Two DNS labels have certs but offering the same cert


#1

Created two new certs for two DNS labels {geburtstag,www}.sonia-graf.de
geburtstag.sonia-graf.de works as expected.
But www.sonia-graf.de triggers a browser warning that the cert would belong to geburtstag.sonia-graf.de
I changed the certbot version from Debian Stretch to stretch-backports.
And I can’t remember when I created which cert exactly. Maybe that’s the point.

The full story:

My domain is:
sonia-graf.de

and the two DNS labels I requested certs for are
www.sonia-graf.de
geburtstag.sonia-graf.de

I ran this command:
systemctl stop nginx
certbot certonly -d geburtstag.sonia-graf.de
certbot certonly -d www.sonia-graf.de

It produced this output:

all commands succeeded as expected

My web server is (include version):
looser@computer ~ # nginx -v
nginx version: nginx/1.14.0

The operating system my web server runs on is (include version):
looser@computer ~ # uname -a
Linux computer-neu 4.9.0-7-amd64 #1 SMP Debian 4.9.110-3+deb9u1 (2018-08-03) x86_64 GNU/Linux
A freshly installed stretch with nginx taken from stretch-backports

My hosting provider, if applicable, is:
hetzner.de but this doesn’t matter
(bare-metal root server)

I can login to a root shell on my machine (yes or no, or I don’t know):
Yes, and even boot a rescue system over pxe with preconfigured image over NFS
Doesn’t matter.

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
No. I’m a GNU only guy.

Having issued the commands above, I started the webserver again
looser@computer ~ # systemctl start nginx

https://geburtstag.sonia-graf.de works like a charm (if I manage to handle the content)
But https://www.sonia-graf.de results in browser warning that the certificate belongs to geburtstag.sonia-graf.de

Digging into it:
looser@computer ~ # pwd
/etc/nginx/conf.d

looser@computer  /etc/nginx/conf.d # grep pem {geburtstag,www}*graf*
geburtstag.sonia-graf.de.conf:    ssl_certificate /etc/letsencrypt/live/geburtstag.sonia-graf.de/fullchain.pem;
geburtstag.sonia-graf.de.conf:    ssl_certificate_key /etc/letsencrypt/live/geburtstag.sonia-graf.de/privkey.pem;
www.sonia-graf.de.conf: ssl_certificate /etc/letsencrypt/live/www.sonia-graf.de/fullchain.pem;
www.sonia-graf.de.conf: ssl_certificate_key /etc/letsencrypt/live/www.sonia-graf.de/privkey.pem;

# pretty OK then

looser@computer  /etc/letsencrypt # ls -l live/{geburtstag,www}.sonia-graf.de
live/geburtstag.sonia-graf.de:
total 4
lrwxrwxrwx 1 root root  48 Aug 15 21:27 cert.pem -> ../../archive/geburtstag.sonia-graf.de/cert1.pem
lrwxrwxrwx 1 root root  49 Aug 15 21:27 chain.pem -> ../../archive/geburtstag.sonia-graf.de/chain1.pem
lrwxrwxrwx 1 root root  53 Aug 15 21:27 fullchain.pem -> ../../archive/geburtstag.sonia-graf.de/fullchain1.pem
lrwxrwxrwx 1 root root  51 Aug 15 21:27 privkey.pem -> ../../archive/geburtstag.sonia-graf.de/privkey1.pem
-rw-r--r-- 1 root root 543 Aug 15 21:27 README

live/www.sonia-graf.de:
total 4
lrwxrwxrwx 1 root root  41 Aug 16 04:42 cert.pem -> ../../archive/www.sonia-graf.de/cert1.pem
lrwxrwxrwx 1 root root  42 Aug 16 04:42 chain.pem -> ../../archive/www.sonia-graf.de/chain1.pem
lrwxrwxrwx 1 root root  46 Aug 16 04:42 fullchain.pem -> ../../archive/www.sonia-graf.de/fullchain1.pem
lrwxrwxrwx 1 root root  44 Aug 16 04:42 privkey.pem -> ../../archive/www.sonia-graf.de/privkey1.pem
-rw-r--r-- 1 root root 682 Aug 16 04:42 README

I also diffed them to make sure the certs differ as expected.

And I tried some other stupid things, like force-renewing the cert for www.sonia-graf.de, revoking all of them and letting certbot delete ’em in order to finally create a new one.
Nada, nothing, niente.
www.sonia-graf.de still offers the wrong cert.
So I’m lost.

The DNS entries are just A records with no pinning or whatsoever. (except for DKIM and DMARC mail text records)


#2

Hi,

Can you please take a look at www.sonia-graf.de.conf? Is there a listen 443 for this virtual host?

Thank you


#3

@stevenzhu:

server {
        server_name    www.sonja-graf.de ;
        listen         443;       

        ssl             on;
        ssl_certificate /etc/letsencrypt/live/www.sonia-graf.de/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/www.sonia-graf.de/privkey.pem;
        --cut---

I even remembered that I once used the --nginx option with certbot but can’t tell when exactly.
Sorry for having forgotten to mention this in the first place.


#4

Hi @Ihack

every vHost can have one certificate.

So you can create one certificate with three names:

certbot certonly -d sonja-graf.de,www.sonia-graf.de,geburtstag.sonia-graf.de

That should work if it worked creating two certificates.

Then you can add this single certificate to every vHost.


#5

Did you actually spell it with a ‘j’ in the config?
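The mechanism behind the symptom in post #1 and the typo spotted in post #5: nginx matches the SNI name against each block’s server_name, and when nothing matches it falls back to the default server for that port, which is the first block listening on 443 in load order unless one is marked default_server. Since www.sonja-graf.de never matches a request for www.sonia-graf.de, the geburtstag block answers with its own certificate. The following script is an added example, not code from the thread or from nginx; it reconstructs the two conf.d files from the posts (including the ‘sonja’ typo) as constructed input, simulates that selection, and flags server blocks whose certbot lineage does not match the name they serve. The lineage check reads the /etc/letsencrypt/live/<name>/ path and is a heuristic: it is exact for the single-name certs in this thread, but a multi-name cert is named after its first -d and would be under-reported.

```python
"""Simulate nginx's TLS virtual-host selection for a hostname and flag
server blocks whose certbot lineage does not cover the name they serve.
Constructed example; CONFIGS is a reconstruction of the thread's two
conf.d files (with the 'sonja' typo), not the poster's real files."""
import re

# Constructed stand-in for /etc/nginx/conf.d/*.conf contents.
CONFIGS = {
    "geburtstag.sonia-graf.de.conf": """
server {
    listen 443 ssl;
    server_name geburtstag.sonia-graf.de;
    ssl_certificate /etc/letsencrypt/live/geburtstag.sonia-graf.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/geburtstag.sonia-graf.de/privkey.pem;
}
""",
    "www.sonia-graf.de.conf": """
server {
    server_name www.sonja-graf.de ;
    listen 443;
    ssl on;
    ssl_certificate /etc/letsencrypt/live/www.sonia-graf.de/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/www.sonia-graf.de/privkey.pem;
}
""",
}

BLOCK_RE = re.compile(r"server\s*\{(.*?)\}", re.S)           # flat blocks only
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+([^;]*?)\s*;", re.M)  # "key value ;"


def parse_servers(configs):
    """Return server blocks as dicts in nginx load order (the conf.d glob
    is expanded in sorted filename order)."""
    servers = []
    for fname in sorted(configs):
        for body in BLOCK_RE.findall(configs[fname]):
            d = {"file": fname, "names": [], "listen": set(),
                 "default": False, "cert": None}
            for key, val in DIRECTIVE_RE.findall(body):
                if key == "server_name":
                    d["names"] += val.split()
                elif key == "listen":
                    parts = val.split()
                    d["listen"].add(parts[0].rsplit(":", 1)[-1])  # "[::]:443" -> "443"
                    if "default_server" in parts:
                        d["default"] = True
                elif key == "ssl_certificate":
                    d["cert"] = val
            servers.append(d)
    return servers


def select_server(servers, host, port="443"):
    """Block nginx uses for SNI/Host `host` on `port`: exact server_name
    match first, else the default server for that port (first block
    listening there unless one says default_server). Wildcard and regex
    server_names are not modelled."""
    candidates = [s for s in servers if port in s["listen"]]
    for s in candidates:
        if host.lower() in (n.lower() for n in s["names"]):
            return s
    for s in candidates:
        if s["default"]:
            return s
    return candidates[0] if candidates else None


def cert_lineage(path):
    """Certbot lineage name from /etc/letsencrypt/live/<lineage>/...
    Heuristic: equals the certified name only for single-name certs."""
    m = re.search(r"/live/([^/]+)/", path or "")
    return m.group(1) if m else None


def audit(servers, hosts, port="443"):
    """Map each host to (answering file, cert lineage, ok). ok is True only
    when the host matched a server_name AND that block's lineage is the host."""
    report = {}
    for host in hosts:
        s = select_server(servers, host, port)
        if s is None:
            report[host] = ("no server", None, False)
            continue
        matched = host.lower() in (n.lower() for n in s["names"])
        lineage = cert_lineage(s["cert"])
        report[host] = (s["file"], lineage, matched and lineage == host.lower())
    return report


if __name__ == "__main__":
    servers = parse_servers(CONFIGS)
    hosts = ["geburtstag.sonia-graf.de", "www.sonia-graf.de"]
    for host, (f, lineage, ok) in audit(servers, hosts).items():
        print(f"{host}: served by {f}, cert lineage {lineage}, {'OK' if ok else 'MISMATCH'}")
```

Run against the constructed input, www.sonia-graf.de is reported as served by geburtstag.sonia-graf.de.conf with the geburtstag lineage, which is exactly the browser warning in post #1; correcting the server_name to www.sonia-graf.de makes the audit pass. The same fall-through is why a real deployment should give port 443 an explicit default_server block with its own certificate, so that a typo or an unknown SNI name never leaks a neighbour’s certificate.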


#6

@JuergenAuer Thanks, I didn’t know that I can have a single cert for different labels. I immediately switched to this because it eases administration. Thank you very much!


#7

@jmorahan You are so fu** right!!
Thank You very much.
As always: a layer 8 problem.

Problem solved.

Except for the fact that Sonia is the daughter of a friend of mine who passed away.
And Sonja is a girl I fell in love with 40 years ago.
Sadly, I’m so old that no psychiatrist will be able to fix this.

Thanks all.

