Invalid Security Certificate


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
patriotcreations.works

I ran this command:
nslookup

It produced this output:

Name: wolfnet.myds.me
Addresses: 2601:284:100:3240:211:32ff:fe8b:3565
76.120.8.16
Aliases: www.patriotcreations.works

My web server is (include version):
apache 2.4 php 7

The operating system my web server runs on is (include version):
linux synology dsm 6.2 on synology 918+

My hosting provider, if applicable, is:
in house

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
synology web station

Hello,
I’ve been trying to get a certificate to work for a few days. Let me explain the setup. My domain patriotcreations.works is configured using a CNAME pointing to a Synology DDNS host, wolfnet.myds.me. Everything works correctly: the website, phpMyAdmin, WordPress, etc. I have a certificate for the DDNS host wolfnet.myds.me and the certificate works correctly on the DDNS host.


I have set up virtual hosts and discovered that they are automatically added to the certificate. I can see the domains in the certificate but they don’t work correctly.

The problem is I get invalid certificate when I try to use https from my domain. I have done a lot of research and cannot find what the issue is.

In Firefox I get this message.

ds.patriotcreations.works uses an invalid security certificate.

The certificate is only valid for wolfnet.myds.me

SSL_ERROR_BAD_CERT_DOMAIN

Microsoft Explorer and Edge give a similar message but give the error code
DLG_FLAGS_SEC_CERT_CN_INVALID

Any help would be appreciated.


#2

Hi @Vornek

Can you please try to add the hostname (www.patriotcreations.works) to your Synology station and apply for a certificate for it? (There is no known certificate that contains this hostname, which means no certificate has been issued.)

Thank you


#3

IPv6 fails to connect…


#4

stevenzhu, please explain what you mean by add the hostname. If you look at the screen shot you will see that www.patriotcreations.works is included in that certificate. I have attempted to apply for a certificate for the domain but it fails with this error which I am assuming is due to the fact that it is included in the current certificate.

2018-07-22T20:26:26-06:00 WolfnetNAS synoscgi_SYNO.Core.Certificate.LetsEncrypt_1_create[6133]: certificate.cpp:1392 Failed to create Let’sEncrypt certificate. [200][challenge: unexpect httpcode.]

rg305, could you please elaborate on what you mean by IPV6 fails to connect as to what that means and possible resolutions. Thanks


#5

Hi,

Sure it is… But that screen means the certificate will be used in incoming requests toward these (the list) of domain names (hostnames)…
However, the certificate you have (obtained), only includes the wolfnet.myds.me host.

https://crt.sh/?q=www.patriotcreations.works
https://crt.sh/?q=wolfnet.myds.me

You still need to request a certificate for www.patriotcreations.works on Synology…

Thank you
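
The mismatch discussed in posts #1 to #5, as an added example that is not part of any post in this thread: a client checks the name that was typed against the certificate's SAN list, and a CNAME to a covered host does not change that name. The SAN list and site names below are constructed from what the thread reports; the function names are hypothetical.

```python
# Added example. Sample data is constructed from the names quoted in the thread.

def _labels(name):
    """Lower-case DNS labels, ignoring a trailing root dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(hostname, san):
    """RFC 6125-style match: exact labels, or '*' as the whole left-most label."""
    h, s = _labels(hostname), _labels(san)
    if len(h) != len(s):
        return False              # a wildcard never spans more than one label
    if s[0] == "*":
        # Refuse wildcards directly under a TLD such as "*.works".
        return len(s) >= 3 and h[1:] == s[1:]
    return h == s

def check_names(requested, cert_sans):
    """Map every name clients will type to the SAN that covers it, or None."""
    return {
        host: next((s for s in cert_sans if san_matches(host, s)), None)
        for host in requested
    }

def missing_names(requested, cert_sans):
    """Names that would trigger a bad-domain error with this certificate."""
    return sorted(h for h, m in check_names(requested, cert_sans).items() if m is None)

# Constructed sample: the issued certificate covers only the DDNS host.
ISSUED_SANS = ["wolfnet.myds.me"]
SITE_NAMES = ["wolfnet.myds.me", "www.patriotcreations.works", "ds.patriotcreations.works"]

if __name__ == "__main__":
    for host, match in check_names(SITE_NAMES, ISSUED_SANS).items():
        status = f"covered by {match}" if match else "NOT COVERED (SSL_ERROR_BAD_CERT_DOMAIN)"
        print(f"{host:30} {status}")
```
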


#6

That means if you connect to your domain under ipv6, the website will not connect.

Take a look: https://letsdebug.net/www.patriotcreations.works/2779

If it truly failed to connect, you will need to remove the IPv6 address or fix it before requesting any certificate, since Let’s Encrypt prefers IPv6 over IPv4 and doesn’t allow fallbacks.

Thank you


#7

OK. That helps. Thanks for the information. I might know why. I don’t think I have an AAAA record, but I use Network Solutions as my registrar and they don’t have a direct option to edit AAAA records. I have to email them with a request. I don’t even have an A record. All I actually have is CNAME records. I don’t have a lot of experience using DDNS services. I use Synology’s DDNS service and I haven’t been able to find out an IP or DNS configuration for using Synology’s DDNS. I have been researching whether I need an A record or need to point the DNS to Synology, and how that will affect pointing my domain to the DDNS. But so far my searches haven’t come up with information.


#8

Well, that means you will need to edit your AAAA record on the DDNS instead of editing it in Network Solutions…

Or, even better, fix your server to make the DDNS IPv6 work… Since IPv6 on Comcast doesn’t have any restrictions… (unlike some other ISPs who block port 80 on all IPs)

Thank you

P.S. For Comcast, IPv6 addresses are changed without notice (since we are actually being allotted an IPv6 subnet instead of single IPv6 addresses). (They will even change without rebooting your router.) You might need to make a script to check your server’s IPv6 address and constantly update it…
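
One way to write the address check suggested in the P.S. above, as an added example that is not part of the post: it compares the host's stable global IPv6 address with the published AAAA value and reports when an update is needed. It assumes the Linux `ip -6 -o addr show` output format; the sample output is constructed, the function names are hypothetical, and the provider-specific DDNS update call is not shown.

```python
# Added example. SAMPLE_IP_OUTPUT is constructed, not captured from the NAS.
import ipaddress
import re

SAMPLE_IP_OUTPUT = """\
1: lo    inet6 ::1/128 scope host \\       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8:1:2:a5c3:91ff:1e02:7b44/64 scope global temporary dynamic \\       valid_lft 600sec preferred_lft 300sec
2: eth0    inet6 2001:db8:1:2:211:32ff:fe8b:3565/64 scope global dynamic mngtmpaddr \\       valid_lft 345599sec preferred_lft 345599sec
2: eth0    inet6 2601:284:100:3240:211:32ff:fe8b:3565/64 scope global deprecated dynamic \\       valid_lft 900sec preferred_lft 0sec
2: eth0    inet6 fe80::211:32ff:fe8b:3565/64 scope link \\       valid_lft forever preferred_lft forever
"""

# Addresses with these flags must not be published in DNS.
SKIP_FLAGS = {"temporary", "deprecated", "tentative", "dadfailed"}
LINE = re.compile(r"inet6\s+(\S+)/\d+\s+scope\s+(\w+)\s*([^\\]*)")

def stable_global_addresses(ip_output):
    """Global-scope addresses that are neither privacy, deprecated nor unverified."""
    found = []
    for line in ip_output.splitlines():
        m = LINE.search(line)
        if not m or m.group(2) != "global":
            continue                      # skips loopback and link-local
        if SKIP_FLAGS & set(m.group(3).split()):
            continue                      # skips the old prefix once it is deprecated
        found.append(ipaddress.IPv6Address(m.group(1)))
    return found

def aaaa_drift(ip_output, published_aaaa):
    """Return ('ok', addr), ('update', new_addr) or ('no-ipv6', None)."""
    current = stable_global_addresses(ip_output)
    if not current:
        return ("no-ipv6", None)          # safer to withdraw the AAAA record
    published = ipaddress.IPv6Address(published_aaaa)
    if published in current:
        return ("ok", str(published))
    return ("update", str(current[0]))

if __name__ == "__main__":
    # The published record still points at the prefix that was just deprecated.
    print(aaaa_drift(SAMPLE_IP_OUTPUT, "2601:284:100:3240:211:32ff:fe8b:3565"))
```
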


#9

Yeah. Thanks for the information. I haven’t installed the dns package yet but that might be an option to fix that issue. I will do some research. Thanks


#10

I just disabled IPv6 for now, which works. Though it doesn’t work for the domain without a subdomain because it doesn’t have an A record, which I am not sure how to resolve. I saw something about IPv6 tunneling and may look into that as a possible solution to get IPv6 working later.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.