Wrong common name for www subdomain

Hi all - on my CentOS 8 server, I've successfully used certbot to install certs on my non-www domain, as well as a couple of other sub-domains - but for my www subdomain, it shows my xxx.members.linode.com as the common name, and this is invalidating the cert.

It seems like this should be a simple fix, but I'm stumped. In addition, the www domain throws a 403 error (but shows the Apache test page - the http version shows the expected page).

https://www.twop1pager.com/ (403 error)
http://www.twop1pager.com/ (works - shows "Back soon")
https://api.twop1pager.com/ (works, and http redirects to https)

An apachectl configtest shows my syntax is ok, haven't found any clues in the logs.

When I initially installed the cert - it didn't pick up the "www" - but I added it with:

```
certbot-auto certonly --cert-name twop1pager.com -d twop1pager.com,www.twop1pager.com,api.twop1pager.com
```

And now when I do `certbot-auto certificates` I see:

```
Found the following certs:
  Certificate Name: twop1pager.com
    Serial Number: 4baaa79fedc62fb8f2e67b362f3a84e0984
    Domains: twop1pager.com api.twop1pager.com www.twop1pager.com
    Expiry Date: 2021-01-19 22:26:36+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/twop1pager.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/twop1pager.com/privkey.pem
```
I've reloaded/restarted httpd - am I missing something?

5 Replies

The cert used by https://www.twop1pager.com/ appears to be self-issued and self-signed. The cert used by https://api.twop1pager.com/ is a Let's Encrypt cert.

Are you sure your configuration for https://www.twop1pager.com/ is using the right cert file(s)? Did you blow your server cache before restarting:

  • stop server;
  • blow server cache;
  • start server?

Here's info on how to blow the server cache:

http://httpd.apache.org/docs/current/programs/htcacheclean.html

Just to make sure, it would probably be of benefit to blow your browser cache too…

-- sw

Thanks @stevewi - I appreciate the reply. Unfortunately, no dice.

I stopped the server, ran `sudo htcacheclean -r -p/var/cache/httpd` and verified the dirs in /var/cache/httpd/ were all empty, restarted httpd and still the same.

But it did lead me down another rabbit hole, and I think my problem is in here:

```
sudo httpd -S
VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server api.twop1pager.com (/etc/httpd/sites-enabled/api.twop1pager.com.conf:7)
         port 80 namevhost api.twop1pager.com (/etc/httpd/sites-enabled/api.twop1pager.com.conf:7)
         port 80 namevhost fetch.twop1pager.com (/etc/httpd/sites-enabled/fetch.twop1pager.com.conf:7)
         port 80 namevhost twop1pager.com (/etc/httpd/sites-enabled/twop1pager.com.conf:7)
                 alias www.twop1pager.com
*:443                  is a NameVirtualHost
         default server li1974-33.members.linode.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost li1974-33.members.linode.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost twop1pager.com (/etc/httpd/sites-available/twop1pager.com-le-ssl.conf:2)
         port 443 namevhost api.twop1pager.com (/etc/httpd/sites-available/api.twop1pager.com-le-ssl.conf:2)
         port 443 namevhost fetch.twop1pager.com (/etc/httpd/sites-available/fetch.twop1pager.com-le-ssl.conf:2)
```

If you post the contents of /etc/httpd/conf.d/ssl.conf, maybe we can help you out (redact anything that may be private).

-- sw

Thanks again @stevewi - this is a practically new install, haven't modified anything here yet:

https://pastebin.com/9KRXAtbN

I would add

```
  #
  ServerName www.twop1pager.com
```

after the `<VirtualHost _default_:443>` directive.

I'm assuming you have another VirtualHost with a ServerName of api.twop1pager.com.

-- sw
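The `httpd -S` output posted above already contains the answer: `www.twop1pager.com` appears only as an alias of the `*:80` vhost, and no `*:443` vhost names it, so on port 443 Apache hands the request to that port's default server (the ssl.conf vhost for `li1974-33.members.linode.com`) and the browser sees that vhost's self-signed certificate. The script below is an added diagnostic, not part of any post in this thread, that turns that eyeball check into a repeatable one: it parses `httpd -S` output and lists every hostname served on :80 that has no :443 vhost of its own, together with the default server that will catch it. `HTTPD_S_SAMPLE` is a constructed copy of the output in the thread; the function names are my own, not Apache's.

```shell
#!/bin/sh
# Added diagnostic (not from the original thread): find hostnames that a
# name-based *:80 vhost answers for but no *:443 vhost claims. Apache sends
# such a TLS request to the *:443 default server, whose certificate is the
# one the client sees -- the "wrong common name" symptom above.
#
# HTTPD_S_SAMPLE is a constructed copy of the `httpd -S` output in the thread.
# Live use: httpd -S 2>&1 | names_missing_on_443
HTTPD_S_SAMPLE='VirtualHost configuration:
*:80                   is a NameVirtualHost
         default server api.twop1pager.com (/etc/httpd/sites-enabled/api.twop1pager.com.conf:7)
         port 80 namevhost api.twop1pager.com (/etc/httpd/sites-enabled/api.twop1pager.com.conf:7)
         port 80 namevhost fetch.twop1pager.com (/etc/httpd/sites-enabled/fetch.twop1pager.com.conf:7)
         port 80 namevhost twop1pager.com (/etc/httpd/sites-enabled/twop1pager.com.conf:7)
                 alias www.twop1pager.com
*:443                  is a NameVirtualHost
         default server li1974-33.members.linode.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost li1974-33.members.linode.com (/etc/httpd/conf.d/ssl.conf:40)
         port 443 namevhost twop1pager.com (/etc/httpd/sites-available/twop1pager.com-le-ssl.conf:2)
         port 443 namevhost api.twop1pager.com (/etc/httpd/sites-available/api.twop1pager.com-le-ssl.conf:2)
         port 443 namevhost fetch.twop1pager.com (/etc/httpd/sites-available/fetch.twop1pager.com-le-ssl.conf:2)'

# vhost_names PORT  -- read `httpd -S` output on stdin; print every ServerName
# ("port N namevhost X") and ServerAlias ("alias X") bound to PORT, sorted.
# An "alias" line belongs to the most recent namevhost line, so we carry
# that line's port forward.
vhost_names() {
    awk -v want="$1" '
        $1 == "port" && $3 == "namevhost" { port = $2; if (port == want) print $4; next }
        $1 == "alias" && port == want     { print $2 }
    ' | sort -u
}

# default_server_on_443 -- the vhost that answers any :443 request whose
# SNI / Host name matches no other :443 vhost.
default_server_on_443() {
    awk '/^\*:443/ { in443 = 1; next }
         /^\*:/    { in443 = 0 }
         in443 && $1 == "default" && $2 == "server" { print $3; exit }'
}

# names_missing_on_443 -- hostnames served on :80 for which no :443 vhost
# exists; each of these falls through to default_server_on_443.
names_missing_on_443() {
    input=$(cat)
    plain=$(printf '%s\n' "$input" | vhost_names 80)
    tls=$(printf '%s\n' "$input" | vhost_names 443)
    printf '%s\n' "$plain" | while IFS= read -r name; do
        [ -n "$name" ] || continue
        printf '%s\n' "$tls" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
}

# report -- human-readable summary for the embedded sample.
report() {
    missing=$(printf '%s\n' "$HTTPD_S_SAMPLE" | names_missing_on_443)
    fallback=$(printf '%s\n' "$HTTPD_S_SAMPLE" | default_server_on_443)
    if [ -z "$missing" ]; then
        echo "every :80 hostname has a :443 vhost of its own"
        return 0
    fi
    printf '%s\n' "$missing" | while IFS= read -r name; do
        echo "$name: served on :80, but no :443 vhost names it;"
        echo "    https://$name/ is answered by default server '$fallback' and its certificate"
    done
}

report
```

On the sample this prints one finding, `www.twop1pager.com`, caught by `li1974-33.members.linode.com`. The fix is to give the www name to a `*:443` vhost, and whichever vhost that is must also carry `SSLCertificateFile`/`SSLCertificateKeyFile` pointing at the `/etc/letsencrypt/live/twop1pager.com/` paths listed by `certbot-auto certificates`; the certbot-written `twop1pager.com-le-ssl.conf` vhost already does, so a `ServerAlias www.twop1pager.com` there mirrors the :80 vhost, whereas the stock ssl.conf vhost keeps serving its self-signed certificate unless those directives are changed too. Re-run `httpd -S` after the edit: the alias should now appear under the `*:443` section as well, and this script should report nothing.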
