Created two new certs for two DNS labels {geburtstag,www}.sonia-graf.de
geburtstag.sonia-graf.de works as expected.
But www.sonia-graf.de triggers a browser warning that the cert belongs to geburtstag.sonia-graf.de
I changed the certbot version from Debian Stretch to stretch-backports.
And I can't remember when I created which cert exactly. Maybe that's the point.
The full story:
My domain is:
“sonia-graf.de”
and the two DNS labels I requested certs for are
www.sonia-graf.de
geburtstag.sonia-graf.de
I ran this command:
systemctl stop nginx
certbot certonly -d geburtstag.sonia-graf.de
certbot certonly -d www.sonia-graf.de
It produced this output:
all commands succeeded as expected
My web server is (include version):
looser@computer ~ # nginx -v
nginx version: nginx/1.14.0
The operating system my web server runs on is (include version):
looser@computer ~ # uname -a
Linux computer-neu 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u1 (2018-08-03) x86_64 GNU/Linux
A freshly installed stretch with nginx taken from stretch-backports
My hosting provider, if applicable, is:
hetzner.de but this doesn’t matter
(bare-metal root server)
I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, and I can even boot a rescue system over PXE with a preconfigured image over NFS.
Doesn’t matter.
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No. I’m a GNU only guy.
Having issued the commands above, I started the web server again:
looser@computer ~ # systemctl start nginx
https://geburtstag.sonia-graf.de works like a charm (if I manage to handle the content).
But https://www.sonia-graf.de results in a browser warning that the certificate belongs to geburtstag.sonia-graf.de.
Digging into it:
looser@computer ~ # pwd
/etc/nginx/conf.d
looser@computer /etc/nginx/conf.d # grep pem {geburtstag,www}*graf*
geburtstag.sonia-graf.de.conf: ssl_certificate /etc/letsencrypt/live/geburtstag.sonia-graf.de/fullchain.pem;
geburtstag.sonia-graf.de.conf: ssl_certificate_key /etc/letsencrypt/live/geburtstag.sonia-graf.de/privkey.pem;
www.sonia-graf.de.conf: ssl_certificate /etc/letsencrypt/live/www.sonia-graf.de/fullchain.pem;
www.sonia-graf.de.conf: ssl_certificate_key /etc/letsencrypt/live/www.sonia-graf.de/privkey.pem;
# pretty OK then
looser@computer /etc/letsencrypt # ls -l live/{geburtstag,www}.sonia-graf.de
live/geburtstag.sonia-graf.de:
total 4
lrwxrwxrwx 1 root root 48 Aug 15 21:27 cert.pem -> ../../archive/geburtstag.sonia-graf.de/cert1.pem
lrwxrwxrwx 1 root root 49 Aug 15 21:27 chain.pem -> ../../archive/geburtstag.sonia-graf.de/chain1.pem
lrwxrwxrwx 1 root root 53 Aug 15 21:27 fullchain.pem -> ../../archive/geburtstag.sonia-graf.de/fullchain1.pem
lrwxrwxrwx 1 root root 51 Aug 15 21:27 privkey.pem -> ../../archive/geburtstag.sonia-graf.de/privkey1.pem
-rw-r--r-- 1 root root 543 Aug 15 21:27 README
live/www.sonia-graf.de:
total 4
lrwxrwxrwx 1 root root 41 Aug 16 04:42 cert.pem -> ../../archive/www.sonia-graf.de/cert1.pem
lrwxrwxrwx 1 root root 42 Aug 16 04:42 chain.pem -> ../../archive/www.sonia-graf.de/chain1.pem
lrwxrwxrwx 1 root root 46 Aug 16 04:42 fullchain.pem -> ../../archive/www.sonia-graf.de/fullchain1.pem
lrwxrwxrwx 1 root root 44 Aug 16 04:42 privkey.pem -> ../../archive/www.sonia-graf.de/privkey1.pem
-rw-r--r-- 1 root root 682 Aug 16 04:42 README
I also diff'ed the certs to make sure that they differ as expected.
And I tried some other stupid things, like force-renewing the cert for www.sonia-graf.de, revoking all of them and letting certbot delete 'em in order to finally create a new one.
Nada, nothing, niente.
www.sonia-graf.de still offers the wrong cert.
So I’m lost.
The DNS entries are just A records with no pinning or anything (except for the DKIM and DMARC mail TXT records).
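The symptom above (the www name answered with the geburtstag certificate, even though both conf.d files point at the right `fullchain.pem`) is the one nginx produces when no server block that listens on port 443 has a `server_name` matching the SNI name the browser sends: nginx then falls back to the default server for that port, which, absent `default_server`, is simply the first block listening on it, and conf.d files are included in alphabetical order, so `geburtstag.sonia-graf.de.conf` comes before `www.sonia-graf.de.conf`. The post does not show the `listen`/`server_name` lines, so the configs below are constructed assumptions about what the two files might contain, not the poster's actual files. The script is an added example, not code from the original post or from nginx/certbot; it simulates nginx's vhost selection (exact `server_name` match, then `default_server`, then first block on the port; wildcard and regex names and per-address listens are ignored) and reports which certificate each SNI name would be served.

```python
"""Simulate which nginx server block, and therefore which certificate, answers a
TLS request for a given SNI name. Added example; the configs are constructed to
reproduce the reported symptom and are assumptions about the poster's setup."""
import re
from dataclasses import dataclass, field


@dataclass
class Server:
    listens: list = field(default_factory=list)  # (port, ssl, default_server)
    names: list = field(default_factory=list)    # server_name arguments
    cert: str = ""                               # ssl_certificate path


_TOKEN = re.compile(r'\s*(\{|\}|;|[^\s;{}]+)')


def tokenize(text):
    """Split nginx config text into directive words and the { } ; punctuation."""
    return _TOKEN.findall(re.sub(r'#.*', '', text))


def _apply(server, stmt):
    name, args = stmt[0], stmt[1:]
    if name == 'listen':
        addr = args[0]  # forms: 80 | 443 ssl | [::]:443 ssl | 0.0.0.0:443
        m = re.search(r':(\d+)$', addr) or re.fullmatch(r'(\d+)', addr)
        port = int(m.group(1)) if m else 80
        server.listens.append((port, 'ssl' in args, 'default_server' in args))
    elif name == 'server_name':
        server.names.extend(args)
    elif name == 'ssl_certificate':
        server.cert = args[0]


def parse_servers(text):
    """Return the server blocks in config order (nested http{} and location{} ok)."""
    toks, servers = tokenize(text), []

    def block(i, server):
        stmt = []
        while i < len(toks):
            t = toks[i]
            i += 1
            if t == '{':
                if stmt and stmt[0] == 'server':
                    s = Server()
                    i = block(i, s)
                    servers.append(s)
                else:
                    i = block(i, None)  # http{} / location{}: descend, ignore directives
                stmt = []
            elif t == '}':
                return i
            elif t == ';':
                if server is not None and stmt:
                    _apply(server, stmt)
                stmt = []
            else:
                stmt.append(t)
        return i

    block(0, None)
    return servers


def select_server(servers, port, sni):
    """nginx rule (simplified): exact name match, else default_server, else first."""
    candidates = [s for s in servers if any(p == port for p, _, _ in s.listens)]
    if not candidates:
        return None
    for s in candidates:
        if sni in s.names:
            return s
    for s in candidates:
        if any(p == port and d for p, _, d in s.listens):
            return s
    return candidates[0]


def served_cert(config_text, sni, port=443):
    """Path of the certificate nginx would present for this SNI name, or None."""
    s = select_server(parse_servers(config_text), port, sni)
    return s.cert if s else None


# Constructed: conf.d is included alphabetically, so the geburtstag block comes first.
BROKEN_CONF = """
server {
    listen 443 ssl;
    server_name geburtstag.sonia-graf.de;
    ssl_certificate /etc/letsencrypt/live/geburtstag.sonia-graf.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/geburtstag.sonia-graf.de/privkey.pem;
}
server {
    listen 80;   # assumed mistake: no 'listen 443 ssl', so TLS never reaches this block
    server_name www.sonia-graf.de;
    ssl_certificate /etc/letsencrypt/live/www.sonia-graf.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.sonia-graf.de/privkey.pem;
}
"""
FIXED_CONF = BROKEN_CONF.replace("listen 80;", "listen 443 ssl;")

if __name__ == "__main__":
    for label, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        for host in ("geburtstag.sonia-graf.de", "www.sonia-graf.de"):
            print(f"{label:6} {host:26} -> {served_cert(conf, host)}")
```

On the real host the same two checks are `nginx -T` (dump the effective config and look at every `listen`/`server_name` pair on 443) and `openssl s_client -servername www.sonia-graf.de -connect www.sonia-graf.de:443 </dev/null | openssl x509 -noout -text | grep -A1 'Subject Alternative'`, which shows which names the certificate actually handed out for that SNI name covers.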