I have a domain, texashealthsurgerycenterrockwall.com, that was under another domain’s certificate, surgicalcenterofsandiego.com. I’ve been making new certificates for those domains and then deleting the one that had the group, but sometimes I get a certificate error, sometimes I get the error and the page reloads. Maybe it’s not a problem that I’m seeing this in the SSL Test but I’m still getting an error when I browse.
I thought I deleted using certbot delete --cert-name surgicalcenterofsandiego.com
If you have a lot of domains on the same ip, SNI (Server Name Indication) is required to send the hostname (your domain name) before creating an SSL connection.
But if the browser is an IE / XP, then SNI isn’t supported.
CN=texashealthsurgerycenterrockwall.com
14.02.2019
15.05.2019
expires in 90 days texashealthsurgerycenterrockwall.com,
www.texashealthsurgerycenterrockwall.com - 2 entries
PS: My main project has *.server-daten.de as wildcard certificate, check-your-website.server-daten.de and other customers use this certificate. But there is a second domain sql-und-xml.de. Check that domain via ssllabs -> there is the same, Non-SNI -> *.server-daten.de -> Mismatch.
So it’s a general phenomenon if one ip has a lot of domains with https.
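To reproduce the "Non-SNI" row of the SSL Labs report from the command line, here is an added example script (it is not part of the thread and not the check-your-website tool's code). It fetches the leaf certificate once with SNI and once without, lists the DNS names in its subjectAltName, and reports whether the requested hostname matches, using a single-label wildcard match in the leftmost label as browsers do. It assumes an OpenSSL 1.1.1 or newer binary (for `-noservername` and `x509 -ext`); the hostname given on the command line and the sample SAN text used in the comments are constructed.

```sh
#!/bin/sh
# Added example: compare the certificate a server presents with and without SNI.
# Assumes OpenSSL >= 1.1.1 for `s_client -noservername` and `x509 -ext`.

# Pure helper: read `openssl x509 -noout -ext subjectAltName` text on stdin and
# print one DNS name per line, e.g.
#   "X509v3 Subject Alternative Name:\n    DNS:a.example, DNS:www.a.example"
# becomes "a.example" and "www.a.example".
san_dns_names() {
  tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Pure helper: does hostname $1 match SAN entry $2?
# Exact match (case-insensitive), or a wildcard that replaces exactly one
# leftmost label: "*.example.com" matches "www.example.com" but neither
# "example.com" nor "a.b.example.com".
name_matches() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  case "$pat" in
    '*.'*)
      suffix=${pat#\*.}
      label=${host%%.*}
      rest=${host#*.}
      [ "$host" != "$rest" ] && [ -n "$label" ] && [ "$rest" = "$suffix" ]
      ;;
    *)
      [ "$host" = "$pat" ]
      ;;
  esac
}

# Network helper: print the SAN DNS names of the certificate served for host $1
# on port 443, with SNI ($2 = sni) or without it ($2 = nosni).
served_names() {
  if [ "$2" = "sni" ]; then
    sniopt="-servername $1"
  else
    sniopt="-noservername"
  fi
  printf '' | openssl s_client -connect "$1:443" $sniopt 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName \
    | san_dns_names
}

# Print "host sni: yes|no" and "host nosni: yes|no". A "no" in the nosni
# line is what SSL Labs reports as "Non-SNI -> Mismatch": clients that cannot
# send SNI (old IE on XP, some scanners) get the default virtual host's cert.
check_sni() {
  for mode in sni nosni; do
    ok=no
    for n in $(served_names "$1" "$mode"); do
      if name_matches "$1" "$n"; then ok=yes; fi
    done
    printf '%s %s: %s\n' "$1" "$mode" "$ok"
  done
}

# Usage: sh check_sni.sh texashealthsurgerycenterrockwall.com
if [ -n "${1:-}" ]; then
  check_sni "$1"
fi
```

A "yes" in the sni line and a "no" in the nosni line means the certificate is fine for every SNI-capable browser; only the non-SNI fallback is served another name. Changing which certificate is served without SNI is a matter of which VirtualHost Apache picks as the default for that IP and port, not of the certificate itself.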
Is there anything I can do? My project manager is getting the errors and she’s asking that I find the fix.
I’m using Chrome 72.0.3626.109 and I see the errors until I refresh or the browser redirects. Is it my cache? I’m imagining patients or the folks at the centers are getting the same error, no? Can I make a new certificate and use SNI or have both?
Is it ok to use your check-your-website domain page to check my domains? I’ve done that based on our other discussion.
This isn’t an error. Your project manager should learn the basics of SSL connections.
Earlier, before SNI was deployed, one ip address could only have one certificate. So https connections were limited to banking companies, online shops etc.
Now it’s possible to have one ip with a lot of domains with https. But that requires SNI support.
Without SNI big hosters (one ip, more than 100.000 domains with this ip) couldn’t use https with these 100.000 domains.
Without SNI we would have perhaps 10 - 20 % https connections, not 60 - 70 %.
Currently, it’s only a cache problem. Ssllabs sees the correct certificate.
Yes, I’ve created the tool to make it easier to find configuration errors. And if users use the tool directly, I don’t need to check the domain, I can scan the results.
Thanks for sharing the SNI information. To be honest, I didn’t quite get it either. I’m fairly new to server configuration and host management, my background is in design. I see how that’s making security possible for so many sites now.
Anything I can do to help get rid of that “Your connection is not private” error? I’m a little concerned that visitors to the site are seeing this as well.
I think there’s something odd going on because when I reload I get the valid certificate sometimes and then an expired certificate other times. (And it almost alternates so that the valid certificate often appears, followed by the invalid certificate, followed by the valid certificate.) Could there be some kind of load balancer or CDN involved somehow?
I’m still getting that same error and I cleared everything, shut down and waited a while, then rebooted my laptop.
I’ll try rebooting the server. I have made changes to my configs and usually use a2ensite, a2dissite and then I’ve really only run apache2 reload, so maybe the reload isn’t the same thing as a restart. I’m going to wait until later tonight, I’m on CST, and think I’d feel better if it was ‘after hours’ that I do that restart.
Making sure no apache2 / httpd processes are running and then starting Apache can clean this up.
Reloading is supposed to be enough. Restarting is supposed to kill all old processes.
None of this is supposed to go wrong, but apparently it is.
Stopping Apache and then using ps or whatever to see if there are any Apache processes still running causes downtime but is the simple and easy way to confirm whether that’s the issue.
(If any Apache processes do continue to run, you can kill them.)
To try to avoid downtime, you can restart Apache and then check if any of the processes are old, but that’s slightly more work.
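The "check if any of the processes are old" step above, as an added example script (not from the thread): it lists apache2/httpd worker processes that started before the certificate file was last written, which is exactly the population that could still be serving the old certificate after a reload that did not replace every child. It assumes procps or BSD `ps` with the `etimes` column, GNU or BSD `stat`, and a Let's Encrypt live path that is only a placeholder; pass your real certificate path as the first argument.

```sh
#!/bin/sh
# Added example: find Apache workers older than the certificate they should serve.
# Assumes `ps -o etimes` (procps, BSD ps) and GNU or BSD `stat`.

# Pure helper: stdin carries lines "PID ETIMES" (elapsed seconds); print the
# PIDs whose elapsed time exceeds the limit in $1. Nothing here touches the
# process table, so it can be checked on constructed input.
older_than() {
  awk -v limit="$1" '$2 > limit { print $1 }'
}

# Seconds since file $1 was last modified (GNU stat first, BSD stat fallback).
age_of() {
  now=$(date +%s)
  mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
  echo $((now - mtime))
}

# Print the PIDs of apache2/httpd *children* that started before the
# certificate at $1 was written. The master process (parent pid 1 under
# systemd) is skipped: on a graceful reload it never restarts, so it is always
# older than the file and is not a finding by itself.
stale_workers() {
  cert=${1:-/etc/letsencrypt/live/example.com/fullchain.pem}  # placeholder path
  limit=$(age_of "$cert")
  ps -eo pid=,ppid=,etimes=,comm= \
    | awk '($4 == "apache2" || $4 == "httpd") && $2 != 1 { print $1, $3 }' \
    | older_than "$limit"
}

# Usage: sh stale_workers.sh /etc/letsencrypt/live/<name>/fullchain.pem
# No output after `apachectl graceful` or `service apache2 reload` means every
# worker was replaced; any PID printed is a worker that should not have survived.
if [ -n "${1:-}" ]; then
  stale_workers "$1"
fi
```

Run it right after a reload and, if PIDs appear, again a minute later: a graceful reload lets workers finish their current requests first, so a short-lived survivor is normal, a long-lived one is the problem this thread describes and a full restart is the cure.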
Thanks again guys! I always learn a great amount here. I think the problem has been solved by a service apache2 restart, there was a short pause then the beautiful [OK].
I did some research about ps, definitely need to do more and mess around with my local development setup (I have a Vagrant - Fusion VMWare box pretty close to my production setup).
Hopefully I’m all set for a bit. Have a great day!