Certificate error on redirect from non-www to www

Hi, I have an Apache webserver hosting 3 different domains; 2 have LE certificates, the other has a Sectigo certificate.
The mylift.site domain with LE certificate has been configured (I think ...) to work with both www and without www.
Now when you log into the domain with https://www.mylift.site everything is OK, but when you log into the domain with https://mylift.site an error comes up in Chrome that says NET::ERR_CERT_COMMON_NAME_INVALID, but the certificate that the match seems to be made against is that of altea.net (Sectigo certificate).

Your connection is not private
Attackers might be trying to steal your information from mylift.site (for example, passwords, messages or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID
Subject: *.altea.net

Issuer: Sectigo RSA Domain Validation Secure Server CA

This server could not prove that it is mylift.site; its security certificate is from *.altea.net. This may be caused by a misconfiguration or an attacker intercepting your connection.

Continue to mylift.site (unsafe)

If I click on "continue with mylift.site", it goes to https://www.mylift.site.

The LE certificate for mylift.site is a certbot-auto generated certificate for the domain www.mylift.site (with www).

What could be the problem?

Does altea.net appear to be the default domain?

Thanks for any help.


The problem is within the Apache vhost config - which probably doesn't have both names in it.

Compare:
SSL Server Test: mylift.site (Powered by Qualys SSL Labs)
SSL Server Test: www.mylift.site (Powered by Qualys SSL Labs)

See outputs of:
openssl s_client -connect mylift.site:443 -servername mylift.site
openssl s_client -connect www.mylift.site:443 -servername www.mylift.site

The outputs are:

openssl s_client -connect mylift.site:443 -servername mylift.site

140319501752128:error:0200206E:system library:connect:Connection timed out:crypto/bio/b_sock2.c:110:
140319501752128:error:2008A067:BIO routines:BIO_connect:connect error:crypto/bio/b_sock2.c:111:
connect:errno=110

openssl s_client -connect www.mylift.site:443 -servername www.mylift.site

CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = www.mylift.site
...
...
...
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)

I added the second line to the vhost config file for mylift.site:

ServerAlias www.mylift.site
ServerAlias mylift.site

Now it seems to work, the above commands give the same result now, but...
checking with https://www.ssllabs.com still gives an error

You removed the most important part.

It seems the tools I gave you haven't helped you resolve the problem...
Let's start to unravel this together with the output of:
sudo apachectl -t -D DUMP_VHOSTS

@papalii
Hold everything!

You need to get a cert that has both names on it.

I re-created the certificate with both names.
It worked!

Thanks @rg305 !!!

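The thread ends with two fixes that have to go together: the vhost must answer for both names (ServerName plus ServerAlias) and the certificate it serves must list both names in its subjectAltName, since browsers match the requested hostname against the SAN list only. The script below is an added example, not part of the original thread and not certbot's or Apache's own code. It writes the corrected vhost, extracts the names that vhost answers for, and checks each one against a certificate's SAN list before you reload Apache. The certificate paths in the vhost, the file names, and the self-signed test certificates it generates with `openssl req -addext` (OpenSSL 1.1.1 or newer) are all assumptions constructed for the demo. The matching logic goes a little beyond the thread: it also handles a wildcard entry such as the `*.altea.net` certificate Chrome showed, which covers `www.altea.net` but not the bare `altea.net`.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate's SAN list
# covers every hostname an Apache vhost answers for. Paths, file names and
# the self-signed test certificates below are assumptions for the demo.
# Reissuing the real cert with both names would be, as in the thread:
#   certbot-auto --apache -d mylift.site -d www.mylift.site
set -eu

# Write the corrected vhost: ServerName plus ServerAlias so both names land
# in this vhost, pointing at a cert that must cover both (paths assumed).
write_vhost() {
  cat > "$1" <<'EOF'
<VirtualHost *:443>
    ServerName  mylift.site
    ServerAlias www.mylift.site
    DocumentRoot /var/www/mylift.site
    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/mylift.site/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/mylift.site/privkey.pem
</VirtualHost>
EOF
}

# Names a vhost file answers for: the ServerName and every ServerAlias.
vhost_names() {
  awk '$1=="ServerName"||$1=="ServerAlias"{for(i=2;i<=NF;i++)print $i}' "$1"
}

# DNS entries from a PEM certificate's subjectAltName, one per line.
san_dns_names() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' \
    | tail -n 1 \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p'
}

# Return 0 if NAME is covered by CERT's SAN list, 1 otherwise. The CN is
# ignored, as browsers ignore it. A wildcard covers exactly one label:
# *.altea.net matches www.altea.net but neither altea.net nor a.b.altea.net.
cert_covers_name() {
  cert=$1; name=$2
  for san in $(san_dns_names "$cert"); do
    [ "$san" = "$name" ] && return 0
    case $san in
      \*.*)
        suffix=${san#\*.}
        case $name in
          *.$suffix)
            head=${name%."$suffix"}
            case $head in
              *.*) ;;          # more than one label in front: not covered
              *)   return 0 ;;
            esac
            ;;
        esac
        ;;
    esac
  done
  return 1
}

# Return 0 if CERT covers every name CONF answers for; list the misses otherwise.
check_vhost_cert() {
  conf=$1; cert=$2; rc=0
  for n in $(vhost_names "$conf"); do
    if cert_covers_name "$cert" "$n"; then
      echo "ok      $n"
    else
      echo "MISSING $n"; rc=1
    fi
  done
  return $rc
}

# Self-signed test certificate (constructed, not a real cert).
# Usage: make_test_cert OUT.pem 'DNS:a,DNS:b' CN
make_test_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
    -days 1 -subj "/CN=$3" -addext "subjectAltName=$2" >/dev/null 2>&1
}

# Demo on constructed data: the www-only cert certbot-auto issued in the
# thread fails the check, a cert with both names passes.
demo() {
  d=$(mktemp -d)
  write_vhost "$d/mylift.conf"
  make_test_cert "$d/www-only.pem" 'DNS:www.mylift.site' www.mylift.site
  make_test_cert "$d/both.pem" 'DNS:mylift.site,DNS:www.mylift.site' www.mylift.site
  echo "== cert for www.mylift.site only"
  check_vhost_cert "$d/mylift.conf" "$d/www-only.pem" || true
  echo "== cert with both names"
  check_vhost_cert "$d/mylift.conf" "$d/both.pem"
  rm -rf "$d"
}
demo
```

On the real server, run `check_vhost_cert` against the vhost file and the `fullchain.pem` it references; the `sudo apachectl -t -D DUMP_VHOSTS` command suggested above tells you which vhost a given name actually lands in, so a name that is missing from every vhost falls through to the first one defined, which is how the altea.net certificate was being served for mylift.site.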
