My cert isn't applying

[bgoosman]

Navigate to https://studiofinder.art

This server could not prove that it is studiofinder.art; its security certificate is from *.surge.sh. This may be caused by a misconfiguration or an attacker intercepting your connection.

To apply my .pem, I ran surge ssl:

surge ssl

         domain: https://studiofinder.art
       pem file: surge.pem
   Success - the pem file has been applied

before that I concat'ed my fullchain.pem to my privkey.pem

sudo cat /etc/letsencrypt/live/studiofinder.art/fullchain.pem /etc/letsencrypt/live/studiofinder.art/privkey.pem > surge.pem

before that I used certbot to manually verify my domain and provision a cert with letsencrypt:

sudo certbot certonly --manual --preferred-challenges dns -d studiofinder.art

What am I doing wrong?

[bgoosman]

Why is the server certificate using CN=*.surge.sh even after I applied my own cert?

curl https://studiofinder.art -k -I -v
*   Trying 45.55.110.124:443...
* Connected to studiofinder.art (45.55.110.124) port 443 (#0)
* ALPN, offering http/1.1
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS header, Finished (20):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.surge.sh
*  start date: Apr 18 00:00:00 2022 GMT
*  expire date: May 17 23:59:59 2023 GMT
*  issuer: C=GB; ST=Greater Manchester; L=Salford; O=Sectigo Limited; CN=Sectigo RSA Domain Validation Secure Server CA
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

[bgoosman]

openssl reports correct CN of my surge.pem

openssl x509 -in surge.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            ...
        Signature Algorithm: ...
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Nov 29 20:03:07 2022 GMT
            Not After : Feb 27 20:03:06 2023 GMT
        Subject: CN = studiofinder.art

[bgoosman]

Oh wait, after writing all of that out, I'm finally getting the correct cert. So it seems to take some time to take effect. I'm glad it worked 😄, but I wish the docs said that it might take some time. (speaking as an ssl beginner). Thanks for looking! 🙌

[bgoosman]

I'm running into this with another domain now. It's been two hours :/