Domain considered unsafe?

I'm using Heroku ACM and received an email that my domain (multiplexhomes.com) is considered unsafe.

Not sure why, it's intended to be a real estate website but hasn't been launched yet.

2 Likes

Your domain isn't configured to run HTTPS correctly. I don't see any certificate, and there are TLS errors early on. You'll need to reconfigure the HTTPS, and you should probably redirect http traffic to https as well.

The "unsafe" bit is just that some automated system picking up the site is http only and https is broken. It has nothing to do with the content or domain name, just the configuration.

2 Likes

ERR_SSL_UNRECOGNIZED_NAME_ALERT, cool, an error I haven't seen before!

The TLS actually does work for the apex domain (i.e.: without the www subdomain). Could this be a situation where the webserver refuses to do TLS when it encounters a certain hostname in the SNI extension and it doesn't like that hostname?

2 Likes

I haven't seen that either. When I put it in curl, it showed the error was early on and I had the same thought as you. I've never seen a server respond like this though.

	iPod:~ jvanasco$ curl -vvv https://www.multiplexhomes.com
	*   Trying 54.209.91.188:443...
	* TCP_NODELAY set
	* Connected to www.multiplexhomes.com (54.209.91.188) port 443 (#0)
	* ALPN, offering h2
	* ALPN, offering http/1.1
	* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
	* successfully set certificate verify locations:
	*   CAfile: /Applications/MAMP/Library/OpenSSL/cert.pem
	  CApath: none
	* TLSv1.2 (OUT), TLS header, Certificate Status (22):
	* TLSv1.2 (OUT), TLS handshake, Client hello (1):
	* TLSv1.2 (IN), TLS header, Unknown (21):
	* TLSv1.2 (IN), TLS alert, unrecognized name (624):
	* error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name
	* Closing connection 0
	curl: (35) error:14077458:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 unrecognized name

2 Likes

Hmm, no, no SNI issue. If you use the -servername option to force the apex domain when connecting to the www subdomain, you'll get the same error. However, I did notice a difference between the two:

	osiris@erazer ~ $ dig multiplexhomes.com

	; <<>> DiG 9.16.12 <<>> multiplexhomes.com
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49
	;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 512
	;; QUESTION SECTION:
	;multiplexhomes.com.		IN	A

	;; ANSWER SECTION:
	multiplexhomes.com.	3600	IN	A	18.235.13.77

	;; Query time: 24 msec
	;; SERVER: 194.109.6.66#53(194.109.6.66)
	;; WHEN: Tue Aug 10 22:25:11 CEST 2021
	;; MSG SIZE  rcvd: 63

	osiris@erazer ~ $ dig www.multiplexhomes.com

	; <<>> DiG 9.16.12 <<>> www.multiplexhomes.com
	;; global options: +cmd
	;; Got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34614
	;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

	;; OPT PSEUDOSECTION:
	; EDNS: version: 0, flags:; udp: 512
	;; QUESTION SECTION:
	;www.multiplexhomes.com.		IN	A

	;; ANSWER SECTION:
	www.multiplexhomes.com.	3504	IN	CNAME	flat-fortress-hswxvageys4rh08nps16al97.herokudns.com.
	flat-fortress-hswxvageys4rh08nps16al97.herokudns.com. 1	IN A 75.101.184.39
	flat-fortress-hswxvageys4rh08nps16al97.herokudns.com. 1	IN A 54.204.238.15
	flat-fortress-hswxvageys4rh08nps16al97.herokudns.com. 1	IN A 54.221.251.148
	flat-fortress-hswxvageys4rh08nps16al97.herokudns.com. 1	IN A 54.209.91.188

	;; Query time: 25 msec
	;; SERVER: 194.109.6.66#53(194.109.6.66)
	;; WHEN: Tue Aug 10 22:24:53 CEST 2021
	;; MSG SIZE  rcvd: 178

	osiris@erazer ~ $ 

Entirely different IP addresses.

3 Likes
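The two diagnostics in the replies above (reading the TLS alert out of the curl transcript, and noticing that the apex and www names resolve to disjoint addresses) can be scripted. This is an added example, not code from anyone in the thread; the function names are mine, and the decoding assumes curl's convention of printing the alert number as (level << 8) | description, which is why the transcript shows 624 for a fatal unrecognized_name alert. The probe_sni helper needs network access and replays the -servername experiment; the sample inputs are constructed from the curl and dig output posted here.

```python
import re
import socket
import ssl
from typing import List, Optional, Tuple

# AlertLevel / AlertDescription values from RFC 5246 and RFC 6066 (SNI)
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {40: "handshake_failure", 46: "certificate_unknown", 112: "unrecognized_name"}

def decode_curl_alert(lines: List[str]) -> Optional[Tuple[str, str]]:
    """Pick the 'TLS alert, <name> (N)' line out of curl -v output. curl prints N as
    (level << 8) | description: the thread's (624) is 0x0270, fatal/unrecognized_name."""
    for line in lines:
        m = re.search(r"TLS alert, .+? \((\d+)\):", line)
        if m:
            code = int(m.group(1))
            level, desc = code >> 8, code & 0xFF
            return ALERT_LEVEL.get(level, str(level)), ALERT_DESC.get(desc, str(desc))
    return None

def shares_address(apex_ips: List[str], www_ips: List[str]) -> bool:
    """True if apex and www resolve to at least one common address. Disjoint sets
    (as in the dig output) mean two different front ends answer, so a working
    apex says nothing about www."""
    return bool(set(apex_ips) & set(www_ips))

def probe_sni(connect_host: str, sni: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (needs network): connect to connect_host but send `sni` in the
    ClientHello, like openssl s_client -servername. Certificate verification is
    off on purpose: the question is only whether this SNI is accepted at all."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((connect_host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                return f"accepted ({tls.version()})"
    except ssl.SSLError as e:
        return f"rejected: {e.reason or e}"
    except OSError as e:
        return f"no connection: {e}"

if __name__ == "__main__":
    # Constructed sample: the two alert lines from the curl transcript in the thread.
    curl_lines = ["* TLSv1.2 (IN), TLS header, Unknown (21):",
                  "* TLSv1.2 (IN), TLS alert, unrecognized name (624):"]
    print(decode_curl_alert(curl_lines))
    # Constructed from the dig answers: apex A record vs the www CNAME target's A records.
    print(shares_address(["18.235.13.77"],
                         ["75.101.184.39", "54.204.238.15", "54.221.251.148", "54.209.91.188"]))
```

Running probe_sni against the www address with the apex name as SNI, and vice versa, tells you whether the refusal is tied to the name or to the host, which is the distinction the thread was trying to make.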

Thanks everyone - we use nakedssl for domain redirection since Heroku doesn't support it. This is something we do commonly, nothing out of the ordinary. That's the reason the naked domain resolves to a different IP address.

2 Likes

Update, it's fine now. I deleted the domain in Heroku and added it again. Must have been a glitch with Heroku ACM.

3 Likes

FYI, you can do the domain redirection on cloudflare with a page rule too. I think you get 3 page rules per domain on their free plan.

2 Likes
