Certificate not valid for domain name

Alexander1974

Hello, I hope you can help me out.
I'm stuck since yesterday.

I have several domain names on ns1.aalex.org and ns2.aalex.org
I have a certificate of let's certify on several subdomains of aalex.org

I added a new domain name (aalex.net) and made a certificate and for https it's working fine but there are troubles with TLS.
I checked on several sites and they all give me the error: Certificate not valid for domain name.

On another site I get the error:
Cert Hostname DOES NOT VERIFY (mail.mijneigendomeinnaam.nl != anderedomeinnaam.org | DNS:anderedomeinnaam.org | DNS:ftp.anderedomeinnaam.org | DNS:mail.anderedomeinnaam.org | DNS:pop.anderedomeinnaam.org | DNS:smtp.anderedomeinnaam.org)
so email is encrypted but the host is not verified

What am I doing wrong?
Sorry, I made a copy/paste error with the last text:
The error message with my own domains is the following.

Cert Hostname DOES NOT VERIFY (mail.aalex.net != aalex.org | DNS:aalex.org | DNS:ftp.aalex.org | DNS:mail.aalex.org | DNS:pop.aalex.org | DNS:smtp.aalex.org)
so email is encrypted but the host is not verified
 
I see the domain fails to resolve properly:

Code:
[root@server ~]# nslookup aalex.net 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53


Non-authoritative answer:
*** Can't find aalex.net: No answer


Code:
[root@server ~]# nslookup aalex.net ns1.aalex.org
Server:         ns1.aalex.org
Address:        94.75.217.68#53


*** Can't find aalex.net: No answer


[root@server ~]# nslookup aalex.net ns2.aalex.org
Server:         ns2.aalex.org
Address:        94.75.217.108#53


*** Can't find aalex.net: No answer



It seems you have no A-type records for the domain aalex.net with and without www; other records seem to be fine:

Code:
;; ANSWER SECTION:
aalex.net.              14400   IN      SOA     ns1.aalex.net. hostmaster.aalex.net. 2017100805 14400 3600 1209600 86400
aalex.net.              14400   IN      NS      ns2.aalex.net.
aalex.net.              14400   IN      NS      ns1.aalex.net.
aalex.net.              14400   IN      MX      10 mail.aalex.net.
aalex.net.              14400   IN      TXT     "v=spf1 a mx ip4:94.75.217.68 ~all"


;; ADDITIONAL SECTION:
ns1.aalex.net.          14400   IN      A       94.75.217.68
ns2.aalex.net.          14400   IN      A       94.75.217.108
 
I removed the domain aalex.net and added it again to DirectAdmin.
I tried a lot yesterday, so I want to make sure I didn't make any mistakes with the new try.

Now I still get the same message about the certificate.
I made it bold in the text.
I used https://www.checktls.com/perl/live/TestReceiver.pl


looking up MX hosts on domain "aalex.net"

mail.aalex.net (preference:10)
Trying TLS on mail.aalex.net[94.75.217.68] (10):

seconds test stage and result
[000.114] Connected to server
[000.228] <-- 220 server.aalex.org ESMTP Exim 4.87 Sun, 08 Oct 2017 21:09:48 +0200
[000.228] We are allowed to connect
[000.228] --> EHLO checktls.com
[000.341] <-- 250-server.aalex.org Hello www4.checktls.com [216.68.85.112]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
[000.341] We can use this server
[000.342] TLS is an option on this server
[000.342] --> STARTTLS
[000.464] <-- 220 TLS go ahead
[000.464] STARTTLS command works on this server
[000.723] SSLVersion in use: TLSv1.2
[000.723] Cipher in use: ECDHE-RSA-AES128-SHA256
[000.723] Connection converted to SSL
[000.725]
Certificate 1 of 3 in chain:
serialNumber= 31:dd:17:71:3e:60:00:59:5a:2e:b1:72:f0:89:e2:fb:ee:9
subject= /CN=aalex.org
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
[000.726]
Certificate 2 of 3 in chain:
serialNumber= a0:14:14:20:00:00:15:38:57:36:a0:b8:5e:ca:70:8
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
[000.727]
Certificate 3 of 3 in chain:
serialNumber= 44:af:b0:80:d6:a3:27:ba:89:30:39:86:2e:f8:40:6b
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
[000.727] Cert VALIDATED:
[000.727] Cert Hostname DOES NOT VERIFY (mail.aalex.net != aalex.org | DNS:aalex.org | DNS:ftp.aalex.org | DNS:mail.aalex.org | DNS:pop.aalex.org | DNS:smtp.aalex.org)
[000.727] So email is encrypted but the host is not verified

[000.727] ~~> EHLO checktls.com
[000.841] <~~ 250-server.aalex.org Hello www4.checktls.com [216.68.85.112]
250-SIZE 20971520
250-8BITMIME
250-PIPELINING
250-AUTH PLAIN LOGIN
250 HELP
[000.841] TLS successfully started on this server
[000.841] ~~> MAIL FROM:<[email protected]>
[000.954] <~~ 250 OK
[000.955] Sender is OK
[000.955] ~~> RCPT TO:<[email protected]>
[001.165] <~~ 250 Accepted
[001.165] Recipient OK, email address proofed
[001.166] ~~> QUIT
[001.279] <~~ 221 server.aalex.org closing connection
 
I see you have a cert:

Code:
Common name: aalex.org
SANs: aalex.org, ftp.aalex.org, mail.aalex.org, pop.aalex.org, smtp.aalex.org
Valid from October 8, 2017 to January 6, 2018
Serial Number: 031dd17713e6000595a2eb172f089e2fbee9
Signature Algorithm: sha256WithRSAEncryption
Issuer: Let's Encrypt Authority X3

and you probably don't use SNI in Directadmin: https://www.directadmin.com/features.php?id=2019
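
Added example (not from the thread, checktls or DirectAdmin): the name check behind "Cert Hostname DOES NOT VERIFY", reproduced in Python against the result line quoted in the checktls output above. All function names are hypothetical; the wildcard rule goes beyond the SANs seen in this thread, and `fetch_smtp_sans` assumes the chain validates against the local trust store.

```python
import smtplib
import ssl

def san_matches(hostname, san):
    """RFC 6125-style match: case-insensitive, wildcard only as the whole leftmost label."""
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Refuse overly broad patterns such as "*.org".
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def uncovered(mx_hosts, sans):
    """Return the MX hostnames that no SAN entry in the certificate covers."""
    return [h for h in mx_hosts if not any(san_matches(h, s) for s in sans)]

def parse_checktls_sans(line):
    """Extract the DNS: SAN entries from a checktls 'Cert Hostname' result line."""
    inside = line[line.index("(") + 1 : line.rindex(")")]
    return [p.strip()[4:] for p in inside.split("|") if p.strip().startswith("DNS:")]

def fetch_smtp_sans(mx_host, port=25, timeout=10):
    """Live check: STARTTLS to mx_host (smtplib sends it as SNI) and list the DNS SANs."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared by uncovered()
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cert = smtp.sock.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Result line copied from the checktls output in the thread.
CHECKTLS_LINE = ("[000.727] Cert Hostname DOES NOT VERIFY (mail.aalex.net != aalex.org | "
                 "DNS:aalex.org | DNS:ftp.aalex.org | DNS:mail.aalex.org | "
                 "DNS:pop.aalex.org | DNS:smtp.aalex.org)")

if __name__ == "__main__":
    sans = parse_checktls_sans(CHECKTLS_LINE)
    print("SANs presented:", sans)
    print("MX names not covered:", uncovered(["mail.aalex.net", "mail.aalex.org"], sans))
```

Running `uncovered(["mail.aalex.net"], fetch_smtp_sans("mail.aalex.net"))` from a host that can reach port 25 repeats the test after a certificate or SNI change; an empty list means the MX name is covered.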
 