Www giving error SSL_ERROR_BAD_CERT_DOMAIN


#1

I recently followed the instructions here:
https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04

To set up certs for two of my domains. Everything turned out perfect, but when I access the domains using https://www in Firefox and IE I get the SSL_ERROR_BAD_CERT_DOMAIN error.

In Chrome the redirects kick in and everything works fine.

https://domain.com | works
https://www.domain.com | SSL_ERROR_BAD_CERT_DOMAIN
http://www.domain.com | redirects to https://domain.com perfectly
http://domain.com | redirects to https://domain.com perfectly

Is there a certain way redirects to remove www. should be done with SSL?


#2

The certificate has to include the name www.domain.com and the web server has to be configured to use it.

E.g. you might use “sudo certbot --apache -d domain.com -d www.domain.com”.

What does “sudo certbot certificates” display?

Chrome ignores this error.


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):


#3

Thanks for the quick response!

I used the command “sudo certbot certificates” and got the following.

I believe when I set this up the first time, I selected option 2 for my vhosts file and the setup failed. That second key looks to be what happened when I tried again using only one domain.

Found the following certs:
Certificate Name: brandoncaballero.com
Domains: brandoncaballero.com www.brandoncaballero.com
Expiry Date: 2019-03-27 17:07:14+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/brandoncaballero.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/brandoncaballero.com/privkey.pem
Certificate Name: brandoncaballero.com-0001
Domains: brandoncaballero.com
Expiry Date: 2019-03-27 17:24:32+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/brandoncaballero.com-0001/fullchain.pem
Private Key Path: /etc/letsencrypt/live/brandoncaballero.com-0001/privkey.pem
#4

That cert is not the one being served.
Have you restarted the web server since you got that new cert?


#5

I would have to disagree on the use of the word “perfectly”.
Yes, it may redirect (as you instructed it), but “perfectly” will imply different things to different people…
To me it includes “best practices” - which these redirects do not.

It is considered best practice to first redirect
http to https (keeping the same FQDN),
then to redirect
one secure name to another secure name (https://www.domain.com to just https://domain.com)
[or vice versa, depending on your preference - some people like to see the www]


#6

Thanks for your help. I have restarted the server and I’m seeing the same result. My end goal is to have all 4 combinations end up at https://domain.com. What is the best way to do this?

Currently I have an A record pointed at the IP of the server and a CNAME for the www as an alias of the domain. To start, would that be correct?


#7

Hi @brandonflatsoda

Your DNS settings are irrelevant if you want to manage your redirects.

Your redirects are incomplete:

Domainname | Http-Status | redirect | Sec. | G
http://brandoncaballero.com/ (107.170.104.137) | 301 | https://brandoncaballero.com/ | 0.197 | A
http://www.brandoncaballero.com/ (107.170.104.137) | 301 | http://brandoncaballero.com/ | 0.197 | D
https://www.brandoncaballero.com/ (107.170.104.137) | 301 | http://brandoncaballero.com/ | 2.093 | N
Certificate error: RemoteCertificateNameMismatch
https://brandoncaballero.com/ (107.170.104.137) | 200 | | 2.360 | B

But first test something like

certbot --reinstall -d brandoncaballero.com -d www.brandoncaballero.com

so Certbot should install the correct certificate, not the wrong one.


#8

Thank you for the help JuergenAuer, I get the following when trying your command:

Keeping the existing certificate
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

We were unable to find a vhost with a ServerName or Address of www.brandoncaballero.com.
Which virtual host would you like to choose?


1: 000-default.conf | | | Enabled
2: 000-default-le-ssl.conf | brandoncaballero.com | HTTPS | Enabled
#9

Ok in each vhost config add:
ServerAlias www.brandoncaballero.com
[just below ServerName brandoncaballero.com]


#10

Your web server should respond to both names and both protocols:
[and they should redirect in this way “>”]

For this, you will need to get a cert with both names on it (or one cert for each name).
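Putting the advice in posts #5, #9 and #10 together as one Apache configuration. This is an added example, not the original poster's config and not anything Certbot generated; it assumes Apache 2.4 with mod_rewrite and mod_ssl enabled, the lineage named brandoncaballero.com that "sudo certbot certificates" listed as covering both names (paths as shown in post #3), a DocumentRoot of /var/www/html, and that the bare domain is the canonical one.

```apache
# Added example, not the poster's or Certbot's own file.
# Port 80: answer for both names (ServerAlias, as in post #9) and send each
# to HTTPS on the *same* host (step 1 of post #5). The targets are written
# out explicitly rather than reflecting the Host header back to the client.
<VirtualHost *:80>
    ServerName brandoncaballero.com
    ServerAlias www.brandoncaballero.com

    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.brandoncaballero\.com$ [NC]
    RewriteRule ^ https://www.brandoncaballero.com%{REQUEST_URI} [R=301,L]
    RewriteRule ^ https://brandoncaballero.com%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: one vhost for both names, backed by the certificate that lists
# both as Subject Alternative Names (the "brandoncaballero.com" lineage, not
# the "-0001" one that only carries the bare domain). The TLS handshake for
# https://www succeeds only because www is on this cert; with the wrong cert
# the browser stops with SSL_ERROR_BAD_CERT_DOMAIN before any redirect is sent.
<VirtualHost *:443>
    ServerName brandoncaballero.com
    ServerAlias www.brandoncaballero.com
    DocumentRoot /var/www/html

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/brandoncaballero.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/brandoncaballero.com/privkey.pem
    # Certbot's hardened TLS settings, installed alongside the certificate.
    Include /etc/letsencrypt/options-ssl-apache.conf

    # Step 2 of post #5: https://www -> https://bare, already inside HTTPS.
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.brandoncaballero\.com$ [NC]
    RewriteRule ^ https://brandoncaballero.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```

After editing, run "sudo apachectl configtest" and then "sudo systemctl reload apache2". With this layout the four combinations from post #6 chain as http://www -> https://www -> https://bare and http://bare -> https://bare, which is exactly what the redirect table in post #7 was missing: the old https://www hop dropped back to plain http.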


#11

rg305 JuergenAuer mnordhoff

Thanks again for all the help. I finally got this working on the domain I asked for help with and an additional domain.

One last question, @mnordhoff: in my response to your instructions to run the command sudo certbot certificates, the message I got back from my server was one cert first serving the non-www and www domains, with a cert immediately following serving only the non-www. Do I need to remove that second one and, if so, what is the command for that?


#12

sudo certbot delete
should prompt you for deletion.


#13

Thanks! That worked, I was able to remove the old one and restart the server.