Browsers and ssllabs disagree on certificate validity

My domains are:
circleoflightandlove.com
andreas333.com
mijnbuurt1.nl
nulacomputers.com

and some others

Web server: Apache/2.4.18 (Ubuntu)

Operating system: Ubuntu 16.04.6 LTS

Hosting provider: Digital ocean

I can login to a root shell.

I do not use a control panel.

Certbot version: certbot 0.31.0


I have run into problems with letsencrypt certificates and browsers.

I have spent the last two days trying to figure out what the problem is.
It seems the problem is like this:

I have a number of domain names, all as different virtual hosts.
Until three days ago, I thought I had no problems. Everything seemed to work fine.

Friday I added a new domain mijnbuurt1.nl with a virtual host and created a certificate.
Firefox decided that my new website was a security risk.

I checked the certificate with https://www.ssllabs.com/ssltest/analyze.html
According to ssllabs the certificate is good.
But Firefox does not trust it.
Chrome and Brave trust it, but not the script subdirectory.

I checked a certificate of circleoflightandlove.com with ssllabs.
Ssllabs stated, that the certificate was wrong.
But all the browsers have no problem with this website.
I deleted the certificate with

certbot delete

Then I created a new certificate with

certbot --apache -d circleoflightandlove.com

Then I checked that domain again with ssllabs.
ssllabs thinks my certificate is good.
But the browsers (Firefox, Chrome, Brave) do not handle my site well.
Firefox says:
ssl_error_bad_cert_domain

I deleted the new certificate and created it again, this time with:

certbot --apache -d www.circleoflightandlove.com

(Difference: this time with www.)

Now ssllabs says:
Certificate name mismatch

But the browsers handle my site as they should.

When I tell ssllabs to ignore the name mismatch and proceed, ssllabs says:

Subject:           www.andreas333.com
Common name:       www.andreas333.com
Alternative names: www.andreas333.com   MISMATCH
Trusted:           no                   NOT TRUSTED

Questions:
How can I find out what goes wrong?
Where can I find more information?
Is there a way to read the certificate?

Thanks for the help you can give me.

Hi @nulacomputers

You are doing something wrong.

If you use two domain names (main domain and www subdomain), the easiest solution is one certificate with both domain names.

So if you create only certificates with one domain name, that's wrong.

See your certificates - https://check-your-website.server-daten.de/?q=circleoflightandlove.com#ct-logs

Issuer                       not before  not after   Domain names                   LE-Duplicate        next LE
Let's Encrypt Authority X3   2020-06-06  2020-09-04  www.circleoflightandlove.com   1 entries           duplicate nr. 1
Let's Encrypt Authority X3   2020-06-06  2020-09-04  circleoflightandlove.com       1 entries           duplicate nr. 1
Let's Encrypt Authority X3   2020-04-08  2020-07-07  www.circleoflightandlove.com   1 entries

Create one certificate with both domain names and use that.

If this is done, there is an additional problem: you have mixed content, see the #html-content part.

Fix that: http links must be https links.

Thanks for your answer, JurgenAuer.

I am not certain what I should do.
I just did an experiment with domain andreas333.com
(Since I can only ask five times for a new certificate per domain.)

I had two DNS A-records:

www.andreas333.com and andreas333.com

I deleted www.andreas333.com.
I deleted the certificate.
I created a new certificate with

certbot --apache -d andreas333.com

ssllabs says the certificate is good, but Firefox and Chrome say my website is a security risk.

I see three options.

One A record for domain.com (without www.)
and certificate with certbot --apache -d domain.com

This seems to be a problem.

One A record for www.domain.com (with www.)
and certificate with certbot --apache -d www.domain.com

Two A records for
domain.com
and
www.domain.com

and certificate with

certbot --apache -d domain.com -d www.domain.com

But I do not know what to choose. I opened a lot of pages found with google, but no clear answer.

What would you recommend?

I did some more testing.

When I use one A record like www.domainname.com
and I type in the URL domainname.com in Firefox,
everything seems to work.
But when I type in the URL domainname.com in Brave or Chrome (without www. before domainname),
I get the message: "This site can't be reached".

For the moment I assume that two A records per domain are what is required.

So now I use two A records for each domain, www.domain.com and domain.com,

and certificate with

certbot --apache -d domain.com -d www.domain.com

As far as I can see at the moment, that works the best.
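The rule behind both JurgenAuer's advice (one certificate carrying both names) and the setup the thread ends on (two A records plus `certbot --apache -d domain.com -d www.domain.com`) is that browsers match the hostname only against the certificate's subjectAltName entries; the Common Name is ignored, and ssllabs reports on whichever name it was given. The script below is an added example, not code from the thread or from certbot, and reproduces that matching rule so you can see which names a certificate actually covers. The certificate dictionaries are constructed to mirror the certificates described in the thread (the `getpeercert()` format of Python's `ssl` module); `fetch_peer_cert` and `check_domain` are illustrative helpers that talk to a live server and are only needed when you want to inspect what your own Apache vhost is serving.

```python
"""Which hostnames does a TLS certificate cover? (added example, not from the thread)

Browsers (Firefox, Chrome, Brave) accept a certificate for a hostname only
if that hostname is listed in subjectAltName; the Common Name alone does not
count. A certificate issued with only www.example.com therefore produces
ssl_error_bad_cert_domain when the site is opened as example.com.
"""
import socket
import ssl

# Constructed certificate dicts in the shape returned by ssl.SSLSocket.getpeercert().
# They mirror the certificates described in the thread; they are not real data.
CERT_WWW_ONLY = {
    "subject": ((("commonName", "www.circleoflightandlove.com"),),),
    "subjectAltName": (("DNS", "www.circleoflightandlove.com"),),
}
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "circleoflightandlove.com"),),),
    "subjectAltName": (
        ("DNS", "circleoflightandlove.com"),
        ("DNS", "www.circleoflightandlove.com"),
    ),
}
# CN says apex, SAN says www only: browsers still reject the apex name.
CERT_CN_ONLY_APEX = {
    "subject": ((("commonName", "andreas333.com"),),),
    "subjectAltName": (("DNS", "www.andreas333.com"),),
}


def san_dns_names(cert):
    """DNS names listed in the certificate's subjectAltName extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def _name_matches(pattern, hostname):
    """RFC 6125-style match: exact name, or a wildcard that is the whole
    left-most label and replaces exactly one label ('*.example.com' covers
    'www.example.com' but neither 'example.com' nor 'a.b.example.com')."""
    p = pattern.lower().rstrip(".")
    h = hostname.lower().rstrip(".")
    if p == h:
        return True
    if p.startswith("*.") and "*" not in p[2:]:
        p_labels, h_labels = p.split("."), h.split(".")
        return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]
    return False


def hostname_matches(cert, hostname):
    """True if a browser would accept this certificate for `hostname`.
    Only subjectAltName is consulted, exactly as modern browsers do."""
    return any(_name_matches(name, hostname) for name in san_dns_names(cert))


def coverage_report(cert, hostnames):
    """Map each hostname to whether the certificate covers it."""
    return {h: hostname_matches(cert, h) for h in hostnames}


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch the certificate a server presents for `hostname` via SNI.
    The chain is verified against the system trust store, but the hostname
    check is disabled so a mismatched certificate can still be inspected
    (getpeercert() returns an empty dict when the chain is not verified)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we do the name check ourselves, above
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check_domain(domain):
    """Pre-flight for the two-A-record setup: both names must resolve and
    the certificate served for each must cover both names. Network-dependent."""
    names = [domain, "www." + domain]
    result = {}
    for name in names:
        try:
            socket.gethostbyname(name)  # the A record the thread found necessary
        except socket.gaierror as exc:
            result[name] = {"dns": False, "error": str(exc)}
            continue
        try:
            cert = fetch_peer_cert(name)
            result[name] = {"dns": True, "covers": coverage_report(cert, names)}
        except (OSError, ssl.SSLError) as exc:
            result[name] = {"dns": True, "error": str(exc)}
    return result


if __name__ == "__main__":
    both = ["circleoflightandlove.com", "www.circleoflightandlove.com"]
    print("www-only cert:", coverage_report(CERT_WWW_ONLY, both))
    print("both-names cert:", coverage_report(CERT_BOTH_NAMES, both))
```

To read the certificate your server actually serves from the shell, the equivalent is `openssl s_client -connect circleoflightandlove.com:443 -servername circleoflightandlove.com </dev/null | openssl x509 -noout -text`, and look at the `X509v3 Subject Alternative Name` line; `certbot certificates` lists the names each local certificate lineage covers, which is the quickest way to confirm both the apex and www names are in one certificate before Apache is pointed at it.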
