Two DNS labels have certs but offering the same cert


Created two new certs for two DNS labels {geburtstag,www} works as expected.
But triggers a browser warning that the cert would belong to
I changed the certbot version from Debian Stretch to stretch-backports.
And can’t remember when I created which cert exactly. Maybe that’s the point.

The full story:

My domain is:

and the two DNS labels I requested certs for are

I ran this command:
systemctl stop nginx
certbot certonly -d
certbot certonly -d

It produced this output:

all commands succeeded as expected

My web server is (include version):
looser@computer ~ # nginx -v
nginx version: nginx/1.14.0

The operating system my web server runs on is (include version):
looser@computer ~ # uname -a
Linux computer-neu 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u1 (2018-08-03) x86_64 GNU/Linux
A freshly installed stretch with nginx taken from stretch-backports

My hosting provider, if applicable, is: but this doesn’t matter
(bare-metal root server)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, and even boot a rescue system over pxe with preconfigured image over NFS
Doesn’t matter.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No. I’m a GNU only guy.

Having issued the commands above I started the webserver again
looser@computer ~ # systemctl start nginx

The works like a charm (if I manage to handle the content)
But results in browser warning that the certificate belongs to

Digging into it:
looser@computer ~ # pwd

looser@computer looser@computer # grep pem {geburtstag,www}*graf*
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
looser@computer  /etc/nginx/conf.d # grep pem {geburtstag,www}*graf*
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;
    ssl_certificate /etc/letsencrypt/live/;
    ssl_certificate_key /etc/letsencrypt/live/;

# pretty OK then

looser@computer  /etc/letsencrypt # ls -l live/{geburtstag,www}
total 4
lrwxrwxrwx 1 root root  48 Aug 15 21:27 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root  49 Aug 15 21:27 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root  53 Aug 15 21:27 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root  51 Aug 15 21:27 privkey.pem -> ../../archive/
-rw-r--r-- 1 root root 543 Aug 15 21:27 README

total 4
lrwxrwxrwx 1 root root  41 Aug 16 04:42 cert.pem -> ../../archive/
lrwxrwxrwx 1 root root  42 Aug 16 04:42 chain.pem -> ../../archive/
lrwxrwxrwx 1 root root  46 Aug 16 04:42 fullchain.pem -> ../../archive/
lrwxrwxrwx 1 root root  44 Aug 16 04:42 privkey.pem -> ../../archive/
-rw-r--r-- 1 root root 682 Aug 16 04:42 README

I also diffed to make sure that the certs differ as expected.

And tried some other stupid things, like force renewing the cert for, revoking all and let certbot delete 'em in order to finally create a new one.
Nada, nothing, niente. still offers the wrong cert.
So I’m lost.

The DNS entries are just A records with no pinning or whatsoever. (except for DKIM and DMARC mail text records)



Can you please take a look at the Is there a Listen 443 for this virtual host?

Thank you



server {
        server_name ;
        listen         443;       

        ssl             on;
        ssl_certificate /etc/letsencrypt/live/;
        ssl_certificate_key /etc/letsencrypt/live/;

I even remembered that I once used the --nginx option with certbot but can’t tell when exactly.
Sorry for having forgotten to mention this in the first place.


Hi @Ihack

every vHost can have one certificate.

So you can create one certificate with three names:

certbot certonly -d,,

That should work if it worked creating two certificates.

Then you can add this single certificate to every vHost.


Did you actually spell it with a ‘j’ in the config?


@JuergenAuer Thanks, I didn’t know that I can have a single cert for different labels. I immediately switched to this because it eases administration. Thank You very much!


@jmorahan You are so fu** right!!
Thank You very much.
As always: a layer 8 problem.

Problem solved.

Except for the fact that Sonia is the daughter of a passed away friend of mine.
And Sonja is a girl I fell in love with 40 years ago.
Badly, I’m so old that no psychiatrist will be able to fix this.

Thanks all.
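
Added example, not part of any post in this thread: a small check that reproduces the failure mode resolved above, where a misspelled server_name makes nginx fall back to the default server for port 443 and present that server's certificate. The hostnames under example.org, the sample config and the function names are constructed for illustration; only flat server blocks and exact server_name matches are handled.

```python
import re

# Constructed sample: placeholder hostnames; the second server_name is
# misspelled ('j' for 'i') while its certificate path is spelled correctly.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name www.example.org;
    ssl_certificate /etc/letsencrypt/live/www.example.org/fullchain.pem;
}
server {
    listen 443 ssl;
    server_name geburtstag.sonja.example.org;
    ssl_certificate /etc/letsencrypt/live/geburtstag.sonia.example.org/fullchain.pem;
}
"""

def parse_tls_servers(conf):
    """Parse flat server blocks (no nested braces) that listen on 443."""
    servers = []
    for body in re.findall(r"server\s*\{([^{}]*)\}", re.sub(r"#.*", "", conf)):
        d = {}
        for stmt in body.split(";"):
            words = stmt.split()
            if words:
                d.setdefault(words[0], []).append(words[1:])
        listens = d.get("listen", [])
        if any(a and "443" in a[0] for a in listens):
            servers.append({
                "names": [n for args in d.get("server_name", []) for n in args],
                "cert": d.get("ssl_certificate", [[None]])[0][0],
                "default": any("default_server" in a for a in listens),
            })
    return servers

def cert_served_for(host, servers):
    """Return (cert_path, matched_by_name) for the block nginx would select.
    Simplified: exact server_name match, else the default server (explicit
    default_server, otherwise the first block defined for the port)."""
    for s in servers:
        if host in s["names"]:
            return s["cert"], True
    default = next((s for s in servers if s["default"]), servers[0])
    return default["cert"], False

def audit(hosts, conf=SAMPLE_CONF):
    """Map each hostname a cert was issued for to the cert it would receive."""
    servers = parse_tls_servers(conf)
    return {h: cert_served_for(h, servers) for h in hosts}
```

Calling `audit()` with the names the certificates were issued for shows any hostname whose second tuple element is `False`, meaning no server block names it and the default server's certificate is offered instead.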

