Let's Encrypt cert says OK but next in path www.****.com says expired

Please fill out the fields below so we can help you better.
We have Office 365/SharePoint but our web site is hosted at Wix.
MS says it’s not their problem
My domain is:
www.critical2u.com but the problem is with Outlook on our office 365 account. Outlook now shows security alerts for it.
I ran this command:
MMC and found the Let's Encrypt cert
It produced this output:
It has the offending cert (www.critical2u.com) nested under: DST Root CA X3>Let’s Encrypt Authority X3>www.critical2u.com.
My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:
Wix
I can login to a root shell on my machine (yes or no, or I don’t know):
no
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

Hi @pjespersen,

You’re saying that Outlook currently says that your certificate for www.critical2u.com is invalid? Would you be able to share a screenshot of the error message that you get in Outlook for this certificate?


Hi!

This is a real strange one for me.
I’m attaching a couple of shots of the security warning and some of the cert info:

It was issued by Let’s Encrypt Authority X3 to www.critical2u.com on 4/25/17 and expired 7/24/17.
Whenever we start Outlook now we get that Security alert about the cert.
We can still use Outlook but I just ran into an issue with setting up an iPhone where it refused to connect to the server because of the cert expiration.
I have no idea who to get to update it or if I can safely remove it.

Peter

critical2u.com and www.critical2u.com are separate domain names and—most importantly here—separate server certificate bindings.

Your certificate covers both and has been successfully renewed. However, the www.critical2u.com server binding is using the renewed certificate, while the critical2u.com server binding is still using the old expired certificate.

You can see this in a browser by checking the difference between

https://www.critical2u.com/
https://critical2u.com/

If the second one works for you, you might be getting tricked by a Chrome feature that automatically tries the www form of a site if there is an error with the non-www form. This has made site availability a lot better, but hidden a lot of configuration errors that might otherwise be noticed!


How do I get critical2u.com to use the renewed certificate?

Well, you left these two blank:

If Wix is handling obtaining and installing certificates for you, then it would be their responsibility. If there's some other way that you install certificates, you'll have to tell us what that is. :slight_smile:


Ya I left those blank due to a severe case of lackaknowledge. It’s a terrible disease. :slight_smile:
I’ve gone to Wix and they say it ain’t their problem, and Microsoft told me to talk to you guys.
LOL! No I haven’t installed any. MS handles our email and storage and Wix does the Web thing.
I have no idea where this came from. UG!
Appreciate your help, Thanks!

I’m sorry about the run-around—I know I’ve gotten that from customer service people before! It really does need to be handled by Wix or whoever else is responsible for your web server (see below). Here’s what the server is showing right now, including the discrepancy:

$ openssl s_client -connect critical2u.com:443 -servername critical2u.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.critical2u.com
verify error:num=10:certificate has expired
notAfter=Jul 24 15:12:00 2017 GMT
verify return:1
depth=0 CN = www.critical2u.com
notAfter=Jul 24 15:12:00 2017 GMT
verify return:1
---
Certificate chain
 0 s:/CN=www.critical2u.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
$ openssl s_client -connect www.critical2u.com:443 -servername www.critical2u.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.critical2u.com
verify return:1
---
Certificate chain
 0 s:/CN=www.critical2u.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

That means that we gave you a new certificate for both names—you can also see it here.

https://crt.sh/?id=163963593

This new certificate, which we gave you on June 28, is capable of covering both names (critical2u.com and www.critical2u.com), as can be seen from the “DNS:” items in the X509v3 Subject Alternative Name section, which states which domain names are covered by a certificate. But the server, when accessed as critical2u.com (which we don’t control and Wix does; see the other post below), is returning a different certificate from www.critical2u.com. The former is returning the old, already-expired certificate

https://crt.sh/?id=128649148

while the latter is returning the new one. Only the server administrator can change the server’s behavior to remove this discrepancy!

Hey, the plot thickens!

Your servers for these two names are actually physically separate web servers which are hosted by different people. That might explain part of the run-around.

The (broken) critical2u.com server is at 23.236.62.147 and is not run by Wix, while the (working) www.critical2u.com server is at a bunch of Amazon IP addresses which I think are used by Wix. So in fact, the responsible parties for these two parts of your service are different!

Edit: The 23.236.62.147 address which is the broken server (using the old, expired certificate) is hosted at Google Cloud Services, but it could be hosted there by some other company which is providing services to you. So in order to learn who it is who’s responsible for this (I guess it’s not actually Wix after all, due to the discrepancy between hosting for the two names), we need to know why the name critical2u.com is pointed at this IP address and what company or entity that you have a relationship with operates that server or told you to point the domain name to that address.

Edit: The plot thickens again. I looked up a number of other web sites that are also using 23.236.62.147, and it looks like all of them are hosted by Wix. Therefore, this address might actually be run by Wix or by some business partner of theirs. Maybe you can ask Wix if the server in question is run by them. That is the server that needs to be updated with the new certificate. :slight_smile:

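An added example, not from this thread or from Let's Encrypt: a small Python check that does what the two openssl commands above do by hand, connecting to each name with that name as SNI and reporting bindings that fail verification, don't cover the requested name, or serve a different leaf certificate from the others. The SAMPLE data is constructed to mirror the thread's findings (placeholder serial, constructed dates); only the `__main__` block touches the network.

```python
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Binding:
    """What one hostname actually served during a TLS handshake."""
    host: str
    serial: Optional[str]      # leaf certificate serial, if verification passed
    not_after: Optional[str]   # leaf notAfter as reported by ssl.getpeercert()
    names: Tuple[str, ...]     # DNS entries of the Subject Alternative Name
    error: Optional[str]       # OpenSSL verify message, e.g. "certificate has expired"

def fetch_binding(host: str, port: int = 443, timeout: float = 5.0) -> Binding:
    """Connect with SNI set to `host` (live network; not used by SAMPLE below)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return Binding(host, None, None, (), exc.verify_message)
    names = tuple(v for k, v in cert.get("subjectAltName", ()) if k == "DNS")
    return Binding(host, cert["serialNumber"], cert["notAfter"], names, None)

def audit(bindings: List[Binding]) -> List[str]:
    """Findings: failed verification, a certificate that does not cover the
    name it was served for, and bindings serving different leaf certificates
    (the stale-binding case in this thread)."""
    findings = []
    for b in bindings:
        if b.error:
            findings.append(f"{b.host}: verification failed: {b.error}")
        elif b.host not in b.names:
            findings.append(f"{b.host}: served certificate does not cover this name")
    serials = {b.serial for b in bindings if b.serial}
    if len(serials) > 1:
        findings.append("bindings serve different certificates: " + ", ".join(sorted(serials)))
    return findings

# Constructed sample mirroring the thread: the bare name still serves the expired
# certificate, the www name serves the renewed one (serial and date are made up).
SAMPLE = [
    Binding("critical2u.com", None, None, (), "certificate has expired"),
    Binding("www.critical2u.com", "PLACEHOLDER_SERIAL", "Sep 26 15:12:00 2017 GMT",
            ("critical2u.com", "www.critical2u.com"), None),
]

if __name__ == "__main__":
    import sys
    hosts = sys.argv[1:] or ["critical2u.com", "www.critical2u.com"]
    for line in audit([fetch_binding(h) for h in hosts]) or ["no discrepancies found"]:
        print(line)
```

Run it with every hostname that should share the certificate; a clean result means every binding verified, covered its own name, and served the same leaf.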

SWEET!
Thanks for the great detective work!
I’m going to harass Wix tomorrow. I’ll let you know what they say.

hi @pjespersen

I think you missed out an important piece of the puzzle: how and by whom was the original certificate obtained?

Certificates don’t just magically appear out of thin air so someone had to use a client to request the certificate and install it on your OS.

When you say MMC do you have remote desktop access to your server and if so who else has remote access?

The second challenge is that someone has asked for a newer certificate for your domain and has passed the challenge successfully (the certificate that @schoen mentions above).

This means they are running a client on your server that is able to prove that they own the domain. You need to get to the bottom of this fairly quickly, as it seems someone has set up automation for you but hasn’t told you.

Another thing to check is the task scheduler, to see if there are any tasks around certificate renewals.

This might tell you that there is a client installed on your server, and that client may not be configured correctly to update the certificate in the SSL store.

Andrei
