Certificate Invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: industry.socs.binus.ac.id

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): CentOS, Apache 2.4.6, PHP 5

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.31.0

You’ve got a valid Let’s Encrypt certificate on that hostname.

Could you please elaborate about the problem you’re having?

Hi @exalted

there are two new Let's Encrypt certificates ( https://check-your-website.server-daten.de/?q=industry.socs.binus.ac.id ):

| CRT-Id | Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|---|
| 1359724251 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-07 03:43:15 | 2019-07-06 03:43:15 | industry.socs.binus.ac.id | duplicate nr. 2 | |
| 1359700927 | CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US | 2019-04-07 03:28:34 | 2019-07-06 03:28:34 | industry.socs.binus.ac.id | duplicate nr. 1 | |

But you don't use one of these, instead there is a self-signed certificate:

E=root@localhost.localdomain, CN=localhost.localdomain, OU=SomeOrganizationalUnit, O=SomeOrganization, L=SomeCity, S=SomeState, C=--
07.04.2019
06.04.2020
expires in 365 days

The certbot command you have used would be helpful.

How did you get that? Because my OpenSSL command returns a valid LE cert:

openssl s_client -connect industry.socs.binus.ac.id:443 -servername industry.socs.binus.ac.id | openssl x509 -noout -text

I've started the first check at 10:20 - https://check-your-website.server-daten.de/?i=3137f9c7-b947-4ac3-9795-c93cbebb13ec - there was the self-signed certificate.

Now - 10:44 - rechecked the domain - https://check-your-website.server-daten.de/?i=1351a8ca-9c77-4550-b85d-d89992962fcb - now there is the new Let's Encrypt certificate:

CN=industry.socs.binus.ac.id
07.04.2019
06.07.2019
expires in 90 days
industry.socs.binus.ac.id - 1 entry

and a Grade B (checking the redirects).

That domain has a curious problem: The certificate has

Signatur: SHA256 With RSA-Encryption

but my tool reports Sha1 as Hash algorithm. A few days earlier, a user reported that as a bug.

Searching - the reason: The tool opens a tcp connection, adds a SSL stream, then checks the properties of that stream to find Tls.1.0, the key exchange and the cipher. If SHA1 is reported, there must be an older component (an old firewall or something else) that can't handle SHA256. So this old component produces a downgrade.

I'm pretty sure this thread isn't the right place for debugging your tool. But SHA1/SHA2 is also used in the cipher used by TLS. If you see -SHA on the end of a cipher suite, it uses SHA1. SHA256 or SHA384 means SHA2 is used.
SHA1 certificates (besides root certs) can't be used since 2017.

@exalted Seems to me your issue is fixed currently, right?

Sorry for the trouble.

After I checked it, my ssl.conf was still using the localhost,

so I had to change it manually, and for now the issue has been resolved.

Thank you very much.

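The two hashes discussed in this thread, the one in the certificate's signature algorithm and the one named at the end of the TLS cipher suite, shown side by side as an added example (not code from any poster or from the checking tool). It reads text in the style of `openssl x509 -noout -text` together with the `Cipher` line of an `openssl s_client` session, and also flags a certificate whose subject equals its issuer, as with the localhost.localdomain default. The sample text, host name and function names are constructed for illustration.

```python
import re

# Constructed sample text (not captured from the thread's server): lines in the
# style of `openssl x509 -noout -text`, plus the "Cipher" line that
# `openssl s_client` prints in its session summary.
SAMPLE_CA_ISSUED = """\
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    Subject: CN=www.example.com
    Cipher    : ECDHE-RSA-AES256-SHA
"""
SAMPLE_DEFAULT_CERT = """\
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=--, O=SomeOrganization, CN=localhost.localdomain
    Subject: C=--, O=SomeOrganization, CN=localhost.localdomain
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

def cipher_hash(suite):
    """Hash named by the last component of a cipher suite name."""
    last = re.split(r"[-_]", suite.upper())[-1]
    if last == "SHA":
        return "SHA1"
    if last in ("SHA256", "SHA384"):
        return "SHA2"
    return "unknown"  # e.g. CHACHA20-POLY1305 in OpenSSL naming

def cert_sig_hash(sig_alg):
    """Hash used in the certificate's signature algorithm."""
    m = re.search(r"sha(\d+)", sig_alg.lower())
    if not m:
        return "unknown"
    if m.group(1) == "1":
        return "SHA1"
    return "SHA2" if m.group(1) in ("224", "256", "384", "512") else "unknown"

def summarize(text):
    def field(name):
        m = re.search(rf"^[ \t]*{name}[ \t]*:[ \t]*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""
    subject, issuer = field("Subject"), field("Issuer")
    return {
        # Matching subject and issuer is a heuristic for a self-signed cert.
        "self_signed": bool(subject) and subject == issuer,
        "cert_hash": cert_sig_hash(field("Signature Algorithm")),
        "cipher_hash": cipher_hash(field("Cipher")),
    }

if __name__ == "__main__":
    for name, text in (("CA-issued", SAMPLE_CA_ISSUED), ("default", SAMPLE_DEFAULT_CERT)):
        print(name, summarize(text))
```

In the first sample the certificate is signed with SHA2 while the negotiated suite ends in -SHA, so a report of SHA1 for the connection does not contradict a SHA256 certificate signature.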