Wrong certificate after server move - nginx


#1

I’ve been trying to move a site that was hosted on its own server to a server that will be shared with another site (the first site is being phased out so cutting down on hosting costs). I’ve moved everything over and generated new certificates for the domain on the new server successfully using

certbot certonly --standalone --preferred-challenges http-01 -d vendorengrams.xyz -d www.vendorengrams.xyz

The certificate was generated correctly, installed, and shows up under certbot certificates.

The site is powered by nginx and is set up to run only in https mode and without the www. This is the nginx sites-available file for the site:

server
{
        listen 80;
        listen [::]:80;
        server_name vendorengrams.xyz;
        return 301 https://vendorengrams.xyz$request_uri;
}

server
{
        listen 80;
        listen [::]:80;
        listen 443;
        listen [::]:443;
        server_name www.vendorengrams.xyz;
        return 301 https://vendorengrams.xyz$request_uri;
        ssl_certificate /etc/letsencrypt/live/vendorengrams.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/vendorengrams.xyz/privkey.pem;
}

server 
{

        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        root /var/www/html/vendorengrams.xyz/public_html;

        index index.html index.htm index.php;
        server_name vendorengrams.xyz;

        ssl_certificate /etc/letsencrypt/live/vendorengrams.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/vendorengrams.xyz/privkey.pem;
}

When I try to visit the site on the new server (DNS switchover completed), however, I get errors from the browser saying NET::ERR_CERT_COMMON_NAME_INVALID. If I examine the certificate in the browser it shows it’s using the certificate for one of the other domains on the server.

It would seem the fault lies with the nginx setup pulling the wrong certificate, or redirecting to the other site by default, but this is the exact same config file used on the previous server…


#2

Hi @jskrwyk

your second part is “special”. If you have a 443 listen and a redirect to https / port 443, this is a loop.

So remove your second server completely and add the server name www … to your first server. And your third server should have the same two server_names.


#3

I’ve changed the config to be

server
{
        listen 80;
        listen [::]:80;
        server_name www.vendorengrams.xyz vendorengrams.xyz;
        return 301 https://vendorengrams.xyz$request_uri;
}

server
{
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        root /var/www/html/vendorengrams.xyz/public_html;

        index index.html index.htm index.php;
        server_name vendorengrams.xyz www.vendorengrams.xyz;

        ssl_certificate /etc/letsencrypt/live/vendorengrams.xyz/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/vendorengrams.xyz/privkey.pem;
}

but the issue is occurring just the same. The previous setup had been running successfully for over a year on the old server.


#4

This domain is correct. But your non-www and your www version have different ip addresses:

D:\temp>nslookup www.vendorengrams.xyz.
Name: www.vendorengrams.xyz
Addresses: 2a01:7e00::f03c:91ff:fe97:a567
139.162.240.44

D:\temp>nslookup vendorengrams.xyz.
Name: vendorengrams.xyz
Addresses: 2a01:7e00::f03c:91ff:fe97:a567
45.79.133.131

Your 139-address has the name mystraldesign.com, your 45-address the name vendorengrams.xyz.

So it looks like you have a wrong ip configuration.


#5

That’s strange…

The 139. address is the new server (which is also hosting the mystraldesign.com domain), the 45. address is the old server. The name-servers haven’t changed, though, and both the www and non-www entry have the 139. entry in the DNS manager of the hosting company (using their name-servers).

I just ran an nslookup and I’m getting the correct responses:

iMac:lets jskrwyk$ nslookup vendorengrams.xyz

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: vendorengrams.xyz
Address: 139.162.240.44

iMac:lets jskrwyk$ nslookup www.vendorengrams.xyz

Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
Name: www.vendorengrams.xyz
Address: 139.162.240.44

It would also appear that the domain is going to the correct server with both addresses (www and non-www), as the incorrect certificate that is being served is one from a domain hosted on that server: the certificate for api.mystral.xyz.


#6

The problem is fixed. It was a bad symbolic link between the nginx sites-available and sites-enabled directories causing the server to use the default config, hence why the wrong certificate was showing.
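The root cause in #6 is a broken sites-enabled symlink, which silently drops the vhost so nginx falls back to the default server (and its certificate) for that SNI name. The following check script is an added example, not from the thread or the nginx project; it assumes the Debian-style sites-available/sites-enabled layout and an OpenSSL 1.1.1+ `openssl` binary for the optional live check.

```bash
#!/bin/sh
# audit_site_links ENABLED_DIR AVAILABLE_DIR
# Prints one line per entry in ENABLED_DIR that is not a symlink resolving to a
# file inside AVAILABLE_DIR; returns 0 when every entry is healthy, 1 otherwise.
# Usage: audit_site_links /etc/nginx/sites-enabled /etc/nginx/sites-available
audit_site_links() {
    enabled="$1"
    available=$(readlink -f "$2")      # canonical path for the prefix match below
    rc=0
    for link in "$enabled"/*; do
        # skip the literal glob pattern when the directory is empty
        [ -e "$link" ] || [ -L "$link" ] || continue
        name=$(basename "$link")
        if [ ! -L "$link" ]; then
            # a copied file works today but will drift from sites-available
            echo "NOT A SYMLINK: $name"
            rc=1
        elif [ ! -e "$link" ]; then
            # dangling link: nginx never loads this vhost, default server answers instead
            echo "DANGLING: $name -> $(readlink "$link")"
            rc=1
        else
            target=$(readlink -f "$link")
            case "$target" in
                "$available"/*) ;;
                *) echo "OUTSIDE sites-available: $name -> $target"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# served_cert_sans HOSTNAME [IP]
# Prints the subjectAltName of the certificate nginx actually returns for the
# given SNI name, so it can be compared with the name you expected (needs network).
served_cert_sans() {
    host="$1"
    ip="${2:-$1}"
    printf '' | openssl s_client -connect "$ip:443" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName 2>/dev/null
}
```

After `nginx -t && systemctl reload nginx`, running `served_cert_sans vendorengrams.xyz` should list the domain in the SAN output; a SAN for a different site means the request still lands on the default server.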
