Browser using expired certificates instead of the new ones

Hello,
I have a problem with new certificates which aren't recognized by the browsers even though the old certificates are expired.
To specify the problem:
I want to reach a server behind a firewall with a static IPv4 address (there is software running on it that uses webserver specifications). To reach it I use port 8443. First I tried to create a subdomain on the public webserver host I'm using, with a DNS entry pointing to the local static IPv4 address. The first certificate was fine and accepted, but after three months it had expired, and the auto-renew didn't work because of the DNS entry I needed. So I thought about a different solution.
I configured a reverse proxy on a Securepoint firewall, and I added an ACME challenge on the webserver host I'm using, including a DNS entry for the subdomain pointing to the local public IPv4 address. The ACME challenge and the certificate were created fine (as far as I can guess, because the firewall says "OK" when I check the status).
But when I try to reach the address, the browser still gives a certificate expired error message, because it's still using the one which expired on 02.10.23 and not the new one I created on 16.10.23.

When I check the domain certificate here https://crt.sh/?q=elo.rath-bau.de it shows me, of course, all certificates I've ever created and tried, but I don't know how to tell the browser that it should use the new certificate created on 16.10.23.
How can I solve this? I don't use certbot or other well-known server programs, scripts or software, because the firewall is doing the certificate and the renewal.

It looks like your HTTPS service has a faulty configuration for the certs.

On port 443, requests to that domain use a cert for mail.rath-bau.de and not elo.rath-bau.de.

On port 8443, requests return a cert with the correct name but an incorrect sequence for the intermediates.

You can see what is happening using a site like the one below. This will give a clearer picture than what a browser shows.

If you provide more details about exactly what service is using the cert on these ports, maybe someone can give specific advice.

4 Likes
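As an added illustration (not code from the thread, from Let's Encrypt or from Securepoint): a small POSIX shell script that does from the command line what the reply above suggests doing with a web checker. It fetches the chain the endpoint actually serves for a given SNI name and port with `openssl s_client`, prints the leaf's subject and expiry, and checks that each certificate's issuer is the subject of the next one, which is the "incorrect sequence for the intermediates" problem. The two sample chains embedded in it are constructed for the demonstration, not captured from the host in the thread, and the host/port arguments are placeholders; it assumes `openssl`(1) is on PATH.

```shell
#!/bin/sh
# Added example, not from the thread: look at the chain a TLS endpoint actually serves
# for a given name and port, and check the intermediate ordering. Requires openssl(1).
# Host names and ports are placeholders; the sample outputs further down are
# constructed for the demonstration, not captured from any real host.

# Fetch what the server sends for this SNI name on this port. This is what the browser
# receives, regardless of what the firewall UI reports as "OK".
fetch_chain() {
    # $1 host or IP, $2 port, $3 SNI name
    openssl s_client -connect "$1:$2" -servername "$3" -showcerts </dev/null 2>/dev/null
}

# Subject of the depth-0 (leaf) certificate, from s_client output on stdin.
served_leaf_subject() {
    awk '/^ *0 s:/ { sub(/^ *0 s:/, ""); print; exit }'
}

# Walk the " N s:" / "   i:" pairs from s_client output on stdin and verify that each
# certificate's issuer is the subject of the next one. Prints OK, or the first break,
# and returns non-zero on a broken or empty chain.
check_chain_order() {
    awk '
        BEGIN { n = 0 }
        /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0 }
        /^ *i:/        { sub(/^ *i:/, "");        iss[n]  = $0; n++ }
        END {
            if (n == 0) { print "no certificates in input"; exit 1 }
            for (k = 0; k < n - 1; k++) {
                if (iss[k] != subj[k + 1]) {
                    printf "broken at depth %d: issued by \"%s\" but next cert is \"%s\"\n", k, iss[k], subj[k + 1]
                    exit 1
                }
            }
            print "OK"
        }'
}

# Subject and notAfter of the leaf PEM (openssl x509 reads only the first PEM block).
leaf_expiry() {
    openssl x509 -noout -subject -enddate
}

# Constructed sample: leaf, then the ROOT, then the intermediate -- the kind of
# "correct name, wrong intermediate sequence" chain the reply above describes.
sample_bad_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = elo.rath-bau.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

# Constructed sample of the same chain in the order a client expects.
sample_good_chain() {
cat <<'EOF'
Certificate chain
 0 s:CN = elo.rath-bau.de
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
EOF
}

# Usage: sh check_served_chain.sh <host-or-ip> <port> <sni-name>
if [ "$#" -eq 3 ]; then
    out=$(fetch_chain "$1" "$2" "$3")
    printf 'leaf subject: %s\n' "$(printf '%s\n' "$out" | served_leaf_subject)"
    printf '%s\n' "$out" | leaf_expiry
    printf '%s\n' "$out" | check_chain_order
fi
```

Running it twice with the same SNI name, once against port 443 and once against 8443, makes the two findings in the reply visible side by side: a leaf subject for the wrong host on one port, and a chain that breaks at depth 0 on the other. A matching subject line alone proves nothing about the subjectAltName entries a browser actually checks; for that, pipe the same s_client output through `openssl x509 -noout -ext subjectAltName`.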

Hi @dietz-it, and welcome to the LE community forum :slight_smile:

That's not where that happens.
There is no way to tell a browser which cert to use [outside of what is being served].

That is where you need to look for a fix.
I'd be asking for help from the firewall vendor.

4 Likes

The issue with port 443 and port 8443 happened because there are two subdomains pointing to the local public IP address. 443 is for the mail server (which also has a DNS entry on the webserver host pointing to the local public IP), and 8443 is for the reverse proxy on the firewall.
The problem is that the local "webserver" is not really a webserver. There are no services installed like Apache or anything else. On this server there is a DMS software running which answers on port 13100, and over this you get access to the rest of the DMS.
What I read and see is that actually the firewall with the reverse proxy is responsible for which certificate is used? I will contact the firewall support and ask there what the issue could be.
Thanks for your help so far; I will let you know how it goes.

2 Likes
