Certs showing up as invalid in old browsers/OS


#1

Hi, my host used certbot to install a cert for multiple domains on the same IP address and it appears to be working perfectly. If I visit the sites on my desktop I get a secure connection on all browsers, and it also works fine on mobile. My host recommended I test the certs on old browsers, so I tried several programs including browserstack and browserling that emulate legacy versions of, for example, Windows XP using IE 6.0.

On these older browsers I get errors on the cert saying that the domains do not match. Is this a problem with the emulators themselves or do I possibly have something set up incorrectly? I tried multiple OS and browser combinations and the oldest ones all gave the same results with an error. I suspect that the problem lies with the emulator as I found the error on some other sites, including 1 with a godaddy cert, but I don’t want to just assume that.

I’ve only set up certs on a few sites to start but had hoped to add them to around 200 (including subdomains). I don’t want to have a separate IP for each domain because that would be too costly (my host charges a monthly fee for each additional domain).

Thank you in advance for your help


#2

The built-in SSL implementation on Windows XP didn’t understand a technology called SNI which is used to do virtual hosting with HTTPS. Because your site has several DNS names on a single IP address, Internet Explorer can’t cope. Firefox on XP should work fine if you have XP customers who need to access the web site securely because Firefox uses its own SSL. Changing certificate provider won’t change whether XP works correctly.

It might be possible to arrange to have one certificate from Let’s Encrypt which lists all your names, and provide that for all the sites. This setup could work with IE on XP using a single IP address. But this is an unusual setup, your host might not want to set things up this way.


#3

Note that Let’s Encrypt also has a limit on the number of names that can be included on a single certificate, which I believe is currently 100. So if you want 200 domains set up this way you’ll need at least 2 IP addresses.


#4

Thank you both, and I forgot to mention, yes I fully expect to use several IPs, that’s no problem, I just can’t afford 200 IPs.

You say “It might be possible to arrange to have one certificate from Let’s Encrypt which lists all your names”, I’m pretty sure that’s how they did it, one cert with multiple names. I’ll send them what you wrote and double check though.


#5

My host just sent me this reply

“I did have to use a different cert for a couple of the sites because would not generate the cert without using different verification options. They will all be able to use the same ip though.”

So it sounds like he put multiple certs on the same IP, was this a bad way of doing it? What would you recommend to correct it?

Thank you again


#6

It’s only “bad” in the sense that it’s not compatible with some very old browsers.

How to correct it? I’m not really sure what’s the best approach here. First, a word of warning: if you (or your host) simply try again to issue a single certificate for all names, it might seem to work, as the verification results are remembered for a period of time after the verification is performed. However, that will likely complicate things for renewal, as those verifications may have expired by then.

The ideal solution would be to fix whatever problem prevented all the sites from using the same verification options.

Alternatively you could go ahead and get a second IP address, and put the second certificate on that.

The other option is to just accept that obsolete browsers are obsolete, and decide not to support them…


#7

This might already be clear to you from @jmorahan’s posted explanation, but if you have 200 sites, you can handle that—even for obsolete browser compatibility—with just 2 IP addresses, by getting 2 different certs for 100 names apiece, and then putting one cert on one IP address, and the other cert on the other. In that case clients do not have to say (via SNI) which site they’re looking for, because in any case that site will always be mentioned in the cert that the server sends back.

If you want to support clients that don’t understand SNI, then you do need at least 2 different IP addresses. You can put all of them on the same IP address (indeed, some hosting providers put thousands of sites on the same IP address), but then you’re sure to get this problem with some of the sites from obsolete clients like IE6 on XP.


#8

How many of your sites need to support appallingly insecure and obsolete clients? Is their HTML, JavaScript and TLS configuration (cipher suites, etc.) even capable of it?

If it’s fewer than 101 of them, you could use one IP address, make one “terrible sites” certificate the default, and use SNI with as many certificates as you like for your other sites.

Also, it should be possible to make a Let’s Encrypt client that uses different validation methods for different hostnames. But it might be a little tricky or require some custom code.

Edit (14:15): I wrote “terrible sites” but I meant to write “terrible clients”. I’m sorry.
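An added example, not from this thread or from any of its posters, modelling in Python the behaviour the replies above describe: a client that sends no SNI always receives the IP address’s default certificate, so such a client only gets a matching certificate if the hostname appears in that default certificate’s SAN list, and the 100-name limit sets how many IPs a given list of names needs. The hostnames in the usage are constructed; `live_san_without_sni` is the same check against a real server and needs network access.

```python
import math
import socket
import ssl
from typing import Dict, List, Optional

# Per-certificate name limit quoted in the thread (Let's Encrypt).
MAX_NAMES_PER_CERT = 100

def hostname_matches_san(hostname: str, san_names: List[str]) -> bool:
    """RFC 6125-style check: exact match, or a wildcard covering one leftmost label."""
    host = hostname.lower().rstrip(".")
    for san in san_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]                      # "*.example.com" -> ".example.com"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:        # exactly one label, never the bare domain
                return True
    return False

class VirtualHostIP:
    """One IP address: a default certificate plus certificates selected by SNI."""
    def __init__(self, default_cert: List[str], sni_certs: Optional[Dict[str, List[str]]] = None):
        self.default_cert = default_cert          # SAN list of the cert sent when no SNI arrives
        self.sni_certs = sni_certs or {}          # server_name -> SAN list

    def cert_for(self, sni: Optional[str]) -> List[str]:
        # Clients without SNI (IE on Windows XP) send no name, so they always get the default.
        if sni is None:
            return self.default_cert
        return self.sni_certs.get(sni, self.default_cert)

    def legacy_client_ok(self, requested_host: str) -> bool:
        """True if a non-SNI client visiting requested_host sees a matching certificate."""
        return hostname_matches_san(requested_host, self.cert_for(None))

def ips_needed_for_legacy(names: List[str]) -> int:
    """Without SNI each IP can only vouch for the names in its one default cert."""
    return math.ceil(len(names) / MAX_NAMES_PER_CERT)

def live_san_without_sni(host: str, port: int = 443) -> List[str]:
    """Network check: connect without sending SNI and list the returned certificate's DNS names."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                    # we want the default cert even if it mismatches
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock) as tls:        # no server_hostname= argument, so no SNI is sent
            return [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]
```

Running `live_san_without_sni("www.example.com")` against one of your own hosts shows exactly which names an SNI-less browser would be able to validate on that IP.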


#9

Thank you for all the info, apparently my host was having trouble putting all the sites under one cert so they did multiple certs on the same IP. I’ll send them what you said, though, and see if it helps them

You’re right that it’s probably not worth worrying about. I was considering a redirect for the old browsers, but then I did the math on how many users are affected and it looks like less than 1%.

