Let's Encrypt Valid certificate error in Ezoic <!-- x509: cannot validate certificate for xxx.xxx.xx.xxx because it doesn't contain any IP SANs -->

My domain is: foodsreborn.com

My web server is (include version): nginx/1.21.2

The operating system my web server runs on is (include version): Ubuntu 20.04.3 LTS

My hosting provider, if applicable, is: UpCloud

I can log in to a root shell on my machine (yes or no, or I don't know): Yes.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.18.0

Hi all,

I have successfully set up my domain SSL certificate via certbot and its Cloudflare plugin (dns-cloudflare). I obtained SSL for the root domain and wildcard (for domain.com and *.domain.com). This certificate expires on 2021-11-23.

I use the Ezoic advertising network. They are working as a proxy for my site (Cloudflare>Ezoic>Mysite).

In Cloudflare, I use the "Strict" option for SSL certificates.

When I use their SSL settings, SSL Type as "Strict", it shows the following error in HTML source.

<!-- x509: cannot validate certificate for xxx.xxx.xxx.xxx because it doesn't contain any IP SANs -->

However, if I use SSL Type as "Full" there is no issue. In Ezoic SSL full mode, Ezoic does not verify the validity of the SSL certificate.

As per Ezoic support, if I want to use the strict option I have to use a "fully valid SSL certificate and in keeping with all regulations."

How do I fix this issue?
Is there any way to manually verify the Let's Encrypt certificate's validity?

1 Like

Welcome to the Let's Encrypt Community :slightly_smiling_face:

Let's Encrypt only issues domain validated (DV) certificates, which can only contain domain names (and thus not IP addresses) in the set of subject alternative names (SANs).

If you are trying to access your website through Cloudflare using its IP address rather than its domain name and are using the Full (strict) SSL option, which does verify the certificate received from your origin webserver, you will rightfully receive an error because your certificate does not contain your website's IP address in its SAN set. If instead you are using the Full SSL option, which does not verify the certificate received from your origin webserver, you will not receive an error.


2 Likes

You can find the SANs of your recent certificate under X509v3 Subject Alternative Name here:

https://crt.sh/?id=5150678539


You can find your complete certificate history here:

https://crt.sh/?q=foodsreborn.com

1 Like

As mentioned, you would have to use the FQDN in the connection from Cloudflare to your server (not to your IP). And use the cert you say you obtained with certbot at that secure vhost for that server name.

There are several aspects that might be included in "validity".
And I suspect that you are referring to the cert on your server (not the one being used by Cloudflare).
But since your server is behind Cloudflare CDN, it won't be possible to use simple online tools to check it.
You could, however, check it manually, from inside or maybe even outside your network, with something like:
openssl s_client -connect real-server-ip:443 -servername FQDN -showcerts
[which should show you all the certs being presented by your server]
From there you can better determine its "validity".

1 Like
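Added example (not part of any reply above, and not Ezoic's or Let's Encrypt's code) combining the two points made in this thread: `fetch_peer_cert` performs the same probe as the `openssl s_client -connect IP -servername FQDN` command above using Python's standard library, and `matches_target` applies the x509 rule that produced the quoted error, where an IP target can only be satisfied by an "IP Address" SAN. The sample certificate dict, its expiry date and the IP 203.0.113.10 are constructed for illustration.

```python
"""Added example: inspect an origin cert's SANs and expiry with Python's stdlib."""
import ipaddress
import socket
import ssl
import time

# Constructed sample in the shape ssl.getpeercert() returns: a root + wildcard
# certificate like the one in the thread; the expiry date is illustrative.
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "foodsreborn.com"), ("DNS", "*.foodsreborn.com")),
    "notAfter": "Nov 23 00:00:00 2021 GMT",
}

def fetch_peer_cert(origin_ip, fqdn, port=443, timeout=5):
    """Same probe as `openssl s_client -connect IP:443 -servername FQDN`."""
    ctx = ssl.create_default_context()  # chain is still verified against the CA store
    ctx.check_hostname = False  # we connect by IP; name matching is done by matches_target()
    with socket.create_connection((origin_ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()

def is_ip(target):
    """True when the target is an IPv4/IPv6 literal rather than a hostname."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False

def matches_target(sans, target):
    """x509 rule behind the thread's error: an IP target matches only 'IP Address'
    SANs (a cert with DNS SANs alone "doesn't contain any IP SANs"); a DNS target
    matches an exact DNS SAN or a single-label wildcard (*.example.com covers
    www.example.com but neither example.com nor a.b.example.com)."""
    if is_ip(target):
        ip = ipaddress.ip_address(target)
        return any(t == "IP Address" and ipaddress.ip_address(v) == ip for t, v in sans)
    host = target.lower().rstrip(".")
    for kind, name in sans:
        name = name.lower()
        if kind == "DNS" and (name == host or (name.startswith("*.")
                and host.endswith(name[1:]) and host.count(".") == name.count("."))):
            return True
    return False

def days_remaining(cert, now_ts=None):
    """Whole days until notAfter (negative once expired); now_ts is epoch seconds."""
    now_ts = time.time() if now_ts is None else now_ts
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now_ts) // 86400)
```

Run `fetch_peer_cert("origin-ip", "foodsreborn.com")` from a host that can reach the origin directly, then pass the result's `subjectAltName` and the name Cloudflare connects with to `matches_target`.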
