Issue with secure call to other website

Hi there,

I have a very strange issue. I provide a js code to my customers that creates a secure form on their pages to post to my server. All works fine, but my SSL is about to expire so I got one from Let’s Encrypt (thank you). Once I install it the form stops working on customers’ sites that are using Let’s Encrypt certificates as well. All others are working fine. If I revert my server to use my “old” certificate all is back to normal. What it looks like is that the customer site is trying to use their Let’s Encrypt certificate and hence being rejected. I just ran the page in question against whynopadlock.com and it shows the following error:

Secure calls made to other websites:
s3.amazonaws.com is valid and secure.

MYSITE.com SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: no certificate subject alternative name matches

fonts.googleapis.com is valid and secure.

As I said when I return to my “old” SSL I’m getting

Secure calls made to other websites:
s3.amazonaws.com is valid and secure.

MYSITE.com is valid and secure.

fonts.googleapis.com is valid and secure.

Any help here is highly appreciated. Thank you!

~D

Hi @oslik, maybe you can tell us the domain name in question and an example customer site?

For certificate issues in particular, you can get a more detailed report from https://www.ssllabs.com/ (the whynopadlock site is great on mixed content issues but less detailed on certificate and cryptographic issues). It could be that you failed to set the intermediate cert which confirms that Let’s Encrypt itself is a trusted CA (which calls for using either chain.pem or fullchain.pem if you used Certbot).

Thank you, @schoen. I prefer not to share site details for privacy reasons. Hope you understand.
The Let’s Encrypt SSL itself is set up correctly. When I go directly to MYSITE.COM there is no issue and the SSL is in place etc.
It is just getting confused when two Let’s Encrypt SSLs are used on the same page, if that makes sense. Thank you!

~D

I’m sorry to say I don’t think we’ll be able to diagnose this easily without looking at it ourselves.

I do suggest running the SSL Labs test on both sites (you can indicate that it shouldn’t list them publicly). If there’s any certificate-related problem, it should be able to identify that for you.

Hi Seth,

Thanks again. But as I said I reverted back to the “old” SSL so my customers are not impacted, so even if I share you’ll see pretty much nothing there. Let me try SSL Labs when I have a moment to put the Let’s Encrypt SSL back for a few.

Any other ideas appreciated.

~D

Hi oslik,

Are you using some kind of HTTP public key pinning mechanism?

The symptoms you are describing make me suspicious that there is some affinity between your current cert and your domain.

Does the script that you provide to customers verify the certificate in any way?

Is this issue happening for all your customers or just some?

Any chance you can provide us your domain name so we can perform testing?

Andrei

So, thank you all for attempting to help. I finally got it to a resolution. My script calls “https://mysite.com”. Let’s Encrypt does not secure it, only “www.mysite.com”. I changed the call in my script to be “https://www.mysite.com” and everything works just fine. The old certificate was securing both www.mysite.com and mysite.com so it was not an issue with how I call it. Is that a bug with Let’s Encrypt? I thought it should secure both, but apparently not.

~D

@oslik, the inclusion of the www. form in your cert isn’t automatic, but has to be explicitly requested. The way of requesting it depends on the software that you used to get the certificate.

@schoen the issue is the reverse. I have www. secured. When I do script src=“https://mysite.com/registration/form” it fails. The moment I change it to src=“https://www.mysite.com/registration/form” all is good. So, it looks like mysite.com is not secured, but www.mysite.com is.

I didn’t use any software to generate it. Just regular CSR and sslforfree.com. Thank you.

~D

I guess your CSR didn’t include the non-www form, in that case.

Don’t think that’s the case. I used the same CSR for my previous cert…

~D

Well, I’m happy to take a look at it if you can share the CSR and the actual domain name.

Thanks. Is there a way I can send it to you, without publishing here?

~D

Hi @oslik,

What is the actual error message you are getting? This is an indicator of what is not working with TLS.

If it is: ERROR: no certificate subject alternative name matches, then it’s definitely the way you have set up the CSR.

Can you run both your sites (with the new cert installed) through SSL Labs and paste the section below?

Andrei
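As an added illustration of the resolution above (the new certificate covering only www.mysite.com while the script called the bare domain) and of what the "no certificate subject alternative name matches" error means, here is an example script that is not part of this thread: it applies RFC 6125 dNSName matching to constructed SAN lists that stand in for the old and new certificates and reports which script URLs each would cover. The SAN lists and URLs are assumed sample values, since the real names were never shared.

```python
"""Check whether a certificate's SAN entries cover the hosts a script src loads.

Constructed sample data (not from the thread): the "old" cert listed both
names, the Let's Encrypt cert was issued from a CSR naming only www.
Browsers ignore the CN and require a SAN match, so the bare domain fails.

To request both names in one CSR with OpenSSL 1.1.1+ (apex and www):
  openssl req -new -newkey rsa:2048 -nodes -keyout key.pem -out csr.pem \
    -subj "/CN=mysite.com" -addext "subjectAltName=DNS:mysite.com,DNS:www.mysite.com"
  openssl req -in csr.pem -noout -text | grep -A1 "Subject Alternative Name"
"""
from urllib.parse import urlparse

OLD_CERT_SANS = ["mysite.com", "www.mysite.com"]   # constructed: old certificate
NEW_CERT_SANS = ["www.mysite.com"]                 # constructed: cert from the www-only CSR

SCRIPT_URLS = [                                    # constructed script src values
    "https://mysite.com/registration/form",
    "https://www.mysite.com/registration/form",
]


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """True if one dNSName SAN entry covers hostname (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # A wildcard is only valid as the whole leftmost label, e.g. *.mysite.com
    first, _, rest = pattern.partition(".")
    if first != "*" or "*" in rest or not rest:
        return False
    host_first, _, host_rest = hostname.partition(".")
    # The wildcard matches exactly one label: *.mysite.com does NOT cover mysite.com
    return bool(host_first) and host_rest == rest


def covered_by(sans, hostname):
    """True if any SAN entry in the certificate matches hostname."""
    return any(dns_name_matches(p, hostname) for p in sans)


def check_script_urls(sans, urls):
    """Map each URL to whether the cert's SANs cover its host; False is the
    case a checker reports as 'no certificate subject alternative name matches'."""
    return {url: covered_by(sans, urlparse(url).hostname) for url in urls}


if __name__ == "__main__":
    for label, sans in (("old cert", OLD_CERT_SANS), ("Let's Encrypt cert", NEW_CERT_SANS)):
        for url, ok in check_script_urls(sans, SCRIPT_URLS).items():
            print(f"{label}: {url} -> {'ok' if ok else 'no SAN matches'}")
```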
