Hi.
I have been using Let’s Encrypt since the start of the year. So far so good.
Only that something weird happened today.
I could not access the site (temporarily) due to issue: “Your Connection is not private”.
We have tried to browse the site with different latest (to date) browsers: Chrome, Firefox, Opera, Edge, Safari. The issue was the same in all those browsers.
After about 15 mins the error was gone, and there has been no issue since.
I would like to understand why that error could have happened. Any hints?
My first guess would be your site or server host getting its cables crossed.
Ask them if they know of any network glitch and give them the time you saw the warning.
If you care to post the site url here, you’ll quickly have many people also able to test it for you, all around the globe.
Meanwhile…
The PHP site in your profile is yours; it is perfectly viewable by me from Asia using Safari on a Mac.
We can’t speculate much about past events without more information.
On the other hand, https://www.aesm.mu/ (with “www”) is misconfigured right now. While a valid “aesm.mu, www.aesm.mu” certificate still exists, the site is currently using a certificate for “aesm.mu”, so it doesn’t work.
The www should redirect you to the main domain aesm.mu - do you see this behaviour?
I’m not sure why the www is misconfigured. I have it as an alias in the server vhost.
At domain level, www is a CNAME pointing to aesm.mu
Can you tell me more please?
Ah, that's the issue! Your sentence made it more clear.
There's a loophole in the way I generated the certificate.
Please can you or anyone assist me on the below:
STEPS:
I generated a private key
I then created a CSR file from the key, example below:
Country Name (2 letter code) [AU]:MU
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) :
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :aesm.mu
Email Address :test@7php.com
I use certbot to then generate the certificate from the CSR file
So I guess the issue is at STEP 2 > Common Name?
How can I specify all domains: aesm.mu + www.aesm.mu + *.aesm.mu ?
Why don’t you use certbot to do the whole job? @bytecamp
I do not want certbot to touch any of my server configurations. certbot --[server] certonly still touches the configuration and then does a revert, which I do not want.
Also, another reason is that I need to regenerate the certificate with the same CSR each time: HPKP stuff.
Again, if I let certbot do things, it will generate another private key, etc. for the renewal.
But I want to stick with the same key each time so that my HPKP pin remains consistent.
And on a personal side of things, I like doing the whole process manually to help me better understand things and concepts. For example, this time I learned about the SAN mechanism thanks to @bytecamp, which otherwise I would never have learned if I had relied on certbot to do it automatically.
@bytecamp you ROCK!
I have done everything. Please can you check again for www.aesm.mu
To my great satisfaction, the HPKP pins were not affected at all during the whole process; I took care to use the same key, etc.
QUESTION:
I see varying usage of req_extensions = req_ext and req_extensions = v3_req.
I am not sure why each of these versions is used. Any comment on the above, for my own learning?
Dude, you have been a real saviour! THANK YOU SO MUCH!!
The right-hand side just names the configuration block in which the extensions are looked up. The name can be chosen freely, AFAIK. It has to be the same value as the -reqexts parameter in the call to the openssl tool.
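As an added example (not code from the thread), the procedure the steps above describe, carried through end to end with the points raised in the last two posts: a private key generated once and reused, an openssl config whose `req_extensions` names an arbitrarily named block (`req_ext` here; `v3_req` would work identically) that carries the SAN list for aesm.mu and www.aesm.mu, the CSR built from that key with the matching `-reqexts`, a check that the SANs actually landed in the CSR, and the HPKP pin computed from the key so it can be compared against the pin computed from the issued certificate after each renewal. The domain names, file paths, webroot directory and the certbot invocation (echoed, not run, since issuance needs DNS and a reachable web server) are illustrative assumptions; only openssl is required to run it.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes openssl is installed.
# Domain names, paths and the certbot command line are illustrative.
set -eu

WORK="${WORK:-$(mktemp -d)}"
KEY="$WORK/aesm.mu.key"
CSR="$WORK/aesm.mu.csr"
CNF="$WORK/csr.cnf"

# The [req] section points at an extension block via req_extensions. The block
# name ("req_ext" here, "v3_req" elsewhere) is arbitrary; it only has to match
# what req_extensions, or -reqexts on the command line, refers to.
write_config() {
  cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
req_extensions     = req_ext
prompt             = no

[ dn ]
C  = MU
CN = aesm.mu

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = aesm.mu
DNS.2 = www.aesm.mu
EOF
}

# Generate the private key once; every renewal reuses it, so the pin is stable.
make_key() {
  [ -f "$KEY" ] || openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
}

# Build the CSR from the existing key. -reqexts names the same block as the
# config's req_extensions; giving both is redundant but makes the link explicit.
make_csr() {
  openssl req -new -key "$KEY" -config "$CNF" -reqexts req_ext -out "$CSR"
}

# Print the SAN entries embedded in the CSR: the check that the names made it in.
csr_sans() {
  openssl req -in "$CSR" -noout -text | grep 'DNS:' | sed 's/^ *//'
}

# HPKP pin = base64(sha256(DER-encoded SubjectPublicKeyInfo)).
# Computed from the private key here; the same computation over the issued
# certificate's public key must give the identical string after every renewal.
pin_from_key() {
  openssl pkey -in "$KEY" -pubout -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A
}
pin_from_csr() {
  openssl req -in "$CSR" -pubkey -noout \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary | openssl base64 -A
}

main() {
  write_config
  make_key
  make_csr
  echo "SANs in CSR:    $(csr_sans)"
  echo "HPKP pin (key): $(pin_from_key)"
  echo "HPKP pin (CSR): $(pin_from_csr)"
  # Issue or renew with the same CSR each time. Not run here; certbot writes
  # only the files named below and never touches the server config.
  echo "certbot certonly --webroot -w /var/www/html --csr $CSR" \
       "--cert-path $WORK/cert.pem --chain-path $WORK/chain.pem --fullchain-path $WORK/fullchain.pem"
}

main "$@"
```

Because the CSR carries the public key, the pin derived from the CSR equals the pin derived from the private key; after issuance, `openssl x509 -in cert.pem -pubkey -noout` fed through the same `pkey | dgst | base64` pipeline is the value to compare against the pin-sha256 in the Public-Key-Pins header.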
I noted that a wildcard domain was not allowed in the SAN, e.g. DNS.3 = *.aesm.mu. Is this achievable in another way, or just not possible with Let’s Encrypt?