Domain Certificate Mismatch

Discussion in 'ISPConfig 3 Priority Support' started by Barbara, Jul 11, 2016.

  1. Barbara

    Barbara New Member HowtoForge Supporter

    Till:
    Looking at this issue too long and my head is spinning. Would you please take a look and tell me how to approach correcting this mismatch. I believe I have narrowed it down. Multiple VHOST domains each with their own LetsEncrypt Cert. Additional LetsEncrypt Cert added (server-8002.domain.us) for ISPConfig and PHPmyAdmin. Thank you. --Barbara--

    ##
    Self signed certificate generated for Ubuntu 14.04 NGINX server:
    server-8002.domain.us

    ISPConfig and PHPmyAdmin previously used self signed certificate. The exception error would pop in browser and it was accepted.

    Configured LetsEncrypt and PHPmyAdmin to use LetsEncrypt Signed Certificate
    server-8002.domain.us
    LetsEncrypt and PHPmyAdmin display the signed certificate, green bar and no error.

    When no port (8080, 8081) specified browser:
    https://server-8002.domain.us
    Previously presented the self signed certificate with the exception, as expected.

    Now browser ignores the overridden exception with error:
    server-8002.domain.us uses an invalid security certificate. The certificate is only valid for the following names:
    domain.com, www.domain.com
    (Error code: ssl_error_bad_cert_domain

    The Cert info is valid, not expired and the Subject Alternative Name is:
    DNS Name=server-8002.domain.us

    Confirm browser exception and the the browser url displays
    https://server-8002.domain.us/
    But
    resolves to the data within the domain:
    https://domain.com/
    along with the LetsEncrypt Certifcate for:
    domain.com
    even though the browser address is:
    https://server-8002.domain.us/

    Note: added the following to have PHPmyAdmin use the LetsEncrypt signed certificate for: server-8002.domain.us
    ISPConfig: Server Config / Web /
    Apps Vhost Settings:
    Apps-vhost port:
    8081 ssl; ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key
    Apps-vhost IP: _default_
    Apps-vhost Domain: server-8002.domain.us
    Ref Link:
    https://www.digitalocean.com/commun...-ispconfig-3-nginx-not-apache-on-ubuntu-14-04

    The beginning of APPS.VHOST:
    server {
    listen 8081 ssl; ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;

    server_name server-8002.domain.us;

    root /var/www/apps;
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Check that the SSL cert /usr/local/ispconfig/interface/ssl/ispserver.crt is really for the domain server-8002.domain.us and not www.domain.us.
     
  3. Barbara

    Barbara New Member HowtoForge Supporter

    Till:
    Not that simple, checked all that. Note the difference with tld, even though the domain names are same (domain.us/.tv/.org/.com). The anomaly is very strange:
    When using port 8080 & 8081 at
    https://server-8002.domain.us:8080 / :8081
    the LetsEncrypt cert for server-8002.domain.us is used (no error) for ISPConfig & PHPmyAdmin.

    FYI, individual LetEncrypt certs have been applied and work for all website domains (6) on server.

    When no port specified (default 80) at
    http://server-8002.domain.us
    browser error (invalid security cert) is reported: certificate is only valid for the following names: domain.com, www.domain.com
    Cert viewed and confirmed it is for: domain.com, www.domain.com
    Confirm Exception and
    Browser URL displays: https://server-8002.domain.us/
    Contents of website: https://domain.com/ is displayed
    and (greenbar) Cert is for
    domain.com, www.domain.com

    http://server-8002.domain.us/
    is redirected to contents & cert for web5 (domain.com, www.domain.com)
    while URL displays
    https://server-8002.domain.us/

    A cool 14C last night in northern New York near the Canadian border on the Great Lakes. Hope all is well in your world. Thank you.

    --Barbara--
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the nginx vhost files for the ispconfig and apps vhost and see if the ssl directive sin them points to the right cert. Then it can be (if there is no ssl cert for a given domain on port 443 and you access this domain on port 443, then nginx will use the first website that it finds with ssl on this port. so your attempt to access the hostname of the server on port 443 can just mean that there is no default ssl vhost on port 443 (which is the default btw).
     

Share This Page