A different kind of Sectigo AutoSSL error: wrong subject name (from "primary" account)

swbrains

I have been experiencing the "Sectigo currently can't accept requests..." error for several months, but it seems that eventually Sectigo does issue the certs in my experience. But last night I had a different (but somewhat related) issue that I noticed while creating a new account and running the AutoSSL check on that account to request/install an SSL certificate for it. Eventually (about 30-40 minutes later after several pollings according to the AutoSSL log), Sectigo does issue the certificate, and says it's successful. But when the cert is installed, the site cannot be reached and my browser shows the message: "NET::ERR_CERT_COMMON_NAME_INVALID - This server couldn't prove that it's newaccount1.example.com; its security certificate is from *.default.example.com. This may be caused by a misconfiguration or an attacker intercepting your connection."

Upon further examination of the certificate in my browser (Edge), the certificate's Subject name is incorrect.

In my case, I am creating sites under subdomains of my main domain (newaccount.example.com). The server is a dedicated server with a shared IP for all hosted accounts. There is a "default.example.com" account marked as the "primary" in "Manage SSL Hosts" in WHM. That account currently has a valid non-expired certificate with the Subject name "*.default.example.com" issued by Let's Encrypt.

But when AutoSSL (using Sectigo) runs a check on a new account and issues a certificate for it, for example: "newaccount1.example.com", the AutoSSL log eventually says it was successful (after several retries including some "currently not accepting requests..." messages). But when accessing the site using https://newaccount1.example.com, the browser issues the error: "NET::ERR_CERT_COMMON_NAME_INVALID - This server couldn't prove that it's newaccount1.example.com; its security certificate is from *.default.example.com. This may be caused by a misconfiguration or an attacker intercepting your connection." When I view the certificate details in my browser for that site, it indeed shows a subject name of "*.default.example.com" which is not the site applied for when running AutoSSL. Somehow the server has installed the wrong certificate.

But when I view the SSL hosts for the domain in WHM or the account's cPanel, it does not show the invalid certificate for "*.default.example.com" as being installed for that account -- it shows the correct one listed as "newaccount1.example.com". I can delete it and retry, but get the same bogus Subject Name in the newly-issued cert again.

Switching providers to Let's Encrypt and running the AutoSSL check on that account does issue a valid certificate with the correct subject name and the site is properly accessible, so this does appear to be a Sectigo-specific issue.
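
A way to confirm the symptom described in the post from outside the browser, as an added example that is not part of the original post: it reads the names in the certificate the server actually presents for a given SNI hostname and checks them against the requested host and against the primary account's names. The function names and result labels are hypothetical, and the sample values are constructed from the hostnames in the post.

```python
import socket
import ssl


def dns_name_matches(pattern, host):
    """RFC 6125-style match: '*' only as the entire left-most label, one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse over-broad wildcards such as "*.com".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def served_dns_names(host, port=443, timeout=10):
    """Return the dNSName SAN entries of the certificate presented for SNI=host.

    Needs network access. Chain validation stays on (getpeercert() returns an
    empty dict otherwise); only the hostname check is disabled so a mismatched
    certificate can still be inspected.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def classify(host, served_names, primary_names):
    """Label what the server presented for `host` (labels are hypothetical)."""
    if any(dns_name_matches(name, host) for name in served_names):
        return "ok"
    if set(served_names) == set(primary_names):
        return "serves-primary-cert"
    return "mismatch"


if __name__ == "__main__":
    # Constructed values mirroring the post; use served_dns_names(host) on a live server.
    host = "newaccount1.example.com"
    primary = ["*.default.example.com"]
    served = ["*.default.example.com"]
    print(host, "->", classify(host, served, primary))
```

A result of "serves-primary-cert" while WHM lists the correct certificate for the account indicates that what the web server presents differs from what the panel shows as installed.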