Err: Your Connection is not private

Hi.
I have been using Let’s Encrypt since the start of the year. So far so good.
Only that something weird happened today.

I could not access the site (temporarily) due to issue: “Your Connection is not private”.
We have tried to browse the site with different up-to-date browsers: Chrome, Firefox, Opera, Edge, Safari. The issue was the same in all those browsers.

After about 15 mins, the error was gone and till now there has been no issue.

I would like to understand why that error could have happened? Any hints?

PS: the website: https://aesm.mu

My first guess would be your site or server host getting its cables crossed.
Ask them if they know of any network glitch and give them the time you saw the warning.

If you care to post the site url here, you’ll quickly have many people also able to test it for you, all around the globe.

Meanwhile…

The php site in your profile is yours; it is perfectly viewable by me from Asia using Safari on a Mac.

Sure the website: https://aesm.mu

That Aeronautical site is also viewable from here right now too.

And that glimpse of a BN Islander brought back memories of P1 allowing me to land one (as a lowly ppl) in Montego Bay in the 1980s.

What does your host have to say about the glitch?

We can’t speculate much about past events without more information.

On the other hand, https://www.aesm.mu/ (with “www”) is misconfigured right now. While a valid “aesm.mu, www.aesm.mu” certificate still exists, the site is currently using a certificate for “aesm.mu”, so it doesn’t work.

The www should redirect you to the main domain aesm.mu - do you see this behaviour?

I’m not sure why the www is misconfigured? I have it as an alias in the server vhost.
At domain level, www is a CNAME pointing to aesm.mu
Can you tell me more please?

You cannot redirect https://www.aesm.mu to aesm.mu when there is no valid certificate for www.aesm.mu installed.


Ah, that's the issue! Your sentence made it more clear.
There's a loophole in the way I generated the certificate.
Please can you or anyone assist me on the below:

STEPS:

    1. I generated a private key
    2. I then created a CSR file from the key, example below:

        Country Name (2 letter code) [AU]:MU
        State or Province Name (full name) [Some-State]:
        Locality Name (eg, city) :
        Organization Name (eg, company) [Internet Widgits Pty Ltd]:
        Organizational Unit Name (eg, section) :
        Common Name (e.g. server FQDN or YOUR name) :aesm.mu
        Email Address :test@7php.com

    3. I use certbot to then generate the certificate from the CSR file

So I guess the issue is at STEP 2 > Common Name ?

How can I specify all domains: aesm.mu + www.aesm.mu + *.aesm.mu ?

Why don't you use certbot to do the whole job? There is no need to use the openssl tools to create the private key and csr by hand.

Why don’t you use certbot to do the whole job? @bytecamp

  1. I do not want certbot to touch any of my server configurations.
    certbot --[server] certonly still touches the configuration and then does a revert - which I do not want

  2. Also another reason is that I need to regenerate the certificate with the same CSR each time - HKPIN stuff

So how can I improve my initial steps?

You have to create a simple configuration file for openssl to include both domain names as SAN hosts:

RANDFILE = /dev/urandom

[ req ]
default_bits = 2048
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
CN = aesm.mu

[ req_ext ]

subjectAltName = @req_alt_names

[ req_alt_names ]
DNS.1 = aesm.mu
DNS.2 = www.aesm.mu

save this as openssl.conf somewhere.
Then create the CSR:

$ openssl req -new -key privkey.pem -sha256 -reqexts req_ext -config openssl.conf

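As an added example (not from the thread or from certbot), the script below turns bytecamp's recipe into a repeatable, checkable procedure: it reuses one private key, writes the SAN config, builds the CSR, and then verifies that the CSR really lists both names and that its public key (and therefore any pin computed over it) matches the key that was reused. File names under `$WORK` are assumptions.

```shell
#!/bin/sh
# Added example: SAN CSR for aesm.mu + www.aesm.mu from an existing key, with checks.
set -eu

WORK="${WORK:-$(mktemp -d)}"       # assumed working directory
KEY="$WORK/privkey.pem"
CONF="$WORK/openssl.conf"
CSR="$WORK/aesm.csr"

# Generate the key only once; every later CSR reuses it so a pin computed over
# the SubjectPublicKeyInfo stays identical across renewals.
make_key() {
  [ -s "$KEY" ] || openssl genrsa -out "$KEY" 2048 2>/dev/null
}

# Config as in the thread (RANDFILE left out): the SAN list is what browsers match on.
write_conf() {
  cat > "$CONF" <<'EOF'
[ req ]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
CN = aesm.mu
[ req_ext ]
subjectAltName = @req_alt_names
[ req_alt_names ]
DNS.1 = aesm.mu
DNS.2 = www.aesm.mu
EOF
}

make_csr() {
  make_key; write_conf
  openssl req -new -key "$KEY" -sha256 -reqexts req_ext -config "$CONF" -out "$CSR"
}

# Succeeds only if every name given as an argument appears as a DNS SAN in the CSR.
csr_has_sans() {
  sans=$(openssl req -in "$CSR" -noout -text | grep -A1 'Subject Alternative Name' | tail -n1)
  for name in "$@"; do echo "$sans" | grep -q "DNS:$name" || return 1; done
}

# base64(SHA-256(SPKI)) computed from the key and from the CSR; both must agree.
pin_from_key() { openssl pkey -in "$KEY" -pubout -outform DER | openssl dgst -sha256 -binary | openssl base64; }
pin_from_csr() { openssl req -in "$CSR" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 -binary | openssl base64; }
```

Run `make_csr` and then hand `$CSR` to `certbot certonly --csr`; rerunning it for a renewal keeps the same key, so `pin_from_key` does not change.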

For what it's worth, you can use other options like "certbot certonly --webroot" that don't modify the web server configuration at all.

Again, if I let certbot do things, it will generate another private key…etc for the renewal.
But I want to stick with the same key each time so that my HKPIN remains consistent.

And on a personal side of things, I like doing the whole process manually to help me better understand things and concepts. For example this time I learned about the SAN mechanism thanks to @bytecamp - which otherwise I would never have learned if I relied on certbot to do it automatically.

@bytecamp you ROCK!
I have done everything. Please can you check again for www.aesm.mu

To my good satisfaction, HKPINs were not affected at all during the whole process - I took care to use the same key…etc

QUESTION:

I see varying usage of req_extensions = req_ext and req_extensions = v3_req.
I am not sure why each of these versions is used. Any comment on the above for my own learning.

Dude, you have been a real saviour! THANK YOU SO MUCH!!

The right hand side just defines the configuration block in which the extensions should be looked up. The name can be chosen freely, AFAIK. This has to be the same value as the parameter -reqexts in the call to the openssl tool.

@bytecamp 2 last questions:

  1. what's the line RANDFILE = /dev/urandom for?
  2. I noted that a wildcard domain was not allowed in the SAN, e.g: DNS.3 = *.aesm.mu. Is this achievable in another way or just not possible with letsencrypt?

  1. you can leave that out, if you wish
  2. wildcard certificates are currently unavailable via Let’s Encrypt

very interesting and promising.
Thanks for the share @mnordhoff
