Question

Getting: NET::ERR_CERT_COMMON_NAME_INVALID after moving hosting from Netlify to my Droplet.

Posted February 8, 2020
Nginx, Let's Encrypt, Ubuntu 18.04

I’m in the process of moving all my Netlify domains into my DigitalOcean Droplet and wanted to make this the main one (the rest as subdomains). I already have a Node API hosted on the default sites-available.

I followed this tutorial: https://linuxize.com/post/how-to-set-up-nginx-server-blocks-on-ubuntu-18-04/

In my /var/www/ I have a folder called repetitio.co.uk which is the domain name. Within this has public_html and contains index.html and the rest of the static site pulled via Git. My API code is hosted in my Home directory under RepetitioServer.

Within my /etc/nginx/sites-available is repetitio.co.uk which has my server file which contains:

server {
    listen 80;
    listen [::]:80;

    root /var/www/repetitio.co.uk/public_html;

    index index.html;

    server_name repetitio.co.uk;

    ssl_certificate /etc/letsencrypt/live/repetitio.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/repetitio.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/repetitio.co.uk/chain.pem;

    access_log /var/log/nginx/repetitio.co.uk.access.log;
    error_log /var/log/nginx/repetitio.co.uk.error.log;

    include snippets/ssl-params.conf;
    location ~ /.well-known {
       allow all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

I ran certbot and got the OK and copied the certs URL as shown above. Running sudo nginx -t returns
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now when I navigate to repetitio.co.uk I get

Your connection is not private
Attackers might be trying to steal your information from repetitio.co.uk (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

My default server file looks like:

server {
    listen 80;
    listen 127.0.01;
    listen [::]:80 ipv6only=on;
    return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ww2.zone;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/ww2.zone/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ww2.zone/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:5000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }

}

Should also mention that I updated my CNAME records and have my domain in DigitalOcean Dashboard pointing to my droplet.

Any help is greatly appreciated.

Harry

edited by MattIPv4


1 answer

Hi @hbendixlewis,

It seems like there is something wrong with your SSL certificate. I’d recommend you check the certificate from here:

ssl_certificate_key /etc/letsencrypt/live/ww2.zone/privkey.pem; # managed by Certbot

And verify it actually works properly here: https://www.sslshopper.com/certificate-decoder.html

If the Certificate and the Key do not match, I’d recommend reissuing the certificate.

Regards,
KDSys

  • How can I install a Let’s Encrypt using Nginx?

  • Here’s the response:

    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                03:71:af:81:0c:d8:09:09:a3:6b:6b:e2:9e:cf:d8:35:1a:f3
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            Validity
                Not Before: Feb  5 21:06:28 2020 GMT
                Not After : May  5 21:06:28 2020 GMT
            Subject: CN = ww2.zone
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    D1:58:F3:57:D0:ED:B3:0B:FC:13:00:9D:BA:92:75:34:C5:10:40:D9
                X509v3 Authority Key Identifier:
                    keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
    
                Authority Information Access:
                    OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                    CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
    
                X509v3 Subject Alternative Name:
                    DNS:ww2.zone
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
    
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                    E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                        Timestamp : Feb  5 22:06:28.736 2020 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                    7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                        Timestamp : Feb  5 22:06:29.212 2020 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
        Signature Algorithm: sha256WithRSAEncryption

    The API is all fine and I get no issues for ww2.zone, SSL or otherwise.

    Now when I navigate to repetitio.co.uk the certificate information references ww2.zone. Do you think this is due to ww2.zone being the default file? Do you recommend removing the default server file and making a new one called ww2.zone as done for repetitio.co.uk? I’m trying to minimise downtime on my API, so I would like to know if you think this will work before I start messing around with the server files.

    Thank you KDSys.
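The answer's suggestion (inspect the certificate actually being served) and the follow-up question (is the default server block answering for repetitio.co.uk?) can be checked together. This is an added example, not code from the thread: it models nginx's SNI-based server selection over constructed certificate dicts in the shape Python's ssl.getpeercert() returns, plus a live fetch_cert helper that needs network access; the repetitio.co.uk certificate and all function names are assumptions.

```python
import socket
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns,
# mirroring the decoded certificate above (CN and SAN both ww2.zone).
WW2_CERT = {
    "subject": ((("commonName", "ww2.zone"),),),
    "subjectAltName": (("DNS", "ww2.zone"),),
}
# Hypothetical certificate a 443 server block for repetitio.co.uk would present.
REPETITIO_CERT = {
    "subject": ((("commonName", "repetitio.co.uk"),),),
    "subjectAltName": (("DNS", "repetitio.co.uk"), ("DNS", "www.repetitio.co.uk")),
}

def cert_names(cert):
    """DNS names the certificate is valid for: SAN entries, CN only as a fallback."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """RFC 6125 style: exact match, or one wildcard covering the leftmost label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*.") and "." in hostname:
        return hostname.split(".", 1)[1] == pattern[2:]
    return False

def cert_covers(cert, hostname):
    return any(name_matches(n, hostname) for n in cert_names(cert))

def diagnose(hostname, tls_servers, default_cert):
    """Model nginx's pick on port 443: the block whose server_name equals the SNI name,
    else the default server. Returns (names in the served cert, covers hostname?)."""
    served = tls_servers.get(hostname, default_cert)
    return cert_names(served), cert_covers(served, hostname)

def fetch_cert(hostname, sni=None, port=443):
    """Live check (needs network): validate the chain but not the hostname, so the
    served certificate is returned even when it was issued for a different name."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or hostname) as tls:
            return tls.getpeercert()
```

With only ww2.zone listening on 443, diagnose("repetitio.co.uk", {"ww2.zone": WW2_CERT}, WW2_CERT) reports the ww2.zone certificate and no match, which is exactly the browser's NET::ERR_CERT_COMMON_NAME_INVALID; adding a 443 server block for repetitio.co.uk with its own certificate makes the match succeed.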
