Incorrect certificate because this client doesn't support SNI

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:dgcm.it

I ran this command:all commands from step by step:

It produced this output:
Congratulations! You have successfully enabled https://dgcm.it
You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=dgcm.it

My web server is (include version): Apache/2.4.18 (Ubuntu)

The operating system my web server runs on is (include version):Ubuntu 16

My hosting provider, if applicable, is:ovh

I can login to a root shell on my machine (yes or no, or I don’t know):yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):certbot 0.31.0

Hi there all,
there is some weeks that my site certificate is not work.
Google Chrome give me in english something like: the connection to this site is not protected.

I reinstall all new thinks step-by-step from the site:

But if I go to https://www.ssllabs.com/ssltest/ to test the site I take some errors like:
Incorrect certificate because this client doesn’t support SNI
Alternative names - INVALID
Trusted No NOT TRUSTED
[IE 8 / XP] Server sent fatal alert: handshake_failure
…etc…

Can anybody please help me ?
Thanks a lot
Denis

Hi @denisj

there are some checks of your domain - https://check-your-website.server-daten.de/?q=dgcm.it

Your non-www works

your www not. Reason:

Your certificate

CN=dgcm.it
	13.05.2019
	11.08.2019
expires in 90 days	dgcm.it - 1 entry

has only one domain name, the www version is missing. So create one certificate with both domain names and use that.

Typical

-d www.dgcm.it -d dgcm.it

and all other parameter.

The second problem - it's simple: Ignore it.

Do you have an own ip? If not, this ip is shared, so a lot of domains use the same ip. That requires SNI support. Browsers without SNI are too old, nobody should use XP and IE6 to visit websites.

The server-daten.de domain uses a wildcard certificate. There are some other domains. If I check one of these other domains via Ssllabs, there is the same message: "Wrong certificate", because browsers without SNI see the server-daten.de certificate.

So this "problem" isn't really a problem.

Dear Juergen,
thanks a lot for your help.

I have missing the "ServerAlias www.dgcm.it" in my apache2 conf file
and now I add it. It was "ServerAlias *.dgcm.it"
Then I make also a certificate for the www.dgcm.it ... and all was ok.

I must wait in order to make this efect please ?
I ask because when i go to www.dgcm.it I still have an error on chrome.
And the site https://check-your-website.server-daten.de/?q=dgcm.it still give me error like:
Certificate error: RemoteCertificateNameMismatch

Thanks a lot again
Denis

You have to recheck the domain.

I've created the last check - 13.05.2019 20:58:53 - didn't see you have already tested the domain.

I will work more tomorow morning… maybe something will change.
For now thanks a lot for your help
Denis

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.