Browser does not trust my site


#1

I have created and installed the Let's Encrypt X3 certificate using certbot and the step-by-step guide. https://puu.sh/ClivX/42143affe8.png
That screenshot is what I'm seeing when I try to navigate to my site, and I am viewing the certificate in the screenshot as well. Have I missed doing something?

My domain is: https://verramercantileco.com

I ran this command:

It produced this output:

My web server is (include version): Apache2 v2.4.18

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

What browser is that? Can you show the address bar in the same screenshot as the error?

Your domain points to Cloudflare’s CDN currently, you shouldn’t even see that certificate when connecting to it in a browser.


#3

Well, since I'm on the same network as the web server I have to go by IP, so I do https://192.168.18.250 to reach the site. I'm using Chrome; the same goes for Firefox, but I see now that the Kaspersky logo shows in the bottom left. https://puu.sh/Cllev/ada0e962d4.png
Is Kaspersky to blame for this?
It is important to have the certificate working even if Cloudflare protects the site from outside; I use the certificate when sending emails from the site as well.


#4

There are two things going on:

  1. As you have identified, yes, Kaspersky is intercepting all of your network connections and altering them. This is not great, as it indicates that they've installed a root certificate on your system and are forging certificates from the anti-virus or whatever it is. This subverts the security of your entire system, because it replaces the established browser protections for SSL verification with its own crappy imitation that makes the root private key vulnerable to theft and forgery of certificates for any domain (like your banking).

  2. If you try to visit your site directly by IP address, then you will experience this error, even if you get rid of Kaspersky. This is because the certificate is not valid for an IP address. The solution to this is to use the real domain in your address bar, by either:

    a. Using a change to your system locally in /etc/hosts to point your domain to the LAN IP, or
    b. Using something like split-horizon DNS or reflected NAT so that everybody on your network can access the domain directly (but using LAN) without the /etc/hosts change


#5

Hi @azurl2

There is an additional error: you have a direct loop:


Domainname                          IP             Http-Status  redirect                            Sec.   G
http://verramercantileco.com/       104.18.62.106  301          https://verramercantileco.com/      0.030  A
http://verramercantileco.com/       104.18.63.106  301          https://verramercantileco.com/      0.017  A
http://www.verramercantileco.com/   104.18.62.106  301          https://www.verramercantileco.com/  0.013  A
http://www.verramercantileco.com/   104.18.63.106  301          https://www.verramercantileco.com/  0.013  A
https://verramercantileco.com/      104.18.62.106  301          https://verramercantileco.com/      1.283  L
https://verramercantileco.com/      104.18.63.106  301          https://verramercantileco.com/      1.170  L
https://www.verramercantileco.com/  104.18.62.106  200                                              1.446  B
https://www.verramercantileco.com/  104.18.63.106  200                                              1.427  B

Both of your https + non-www (two different IP addresses) are redirected to the same address.

Your https + www is ok.

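The loop the tool flags above is simply a redirect whose Location header points back at a URL already visited. The following walker, an added example that is not part of the thread or of the check-your-website tool, reproduces that diagnosis offline: the `BEFORE_FIX` and `AFTER_FIX` tables are constructed fixtures shaped after the rows quoted in this thread (status and Location per URL and IP), and `follow_redirects`, `report` and `REDIRECT_STATUSES` are names chosen here. A live probe that returns the same `(status, location)` tuple per `(url, ip)` can be swapped in for the fixture.

```python
from urllib.parse import urljoin

REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Constructed fixtures (not captured traffic): (url, ip) -> (status, Location header or None).
# BEFORE_FIX mirrors the thread's first table: https non-www answers 301 to itself (a loop),
# https www answers 200. AFTER_FIX mirrors the table posted after the Cloudflare change.
BEFORE_FIX = {
    ("http://verramercantileco.com/", "104.18.62.106"): (301, "https://verramercantileco.com/"),
    ("https://verramercantileco.com/", "104.18.62.106"): (301, "https://verramercantileco.com/"),
    ("http://www.verramercantileco.com/", "104.18.62.106"): (301, "https://www.verramercantileco.com/"),
    ("https://www.verramercantileco.com/", "104.18.62.106"): (200, None),
}
AFTER_FIX = {
    ("http://verramercantileco.com/", "37.123.132.77"): (301, "https://verramercantileco.com/"),
    ("https://verramercantileco.com/", "37.123.132.77"): (200, None),
    ("http://www.verramercantileco.com/", "37.123.132.77"): (200, None),
    ("https://www.verramercantileco.com/", "37.123.132.77"): (200, None),
}


def follow_redirects(start_url, ip, responses, max_hops=10):
    """Walk the redirect chain from start_url against one specific IP.

    responses maps (url, ip) -> (status, location). Returns (verdict, chain):
    'ok' ended on a non-redirect, 'loop' revisited a URL already in the chain,
    'too_many' exceeded max_hops, 'unreachable' had no answer for a hop.
    """
    chain = [start_url]
    seen = {start_url}
    url = start_url
    for _ in range(max_hops):
        status, location = responses.get((url, ip), (None, None))
        if status is None:
            return "unreachable", chain
        if status not in REDIRECT_STATUSES or not location:
            return "ok", chain
        nxt = urljoin(url, location)  # also resolves relative Location headers
        chain.append(nxt)
        if nxt in seen:
            return "loop", chain
        seen.add(nxt)
        url = nxt
    return "too_many", chain


def report(responses):
    """Verdict per start (url @ ip), in the spirit of the tool's G column."""
    return {f"{url} @ {ip}": follow_redirects(url, ip, responses)[0] for url, ip in responses}


if __name__ == "__main__":
    for name, fixture in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(name)
        for key, verdict in report(fixture).items():
            print(f"  {verdict:<11} {key}")
```

Testing each origin IP separately matters: behind a CDN or a multi-IP DNS answer, one backend can loop while another is fine, which is exactly why the tool repeats every URL per address.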

#6

Uhm, that looping, is it Cloudflare doing that? We just put in Cloudflare today; I am very noobish with how that works. Plus, it's the owner of the domain name that did that. I only host the server.


#7

If you don’t observe the redirect loop locally, it’s a pretty good sign that Cloudflare is responsible (or is interacting with your local redirect rules poorly).


#8

We pinned that down, should be good now. Thank you for the help :slight_smile:


#9

For those that may read this later…
Could you speak on what was changed to correct the problem?


#10

Certainly.
In Cloudflare config the redirect for * was set to 0.0.0.0 by standard, we set that to the same ip as the WWW, that removed the loops :slight_smile:


#11

Yep, your loop is gone. But your www has the wrong certificate.


Domainname                          IP             Http-Status  redirect                        Sec.   G
http://verramercantileco.com/       37.123.132.77  301          https://verramercantileco.com/  0.070  A
http://www.verramercantileco.com/   37.123.132.77  200                                          0.073  H
https://verramercantileco.com/      37.123.132.77  200                                          1.463  B
https://www.verramercantileco.com/  37.123.132.77  200                                          1.463  N
                                    Certificate error: RemoteCertificateNameMismatch

Your certificate has only one domain name:

CN=verramercantileco.com
03.11.2018
01.02.2019
verramercantileco.com - 1 entry

Create one certificate with two domain names - verramercantileco.com + www.verramercantileco.com and use that.


#12

Can I modify the current certificate to include the www? Or do I need to make a new one entirely?


#13

It’s impossible to change a certificate.

But it’s no problem to create a new certificate. If you use Certbot, add two domains:

-d verramercantileco.com -d www.verramercantileco.com

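Both failures in this thread are the same check from the browser's side: the name typed in the address bar is compared against the certificate's Subject Alternative Name entries, an IP literal only against iPAddress entries (post #4) and a DNS name only against dNSName entries, which is why the single-name certificate gives RemoteCertificateNameMismatch for www (post #11). The matcher below is an added example, not code from the thread, Certbot or Let's Encrypt. `OLD_CERT_SAN` and `NEW_CERT_SAN` are constructed tuples in the shape that Python's `ssl.SSLSocket.getpeercert()["subjectAltName"]` returns, mirroring the one-name and two-name certificates discussed; `split_san`, `dns_matches`, `target_is_covered` and `explain` are names chosen here.

```python
import ipaddress

# Constructed SAN lists (not captured from a live handshake), in the tuple shape
# ssl.SSLSocket.getpeercert()["subjectAltName"] uses: ("DNS", name) / ("IP Address", addr).
OLD_CERT_SAN = (("DNS", "verramercantileco.com"),)
NEW_CERT_SAN = (("DNS", "verramercantileco.com"), ("DNS", "www.verramercantileco.com"))


def split_san(san):
    """Separate getpeercert()-style subjectAltName tuples into dNSName strings and iPAddress objects."""
    dns = [value for kind, value in san if kind == "DNS"]
    ips = [ipaddress.ip_address(value) for kind, value in san if kind == "IP Address"]
    return dns, ips


def dns_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive; '*' is accepted only as the entire
    leftmost label, matches exactly one label, and never stands in for the whole domain."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    if len(p_labels) < 3 or len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def target_is_covered(san, target):
    """True if the address-bar target (DNS name or IP literal) is covered by the SAN."""
    dns_names, ip_names = split_san(san)
    try:
        ip = ipaddress.ip_address(target.strip("[]"))  # IPv6 literals appear bracketed in URLs
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries; a dNSName entry never
        # matches it, so https://192.168.18.250 fails against a name-only certificate.
        return ip in ip_names
    return any(dns_matches(p, target) for p in dns_names)


def explain(san, target):
    """One-line verdict in the style of the thread's tool output."""
    dns_names, ip_names = split_san(san)
    listed = dns_names + [str(i) for i in ip_names]
    verdict = "OK" if target_is_covered(san, target) else "RemoteCertificateNameMismatch"
    return f"{target}: {verdict} (SAN: {', '.join(listed)})"


if __name__ == "__main__":
    for label, san in (("old cert", OLD_CERT_SAN), ("new cert", NEW_CERT_SAN)):
        print(label)
        for target in ("verramercantileco.com", "www.verramercantileco.com", "192.168.18.250"):
            print("  " + explain(san, target))
```

Note that the new two-name certificate still does not cover the LAN IP; that is expected, since public CAs issue for DNS names, and the fix for LAN access remains pointing the real name at the LAN address (hosts file or split-horizon DNS) as described in post #4.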
#14

Thank you very much. I shall try this as soon as I am able.


#15

I have done it. Or I believe I have done it. Can you confirm?


#16

Yes, now your certificate is good:

Your four standard websites (http / https, non-www / www):

Domainname                          IP             Http-Status  redirect                        Sec.   G
http://verramercantileco.com/       37.123.132.77  301          https://verramercantileco.com/  0.074  A
http://www.verramercantileco.com/   37.123.132.77  200                                          0.070  H
https://verramercantileco.com/      37.123.132.77  200                                          1.707  B
https://www.verramercantileco.com/  37.123.132.77  200                                          1.460  B

Your certificate has now two entries:

CN=verramercantileco.com
22.12.2018
22.03.2019
verramercantileco.com, www.verramercantileco.com - 2 entries

PS: This is the output of my online tool https://check-your-website.server-daten.de/?q=verramercantileco.com - so you can check it again.

Perhaps add a redirect http + www -> https + www and then from https + www -> https + non-www, so that every user sees https + non-www (if this is your preferred version).


#17

Thanks man! Yeah, I will have the HTTP version removed once everything else is up and running, and redirect all HTTP requests to HTTPS.

