’m doing a little research now.

Some history https://crt.sh/?q=advanceroofing.co.nz :

1 Like

So you’ve got more than a few things going astray…

First off, your site does not seem to redirect from http to https. Secondly, see the images below:

1 Like

This is absolutely true. Even though you do have an unexpired Let's Encrypt cert (and 2 unexpired CloudFlare certs) per crt.sh | advanceroofing.co.nz, it appears you have the wrong certificate (ie balcluthaglass.co.nz) installed for advanceroofing.co.nz.

We can see crt.sh | balcluthaglass.co.nz :

1 Like

Looking at the wrong certificate you’re serving for advanceroofing.co.nz, its serial number begins with:
04:7f:5f

This certificate that expired on 5/10/2020 only covers the domains:
balcluthaglass.co.nz
www.balcluthaglass.co.nz

1 Like

Meanwhile, for balcluthaglass.co.nz, you’re serving a certificate that is nowhere close to your domain. See the images below:

1 Like

So… considering these factors, I would suggest the following:

  1. For advanceroofing.co.nz, you should fix the redirect from http to https. You should install the Let’s Encrypt certificate you’ve already created that expires 10/26/2020 with serial number beginning with 04:5e:2e.

  2. For balcluthaglass.co.nz, you should fix the redirect from http to https. You could install the Let’s Encrypt certificate you’ve already created that expires 10/19/2020 with serial number beginning with 04:38:39. Keep in mind that this certificate doesn’t cover *.balcluthaglass.co.nz like your previous certificates. I recommend that you generate and install a new Let’s Encrypt certificate that covers both balcluthaglass.co.nz and *.balcluthaglass.co.nz.

1 Like

As for grafterglass.co.nz, let’s take a look…

According to GoDaddy, this domain isn’t registered at all:

1 Like

Pardon me. The correct domain is grafterroofing.co.nz

2 Likes

Let’s take a look at grafterroofing.co.nz :

Per https://crt.sh/?q=grafterroofing.co.nz :

1 Like

This comment also applies for grafterroofing.co.nz.

You seem to have 3 unexpired Let's Encrypt certificates for grafterroofing.co.nz, but only the latest certificate expiring 11/13/2020 with serial number beginning with 03:ca:7a covers both grafterroofing.co.nz and www.grafterroofing.co.nz. It's not a wildcard (*.) certificate, but it would probably satisfy your needs if you don't want to generate a new wildcard certificate.

1 Like

If I just enter the domain I get a redirect to www.balcluthaglass.co.nz on plain http (unencrypted). If I explicitly go to https://www.balcluthaglass.co.nz I get an expired certificate for another website altogether.

The question comes automatic: did you install the certificate when you moved servers?

2 Likes

These are the same issue. Your webserver is sending the wrong certificate. Certificate which has expired and cannot be renewed because the domain names for which it is are pointing to another server.

You need to configure your webserver for advanceroofing.co.nz, www.advanceroofing.co.nz to use this certificate:

2 Likes

@9peppe
Were my explanations not thorough enough? :thinking:

2 Likes

Probably too much, as they were really too long for me to read. :smiley: :wink:

2 Likes

I got TL;DRed :pensive:

Glad we independently came to the same conclusion though. :kissing_heart:

My only concern is that it's possible that @budasy might not have the private keys corresponding to the correct certificates, in which case he would need to regenerate all of the certificates with the correct domain combinations.

2 Likes

This is probably not an issue (if they can run certbot certificates they can also access the keys, I'd say).

I'm more worried the new hosting they choose for balcluthaglass.co.nz isn't too happy to play along with Let's Encrypt.

2 Likes

That’s possibly true. I mean, there’s always the client I have on my website to fallback on, but not as preferable as something more automated.

1 Like

I’m looking forward to being able to get back to this. I’ve been caught in a bureaucratic whirlpool and it’s taken me away from the task at hand.

thanks for your inputs,

2 Likes

You’re welcome. We can get things straightened out when you have time. :slightly_smiling_face:

1 Like