A problem with access

My domain is: candy-cc.com

I ran this command: When you access my site.
Sometimes, the following messages may be shown when you visit my website.
(I translated the message displayed in Japanese in English.)
After a while, you will be able to access it normally.

It produced this output: -Message-

Connection is not private.
This website may be “candy-cc.com” to steal your personal information or financial information.
Close this page, please.
If you have a certificate that the website is not valid, you will see a warning.
This may occur when the website has been set up wrongly or there is an unauthorized intrusion by an attacker.
You can see the certificate in detail.
You can view this website if you understand the dangers associated with it.

My web server is (include version): Apache 2.4.37

The operating system my web server runs on is (include version): CentOS 8

My hosting provider, if applicable, is: Using No-IP to use DDNS.

I can login to a root shell on my machine (yes or no, or I don't know): no

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.14.0

1 Like

Do you have a screenshot of the certificate details, when this error happens?

That would give a hint about what exactly is going wrong. For example, knowing the domain name and issuer name from the "wrong" certificate, would be really useful.

1 Like

Hi @Candy, and welcome to the LE community forum :slight_smile:

It might have something to do with links to https://www.candy-cc.com/
[which doesn't have a proper cert: SSL Server Test: www.candy-cc.com (Powered by Qualys SSL Labs)]

1 Like

There are indeed no certificates for the www subdomain issued: crt.sh | candy-cc.com

If the references to the www subdomain are indeed the issue here, there are two solutions:

  • Easiest: change every reference from www.candy-cc.com to candy-cc.com, so the current certificate can be used without errors;
  • A little bit more work: include the www subdomain into the certificate too.

I think it's best for a site to have just a single hostname in use and not to combine a hostname with and without the www subdomain, so I'd want to suggest the first option :slight_smile:

2 Likes

Nice to meet you.
Thank you for your quick reply.

Well, about the screenshot, I don't know when this error will happen.
So, I'll take a screenshot at the time of the error and post again.
Please help me again at that time.

Thank you very much.

1 Like

Nice to meet you.
Thank you for your quick reply.

Is it because I don't define the "www" subdomain?

Thank you for pointing it out.

2 Likes

Nice to meet you.
Thank you for your quick reply.

I may not understand, but should I set the following?

  • Define hostname on the site.
  • I will issue a certificate under the name of “www.candy-cc.com”.

If this is okay, I'll try it.

Thank you for pointing it out.

1 Like

Welcome to the Let's Encrypt Community, Tadahiro :slightly_smiling_face:

Your certificate only covers candy-cc.com instead of covering both candy-cc.com and www.candy-cc.com. Thus, anyone who visits www.candy-cc.com will be presented with an invalid certificate.

https://crt.sh/?q=candy-cc.com

1 Like
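As an added illustration (not part of any post in this thread): a short Python sketch of the hostname check a TLS client performs against a certificate's subjectAltName, simplified from RFC 6125. The SAN lists are constructed samples built from the two names discussed above, and the function names are hypothetical.

```python
# Added example: which of a site's hostnames does a certificate's SAN list
# leave uncovered? Simplified RFC 6125 matching (DNS names only).

def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if one SAN dNSName entry covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        # A wildcard stands for exactly one label, so "*.example.com"
        # never covers the bare "example.com".
        return False
    if p[0] == "*":
        # Wildcard accepted only as the whole left-most label, and only
        # above a registrable-looking suffix (simplification: >= 3 labels).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def uncovered(san_names, hostnames):
    """List the hostnames that no SAN entry covers."""
    return [h for h in hostnames
            if not any(name_matches(s, h) for s in san_names)]


# Constructed sample data: the two names the site is reached by, and
# several possible SAN lists for a certificate served on them.
SITE_NAMES = ["candy-cc.com", "www.candy-cc.com"]
CERT_APEX_ONLY = ["candy-cc.com"]            # the situation described above
CERT_WWW_ONLY = ["www.candy-cc.com"]
CERT_BOTH = ["candy-cc.com", "www.candy-cc.com"]
CERT_WILDCARD = ["*.candy-cc.com"]

if __name__ == "__main__":
    for label, san in [("apex only", CERT_APEX_ONLY),
                       ("www only", CERT_WWW_ONLY),
                       ("both names", CERT_BOTH),
                       ("wildcard", CERT_WILDCARD)]:
        missing = uncovered(san, SITE_NAMES)
        print(f"{label:12} -> {missing or 'all names covered'}")
```

A wildcard entry alone still leaves the bare domain uncovered, which is why a certificate for both forms lists both names explicitly.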

Something that can make this issue extra-confusing is that Google Chrome may accept these names as interchangeable, while other web browsers don't. So it might appear to work properly without issuing a certificate for both names, if you check only using Chrome, but it still might not work properly for people using any other software.

2 Likes

Nice to meet you.
Thank you for your quick reply.

You must be able to access the site correctly whether or not "www" is attached to the domain name.
That is how I interpreted it.
Is that correct?
Is it possible to set this in "httpd.conf" and "ssl.conf"?
As far as I remember, I think I could do that.
I will look into it again and check it.

Thank you for pointing it out.

2 Likes

Nice to meet you.
Thank you for your quick reply.

You must be able to access the site correctly whether or not "www" is attached to the domain name.
I will look into it again and check it.

Thank you for pointing it out.

1 Like

I believe the situation is like this:

For users of Google Chrome, https://candy-cc.com/ and https://www.candy-cc.com/ are "the same site".

But for users of other browsers, they are "not the same site".

Google Chrome is more lenient in ignoring any certificate error in this case. Other browsers are stricter in not ignoring such errors.

This difference in behavior between browsers sometimes conceals problems.

2 Likes

certbot can surely obtain a cert with both names on it.

Step 1: DNS entries [these are already correct]
Step 2: HTTP config [you need to add an HTTP section for www name]
Step 3: Obtain cert with both names [ask for help here if you need it]
Step 4: Use new cert within both secure sections [redirect www connections to base domain]

1 Like

I added the following sentences.
Add “ServerAlias www.candy-cc.com” to httpd.conf.
Add “ServerAlias www.candy-cc.com” to ssl.conf.
From this result, the behavior differs depending on the browser.

iPhone Safari : OK
iPhone Documents : NG
PC Edge : OK
PC Firefox : NG
iMac Firefox : NG
iMac Chrome : NG
iMac Safari : NG

I thought this would give the right result.
But it seems that it is still insufficient.

Do you have the cert with both names on it?
Do you have a cert with the www.candy-cc.com name on it?

1 Like

Do I need a certificate for both names?
As it stands, it's only "candy-cc.com".
In order to do that, do I have to run Certbot for both?

If you want to redirect https://www.candy-cc.com/ to https://candy-cc.com/ then yes you do need a cert for each name (or one cert with both names on it).

Yes, you have to run certbot and choose only www.candy-cc.com or choose both names.

1 Like

Now that I have run certbot with “-d www.candy-cc.com”, the browsers which had been showing errors have become normal.

Thank you so much!

2 Likes

But I still don't see the www name using a correct cert :frowning:
Please show the output of:
certbot certificates

2 Likes

This is a screenshot of the results of running "certbot certificates" as you said.

I think there's probably no problem.