Certificate with wrong IP prevents domain from going green


#1

I tried to regenerate my SSL cert by using letsencrypt-auto because today is December the 13th and my guess was that some issues would be removed at that point. But my new SSL cert was not generated for my server's IP. Here are some test results: https://www.ssllabs.com/ssltest/analyze.html?d=golden-griffons.de

Can anyone help me out with this issue, or is it just because neither the domain nor the server is in the US or Canada?

Thank you in advance!


#2

You generated a certificate that’s only valid for www.golden-griffons.de, it’s not valid for golden-griffons.de. You should generate a certificate that’s valid for both golden-griffons.de and www.golden-griffons.de by supplying both to the client.

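The point in the reply above is that a certificate covers exactly the names listed in its Subject Alternative Name extension, so a certificate for www.golden-griffons.de does nothing for golden-griffons.de. The following is an added example, not code from the thread or from Let's Encrypt: it implements the browser-side name matching (exact DNS match, wildcard only as the whole leftmost label, IP entries compared as addresses) and reports which requested names a certificate still lacks. The SAN lists are constructed for the example.

```python
"""Added example (not from the thread): which hostnames do a certificate's
Subject Alternative Names actually cover? The SAN lists below are constructed
to mirror the thread: the first certificate carries only www.golden-griffons.de,
the second carries both the apex and the www name."""
import ipaddress


def _dns_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style DNS-ID matching: case-insensitive, and a wildcard is
    only honoured as the whole leftmost label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False  # no partial wildcards ("w*.example.de"), no "*.de"
    if len(p_labels) != len(h_labels):
        return False  # "*.example.de" covers neither "example.de" nor "a.b.example.de"
    return p_labels[1:] == h_labels[1:]


def covers(san_entries, name: str) -> bool:
    """san_entries: list of ("DNS", value) / ("IP", value) tuples as they appear
    in the subjectAltName extension. `name` is the host the client connected to."""
    try:
        target_ip = ipaddress.ip_address(name)
    except ValueError:
        target_ip = None
    for kind, value in san_entries:
        if kind == "IP" and target_ip is not None:
            if ipaddress.ip_address(value) == target_ip:
                return True
        elif kind == "DNS" and target_ip is None:
            if _dns_matches(value, name):
                return True
    return False


def missing_names(san_entries, wanted):
    """Return the requested names the certificate does not cover: these are the
    names that still have to be passed with -d when re-issuing."""
    return [n for n in wanted if not covers(san_entries, n)]


# Constructed SAN lists for the example (not real certificate contents).
WWW_ONLY = [("DNS", "www.golden-griffons.de")]
BOTH = [("DNS", "golden-griffons.de"), ("DNS", "www.golden-griffons.de")]

if __name__ == "__main__":
    for label, sans in (("www-only cert", WWW_ONLY), ("apex+www cert", BOTH)):
        for host in ("golden-griffons.de", "www.golden-griffons.de"):
            print(f"{label}: {host} -> {'OK' if covers(sans, host) else 'NOT covered'}")
    print("still missing:", missing_names(WWW_ONLY, ["golden-griffons.de", "www.golden-griffons.de"]))
```

Note that a wildcard "*.golden-griffons.de" would also leave the apex uncovered, which is why the apex name has to be requested explicitly alongside www.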

#3

Thank you for your reply.

I followed your advice and have just added a server alias for www.golden-griffons.de and switched the server name to golden-griffons.de.

I restarted the service, reran the letsencrypt-auto command and got both domains in the dialog window. But the IPs the certificate is for are still

2.23.140.1.2.1
1.3.6.1.4.1.44947.1.1.1

but not my own server's.


#4

Seems to work for www now. Thank you so far.


#5

These don’t look like IP addresses, where are you getting these numbers from?


#6

The cert display in Chrome.

But you're right, I would have to use the -d option. It seems I tried it too often and I don't know when I can try regeneration again. Here is the command line output:

./letsencrypt-auto -d golden-griffons.de -d www.golden-griffons.de
Updating letsencrypt and virtual environment dependencies…
Running with virtualenv: sudo /home/drupal/.local/share/letsencrypt/bin/letsencrypt -d golden-griffons.de -d www.golden-griffons.de

    You have an existing certificate that contains a portion of the
    domains you requested (ref:
    /etc/letsencrypt/renewal/www.golden-griffons.de.conf)

    It contains these names: www.golden-griffons.de

    You requested these names for the new certificate:
    golden-griffons.de, www.golden-griffons.de.

    Do you want to replace this existing certificate with the new
    certificate?

An unexpected error occurred:
There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: golden-griffons.de
Please see the logfiles in /var/log/letsencrypt for more details.

https://www.golden-griffons.de/ is fine, so now it seems I actually need to know how to get off the blacklist to be able to re-run the command.


#7

You hit the rate limit in your experiments; you have to wait for 7 days until you can try again to request a valid certificate.

I don’t use Chrome so I have no idea what you’re talking about regarding the numbers, a screenshot might help to clarify.


#8

I have made a temporary redirect now and will just regenerate the cert in a week. That will fix it. Because I redirected the site I have no chance to make a screenshot, but the numbers may be the dummy IP addresses from the cert template for non-authorised sites.

You did great support here. Thanks a lot!


#9

Those aren't IP addresses at all. Those are SSL issuance / usage policies.


#10

X.509v3 policies to be exact:

https://www.openssl.org/docs/manmaster/apps/x509v3_config.html


#11

And your certificates are only issued against what you type after the -d option in your command line. So it wouldn't be IP and domain name, for example. It would be considered valid for the domain(s) it was issued against, no matter the IP.

And just as a tip:

IPv4 is 32 bits, 4 octets / groups of numbers between 0-255: xxx.xxx.xxx.xxx

And IPv6 is 128 bits, addresses are represented as eight groups of four hexadecimal digits with the groups being separated by colons.

So those numbers you noted shouldn't be confused with IP addresses.

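Posts #9 to #11 above identify the two numbers as certificate policy OIDs rather than IP addresses. The block below is an added example, not code from the thread, from Let's Encrypt or from OpenSSL: it tells an OID apart from an IPv4/IPv6 address using the rules given in the tip (4 octets of 0-255, or 8 hex groups), names the two OIDs from the thread (2.23.140.1.2.1 is the CA/Browser Forum domain-validated policy, 1.3.6.1.4.1.44947.1.1.1 is ISRG's Let's Encrypt certificate policy; the lookup table is an assumption for any other value), and shows how an OID is really stored in the certificate: as DER bytes, not as the dotted string Chrome renders.

```python
"""Added example (not from the thread): tell X.509 certificate-policy OIDs
apart from IP addresses, name the two OIDs seen in the thread, and DER-encode
and decode an OID the way it is stored in the certificatePolicies extension."""
import ipaddress

# Assumed lookup table for the two OIDs in the thread; other OIDs map to "unknown".
KNOWN_POLICY_OIDS = {
    "2.23.140.1.2.1": "CA/Browser Forum Baseline Requirements: domain-validated",
    "1.3.6.1.4.1.44947.1.1.1": "ISRG (Let's Encrypt) Certificate Policy",
}


def is_oid(text: str) -> bool:
    """Syntactic OID check: dotted non-negative integers without leading zeros,
    at least two arcs, first arc 0..2, second arc 0..39 unless the first arc is 2."""
    arcs = text.split(".")
    if len(arcs) < 2 or not all(a.isdigit() for a in arcs):
        return False
    if any(len(a) > 1 and a[0] == "0" for a in arcs):
        return False
    first, second = int(arcs[0]), int(arcs[1])
    if first > 2 or (first < 2 and second > 39):
        return False
    return True


def classify(text: str):
    """Return (kind, description): kind is 'ipv4', 'ipv6', 'oid' or 'unknown'.
    An IP address wins on ties: a four-arc OID with every arc <= 255 (e.g. 1.2.3.4)
    is syntactically also an IPv4 address, so display context still matters."""
    try:
        ip = ipaddress.ip_address(text)
        return ("ipv4" if ip.version == 4 else "ipv6", str(ip))
    except ValueError:
        pass
    if is_oid(text):
        return ("oid", KNOWN_POLICY_OIDS.get(text, "unregistered/unknown policy OID"))
    return ("unknown", text)


def _base128(n: int) -> bytes:
    """Big-endian base-128 with the high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER-encode an OID (tag 0x06): the first two arcs fold into 40*a+b,
    every further arc is base-128. Short-form length only (policy OIDs are tiny)."""
    if not is_oid(dotted):
        raise ValueError(f"not an OID: {dotted}")
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(40 * arcs[0] + arcs[1]) + b"".join(_base128(a) for a in arcs[2:])
    if len(body) > 127:
        raise ValueError("long-form length not supported in this example")
    return bytes([0x06, len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid, so the dotted form can be recovered from raw extension bytes."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OID")
    arcs, value = [], 0
    for b in der[2:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("truncated base-128 arc")
    first = arcs[0]
    lead = 2 if first >= 80 else first // 40
    return ".".join(str(a) for a in [lead, first - 40 * lead] + arcs[1:])


if __name__ == "__main__":
    for s in ("2.23.140.1.2.1", "1.3.6.1.4.1.44947.1.1.1", "203.0.113.10", "2001:db8::1"):
        print(s, "->", classify(s))
    der = encode_oid("2.23.140.1.2.1")
    print(der.hex(), "->", decode_oid(der))
```

The 2.23.140.1.2.1 policy is what an OpenSSL dump prints under "X509v3 Certificate Policies"; the encoder shows why 140 becomes two bytes (0x81 0x0C) on the wire, which is the kind of detail that makes an OID look nothing like an IP address once you see the raw bytes.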

#12

I just found this post:

So this also means you couldn't request a cert from LE for an IP address anyway. Other CAs do/may allow this though.