Related

Tool NGINX Config Generator Tool
How install Varnish 6.1 With NGINX SSL Termination? Ubuntu 18.04 Question Question
Url:mal website blocking Question Question

Question

Getting: NET::ERR_CERT_COMMON_NAME_INVALID after moving hosting from Netlify to my Droplet.

Posted February 8, 2020 2.1k views
NginxLet's EncryptUbuntu 18.04

I’m in the process of moving all my Netlify domains into my DigitalOcean Droplet and wanted to make this the main one (the rest as subdomains). I already have a Node API hosted on the default sites-available.

I follwed this tutorial: https://linuxize.com/post/how-to-set-up-nginx-server-blocks-on-ubuntu-18-04/

In my /var/www/ I have a folder called repetitio.co.uk which is the domain name. Within this has public_html and contains index.html and the rest of the static site pulled via Git. My API code is hosted in my Home directory under RepetitioServer.

Within my /etc/nginx/sites-available is repetitio.co.uk which has my server file which contains: 

server {
    listen 80;
    listen [::]:80;

    root /var/www/repetitio.co.uk/public_html;

    index index.html;

    server_name repetitio.co.uk;

    ssl_certificate /etc/letsencrypt/live/repetitio.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/repetitio.co.uk/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/repetitio.co.uk/chain.pem;

    access_log /var/log/nginx/repetitio.co.uk.access.log;
    error_log /var/log/nginx/repetitio.co.uk.error.log;

    include snippets/ssl-params.conf;
    location ~ /.well-known {
       allow all;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

I ran certbot and got the OK and copied the certs URL as shown above. Running sudo nginx -t returns
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Now when I navigate to repetitio.co.uk I get 

Your connection is not private
Attackers might be trying to steal your information from repetitio.co.uk (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_COMMON_NAME_INVALID

My default server file looks like: 

server {
    listen 80;
    listen 127.0.01;
    listen [::]:80 ipv6only=on;
    return 301 https://$host$request_uri;
}
# HTTPS — proxy all requests to the Node app
server {
    # Enable HTTP/2
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name ww2.zone;

    # Use the Let’s Encrypt certificates
    ssl_certificate /etc/letsencrypt/live/ww2.zone/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/ww2.zone/privkey.pem; # managed by Certbot

    # Include the SSL configuration from cipherli.st
    include snippets/ssl-params.conf;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-NginX-Proxy true;
        proxy_pass http://localhost:5000/;
        proxy_ssl_session_reuse off;
        proxy_set_header Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_redirect off;
    }

}

Should also mention that I updated my CNAME records and have my domain in DigitalOcean Dashboard pointing to my droplet.

Any help is greatly appreciated.

Harry

Add a comment
hbendixlewis
By:
hbendixlewis
edited by MattIPv4
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

×
1 answer
KFSys February 9, 2020

Hi @hbendixlewis,

It seems like there is something wrong with your SSL certificate. I’ll recommend you to check the certificate from here :

ssl_certificate_key /etc/letsencrypt/live/ww2.zone/privkey.pem; # managed by Certbot

And verify it actually works properly (here)[https://www.sslshopper.com/certificate-decoder.html].

If the Certificate and the Key do not match, I’ll recommend reissuing the certificate.

Regards,
KDSys

Reply Report
  • Remdore February 10, 2020

    How can I install a Let’s Encrypt using Nginx?

    Reply Report
  • hbendixlewis February 10, 2020

    Here’s the response: 

    Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            03:71:af:81:0c:d8:09:09:a3:6b:6b:e2:9e:cf:d8:35:1a:f3
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Validity
            Not Before: Feb  5 21:06:28 2020 GMT
            Not After : May  5 21:06:28 2020 GMT
        Subject: CN = ww2.zone
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:e3:e3:cb:1a:22:a0:e0:d7:9e:91:f8:56:cc:e6:
                    67:5c:f6:91:dd:f1:b3:14:75:36:84:23:59:cc:ff:
                    58:4e:6a:c5:be:60:d0:0f:8f:8d:d0:b5:81:bb:71:
                    d0:d1:cb:c0:46:3e:fe:99:f1:d4:22:6f:94:79:8f:
                    a1:e4:5e:00:62:9c:24:67:a4:c0:80:58:c8:91:7e:
                    c4:0c:27:83:c4:63:bb:73:de:5b:81:99:8e:08:9d:
                    54:9a:1e:11:14:0c:14:e0:97:bf:b6:2b:9f:0d:22:
                    cc:c9:84:51:66:af:65:ca:91:27:7e:74:65:b8:15:
                    2d:13:46:23:4e:93:e9:22:15:77:b7:5e:ab:e5:08:
                    3f:e7:da:4e:57:02:80:2f:0d:bc:b5:43:59:c8:a5:
                    54:5d:6a:18:ad:66:fb:b1:71:4c:33:96:0c:a9:6b:
                    53:d2:88:7e:41:9b:1e:f6:f0:e4:84:40:d7:1c:6a:
                    3a:b4:9b:3d:76:ce:31:72:4a:dc:af:c9:b1:01:8a:
                    29:d1:8e:7b:1d:5c:90:21:30:f3:04:7d:34:d5:2b:
                    1e:f3:f7:d9:0c:26:78:a7:4d:25:e0:26:a2:a4:e0:
                    b4:4b:0a:11:86:39:b6:cd:f0:a2:30:cf:c1:0b:1a:
                    b9:76:c8:92:3e:83:6e:72:ce:2d:29:07:ea:3f:9e:
                    24:5f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                D1:58:F3:57:D0:ED:B3:0B:FC:13:00:9D:BA:92:75:34:C5:10:40:D9
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:ww2.zone
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org

            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 07:B7:5C:1B:E5:7D:68:FF:F1:B0:C6:1D:23:15:C7:BA:
                                E6:57:7C:57:94:B7:6A:EE:BC:61:3A:1A:69:D3:A2:1C
                    Timestamp : Feb  5 22:06:28.736 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:9A:23:6C:0A:40:2F:86:2C:94:47:7B:
                                F9:13:A7:70:3E:16:10:A6:4F:3D:68:0D:CB:FF:0F:BA:
                                20:25:DA:C0:CF:02:20:24:7D:B2:34:64:4E:23:FC:B6:
                                1F:B9:44:C3:D0:7A:6D:8D:4E:BE:08:AD:D3:0B:0B:10:
                                C8:81:B9:DE:AD:F2:17
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 5E:A7:73:F9:DF:56:C0:E7:B5:36:48:7D:D0:49:E0:32:
                                7A:91:9A:0C:84:A1:12:12:84:18:75:96:81:71:45:58
                    Timestamp : Feb  5 22:06:29.212 2020 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:21:00:85:D6:DD:FB:37:AA:6B:CE:97:1B:7D:
                                C5:A2:77:01:06:33:97:D5:53:04:CF:2F:A2:E6:6A:1B:
                                91:65:80:59:F5:02:20:61:8D:C6:B3:0C:30:AF:01:BB:
                                C1:26:99:BB:68:61:E7:9F:6D:94:0F:2C:DF:99:54:19:
                                2C:FB:F4:AA:C5:A9:2B
    Signature Algorithm: sha256WithRSAEncryption
         46:01:9e:2f:ff:54:6f:ae:ae:11:44:c6:c5:b8:10:97:2e:97:
         42:a5:59:3e:19:72:5a:fd:3b:28:f1:af:2e:80:8f:8f:28:5c:
         b0:72:18:3e:7c:86:32:34:44:e9:b7:ca:34:e8:68:c1:bd:ba:
         d7:1a:96:ab:59:f2:52:76:6e:2f:1c:60:28:34:f9:fd:56:b9:
         49:c1:2a:e1:ec:ad:eb:f6:69:1b:77:26:cb:2f:3c:ee:be:0e:
         8c:70:b8:5f:39:be:1e:91:a5:b6:8f:0b:a4:c0:7c:cf:22:c9:
         96:73:a9:46:a0:ac:72:59:0a:f2:ce:c9:5d:69:f1:54:c2:c5:
         79:47:79:4b:f2:48:d2:e7:6f:66:4c:98:70:13:39:c8:97:11:
         4f:3f:41:51:e0:02:62:8a:d2:8b:b5:1d:a3:84:4b:0b:ba:45:
         72:28:8e:a7:21:d6:e4:6b:37:2a:23:d8:a1:0e:15:c8:14:4c:
         91:55:8f:8b:de:3f:a2:32:9d:82:ef:f8:8b:1c:a2:62:f1:c7:
         68:b5:59:47:fb:0e:ca:27:e1:59:41:1d:6b:39:c0:11:c0:dd:
         20:89:9c:4e:51:0c:00:d3:2a:83:1a:b4:99:16:72:b1:e2:be:
         04:85:fe:19:0f:6a:30:02:47:cb:e4:6c:a9:cc:f2:45:9b:d2:
         41:a5:de:fb

    The API is all fine and I get no issues for ww2.zone, SSL or otherwise.

    Now when I navigate to repetitio.co.uk the certificate information references ww2.zone. Do you think this is due to ww2.zone being the default file? Do you recommend to remove the default server file and make a new one calledww2.zone as done for repetitio.co.uk? I’m trying to minimise downtime on my API so would like to know if you think this will work before I start messing around with the server files.

    Thank you KDSys.

    Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help