Wrong certificate loading

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: alkarkhi.org

I ran this command: certbot certonly --manual --preferred-challenges=dns --email dodyjassim@hotmail.no --server https://acme-v02.api.letsencrypt.org/directory --agree-tos -d *.alkarkhi.org -d alkarkhi.org

It produced this output:

Warning: Potential Security Risk Ahead

Firefox detected a potential security threat and did not continue to alkarkhi.org. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.

Web sites prove their identity via certificates. Firefox does not trust this site because it uses a certificate that is not valid for alkarkhi.org. The certificate is only valid for the following names: *.alkarkhi.com, alkarkhi.com, temp.m.alkarkhi.com

Error code: SSL_ERROR_BAD_CERT_DOMAIN

My web server is (include version): Apache 2.4.38

The operating system my web server runs on is (include version): Linux server 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64 GNU/Linux

My hosting provider, if applicable, is: https://evolution-host.com/

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No, ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.14.0

I own both domains alkarkhi.com and alkarkhi.org. The alkarkhi.org domain loads the wrong certificate despite creating a certificate for alkarkhi.org. Both domains are pointing to different IPs.

1 Like

Creating a certificate by itself isn't enough: when using certonly you're required to manually install it in your webserver.

Also, I see you've created MANY certificates for your .com domain:

https://crt.sh/?Identity=alkarkhi.com&deduplicate=Y

Please refrain from issuing duplicate certificates for no good reason.

1 Like

What do you mean? Should I omit certonly?

1 Like

I'm not sure if I can explain it any simpler, but I'll try: if you tell certbot it should only get a certificate, but not install it (which the subcommand certonly means, please look in the certbot documentation if you don't know what a command actually means and/or does), then your webserver doesn't know the certificate exists. You need to configure your webserver manually for it to actually use the certificate.

If you want certbot to install the certificate into your Apache for you, you should omit certonly indeed. You could add -i apache to tell certbot to use the apache plugin as an installer.

Also, as you've already got a certificate, you should specify --keep on the command line for this time (not for renewals in the future), so you won't issue a new duplicate certificate for no good reason.

1 Like

I got this output:

No vhost exists with servername or alias for domain *.alkarkhi.org. No vhost was selected. Please specify ServerName or ServerAlias in the Apache config. No vhost selected

1 Like

Should I add *alkarkhi.org to servername?

1 Like

Silly me. I used the wrong IP for DNS. Problem solved.

2 Likes
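
A check for the situation in this thread, added here as an example and not posted by anyone in the thread: it resolves a name, records which IP answered, reads the names in the certificate served there, and applies the same name-matching rule that produced SSL_ERROR_BAD_CERT_DOMAIN. The function names are assumptions made for this example; it also shows why the original command needed both -d *.alkarkhi.org and -d alkarkhi.org.

```python
import socket
import ssl
import sys

def san_matches(hostname, san):
    """True if one certificate dNSName entry covers hostname (RFC 6125 rules)."""
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern):
        return False  # "*" stands for exactly one label, never zero or two
    if pattern[0] == "*":
        # wildcard only as the whole left-most label, and not directly on a TLD
        return len(pattern) > 2 and host[1:] == pattern[1:]
    return host == pattern

def covering_names(hostname, sans):
    """Return the SAN entries that make the certificate valid for hostname."""
    return [s for s in sans if san_matches(hostname, s)]

def served_names(hostname, port=443, timeout=5):
    """Resolve hostname, connect with SNI, return (ip, dNSName list) of the served cert."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; the name is checked by us
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        ip = raw.getpeername()[0]  # the address DNS actually sent us to
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return ip, [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    ip, sans = served_names(name)
    hits = covering_names(name, sans)
    print(f"{name} -> {ip} serves a certificate for {sans}")
    print("OK, covered by " + ", ".join(hits) if hits else
          "MISMATCH: check the DNS record and which vhost/certificate answers on that IP")
```

If the printed IP is not the server the certificate was installed on, the DNS record is the thing to fix, not the certificate.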
