Yet another "Certificate name mismatch" problem

sse450 · August 29, 2020, 2:37pm

I have 2 domains on our VPS: wintess.com and onartstructures.com

I generated LE certificates using the below command:
certbot certonly --dns-linode --dns-linode-credentials ~/.secrets/certbot/linode.ini --dns-linode-propagation-seconds 1000 -d *.onartstructures.com -d onartstructures.com

vhost calls the certificates with these lines:
SSLCertificateFile /etc/letsencrypt/live/onartstructures.com-0001/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/onartstructures.com-0001/privkey.pem

The website works fine with padlock.

However, SSLlabs says “certificate name mismatch.”
Try these other domain names (extracted from the certificates):

[*.wintess.com]
[wintess.com]

I deleted and generated the certificates, but still the same problem. I tried with other domain names. They all exhibit the same issue. There is an invisible link with my main domain (wintess.com) which I cannot break.

I have read many posts regarding this problem but couldn’t fix it.

I would appreciate any help.

Thank you.

Information on my setup:

My domains are: wintess.com, onartstructures.com
I ran this command: apachectl -S
It produced this output:
VirtualHost configuration:
172.104.150.134:443 is a NameVirtualHost
default server www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:1)
port 443 namevhost www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:1)
port 443 namevhost mantis.wintess.com (/etc/httpd/conf.d/mantis.wintess.com.conf:1)
port 443 namevhost webmail.wintess.com (/etc/httpd/conf.d/webmail.wintess.com.conf:1)
port 443 namevhost www.onartstructures.com (/etc/httpd/conf.d/www.onartstructures.com.conf:1)
172.104.150.134:80 is a NameVirtualHost
default server www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:13)
port 80 namevhost www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:13)
alias wintess.com
port 80 namevhost mantis.wintess.com (/etc/httpd/conf.d/mantis.wintess.com.conf:21)
port 80 namevhost webmail.wintess.com (/etc/httpd/conf.d/webmail.wintess.com.conf:21)
port 80 namevhost www.onart.com.tr (/etc/httpd/conf.d/www.onart.com.tr.conf:1)
alias onart.com.tr
port 80 namevhost www.onartstructures.com (/etc/httpd/conf.d/www.onartstructures.com.conf:13)
alias onartstructures.com
*:443 www.wintess.com (/etc/httpd/conf.d/ssl.conf:40)
ServerRoot: “/etc/httpd”
Main DocumentRoot: “/var/www/html”
Main ErrorLog: “/etc/httpd/logs/error_log”
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
PidFile: “/etc/httpd/run/httpd.pid”
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name=“apache” id=48
Group: name=“apache” id=48

My web server is (include version): Apache/2.4.37
The operating system my web server runs on is (include version): CentOS Linux release 8.2.2004
My hosting provider, if applicable, is: Linode
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 1.6.0

Osiris · August 29, 2020, 2:50pm

Your redirect redirects to the www subdomain, i.e. www.onartstructures.com which does send the correct certificate.

If you look at that SSLabs test, it doesn’t give the same error: https://www.ssllabs.com/ssltest/analyze.html?d=www.onartstructures.com&hideResults=on

Looking at your apachectl -S output, you don’t have a HTTPS namevhost configured for the bare domain name, only for the www subdomain.

The same goes for wintess.com, but as that’s the default virtualhost, you don’t get any trouble there. Strangely enough, you do have the aliases for the bare domain name on the HTTP virtualhosts though.

JuergenAuer · August 29, 2020, 2:57pm

Hi @sse450

your configuration is buggy - see https://check-your-website.server-daten.de/?q=onartstructures.com

Domainname	Http-Status	redirect	Sec.	G
• http://onartstructures.com/ 172.104.150.134	301	https://www.onartstructures.com/ Html is minified: 100,00 %	0.047	E

• http://www.onartstructures.com/ 172.104.150.134	301	https://www.onartstructures.com/ Html is minified: 100,00 %	0.046	A

• https://onartstructures.com/ 172.104.150.134	301	https://www.wintess.com/	2.640	N
Certificate error: RemoteCertificateNameMismatch

• https://www.onartstructures.com/ 172.104.150.134 No GZip used - 15064 / 67194 - 22,42 % possible Inline-JavaScript (∑/total): 31/11133 Inline-CSS (∑/total): 3/2488	200	Html is minified: 140,62 %	3.500	B

• https://www.wintess.com/ No GZip used - 20608 / 94453 - 21,82 % possible Inline-JavaScript (∑/total): 30/12836 Inline-CSS (∑/total): 5/8387	200	Html is minified: 137,07 %	2.904	B

https + non-www has the wrong certificate and a wrong redirect, https + www has the correct certificate.

And your vHost list is buggy. Create a correct port 80 vHost list (non-www and www per domain), then the matching port 443 vHosts.

May be Certbot doesn't really understand your config with a wildcard certificate, so fix that manual.

sse450 · August 30, 2020, 1:36pm

Osiris and JuergenAuer, I appreciate your support.

I changed Apache conf and added “ServerAlias onartstructures.com”. Deleted and re-created the cert. Now, it passed the SSLLabs test.

apachectl -S
now gives:

VirtualHost configuration:
172.104.150.134:443    is a NameVirtualHost
         default server www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:1)
         port 443 namevhost www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:1)
                 alias wintess.com
         port 443 namevhost mantis.wintess.com (/etc/httpd/conf.d/mantis.wintess.com.conf:1)
         port 443 namevhost post.wintess.com (/etc/httpd/conf.d/post.wintess.com.conf:1)
         port 443 namevhost webmail.wintess.com (/etc/httpd/conf.d/webmail.wintess.com.conf:1)
         port 443 namevhost www.onartstructures.com (/etc/httpd/conf.d/www.onartstructures.com.conf:1)
                 alias onartstructures.com
172.104.150.134:80     is a NameVirtualHost
         default server www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:14)
         port 80 namevhost www.wintess.com (/etc/httpd/conf.d/1.wintess.com.conf:14)
                 alias wintess.com
         port 80 namevhost mantis.wintess.com (/etc/httpd/conf.d/mantis.wintess.com.conf:21)
         port 80 namevhost post.wintess.com (/etc/httpd/conf.d/post.wintess.com.conf:21)
         port 80 namevhost webmail.wintess.com (/etc/httpd/conf.d/webmail.wintess.com.conf:21)
         port 80 namevhost www.onartstructures.com (/etc/httpd/conf.d/www.onartstructures.com.conf:14)
                 alias onartstructures.com
*:443                  www.wintess.com (/etc/httpd/conf.d/ssl.conf:40)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex lua-ivm-shm: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/etc/httpd/run/" mechanism=default 
Mutex cache-socache: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/etc/httpd/run/httpd.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48

Does it look OK now?

Juergen, I also tried to check with the tool in your message, but too complicated for me. Do you still see any error?

Thank you very much.

JuergenAuer · August 30, 2020, 1:51pm

Then read the details. Nothing you can do in 10 minutes.

There are a lot of things. Some things you may not be able to change. A lot of things you can change.

All not green -> check it.

Bad: Your chain is incomplete. Ssllabs reports the same - https://www.ssllabs.com/ssltest/analyze.html?d=onartstructures.com

This server's certificate chain is incomplete. Grade capped to B.

Missing external SRI is always bad. If the external resource is hacked, your website is hacked too.

Osiris · August 30, 2020, 1:55pm

Offtopic: Sorry, but even the details are often very unclear in my opinion. The fact it's too complicated for @sse450 shouldn't envoke a "it's your own fault" reaction, but rather a "how can I improve my tool".

JuergenAuer · August 30, 2020, 2:01pm

Nobody says configuring a website is easy. If you want that, you have to learn it. Not only you, everyone (me included).

If you think my tool is "unclear": Create your own, better tool and publish it instead of complaining.

Osiris · August 30, 2020, 2:03pm

Offtopic: I'm not complaining about the tool itself, because I don't use it. I was reacting to your reply to @sse450 which, IMO, was kind of rude and not very empathic.

griffin · August 30, 2020, 4:26pm

@JuergenAuer, @Osiris

_{^{Sorry if I’ve gotten in the middle of something. From what I can see, @JuergenAuer has made a very powerful (and extensive) tool, albeit a huge Swiss Army knife. It looks quite helpful, but rather daunting to even a somewhat seasoned web developer. Have you @JuergenAuer any “subtools” that break down checks into more dedicated aspects? In my own experience, TL;DR can really hurt even the best products. I agree with @Osiris in the sense that I don’t feel an effective response to a math student who wants to understand how to calculate the area of a rectangle is to hit him in the head with a calculus book. Again, sorry for my intrusion.}}

system · September 29, 2020, 4:26pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.