net::ERR_CERT_AUTHORITY_INVALID on .market domain


#1

My domain is: Wow.balance

My web server is (include version): Apache 2

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: VDS

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

I’ve got net::ERR_CERT_AUTHORITY_INVALID when using “certbot”


#2

For some reason I can’t fathom, you deleted the following questions from the questionnaire you got presented when you started this thread. Could you answer them? Without them, we can’t help you, because for some reason, your webserver doesn’t have the Let’s Encrypt certificate in use, but still uses a self-signed certificate. This is most likely because of how you invoked certbot.

I ran this command:

It produced this output:


#4

Hmmm, I imagine you probably have another virtual host definition that is conflicting with this one somehow. Could you run something like this?

grep -r SSLCert /etc/apache2


#6

Interestingly, the site https://54040.ru/ presents the certificate for baikal.market (!!) while the site for https://baikal.market/ presents a self-signed certificate. I have not seen this particular error mode before.

Could you maybe run some other greps?

grep 443 /etc/apache2
grep -ir ssl /etc/apache2

#7

$ dig +short 54040.ru
185.5.251.11

$ dig +short baikal.market
198.71.248.67

$ dig +short www.baikal.market
185.5.251.11

Why do the domains appear to point to different servers?

https://www.baikal.market/ has a cert for baikal.market but not the www variant.


#9

Sorry, I mean grep -r 443 /etc/apache2


#11

I think @_az has probably found the most important problem, that the domain name might not be pointed at the right web server at all!


#13

One other thing, are the port 443 virtual hosts enabled?

ls -l /etc/apache2/sites-enabled


#14

Which IP address is correct for your web server?


#17

OK! So, you should make sure that your certificate covers both baikal.market and www.baikal.market (not just www.baikal.market) and change your DNS settings so that the baikal.market A record is pointed at 185.5.251.11.


#18

Great! Then that explains why the other site served the baikal.market certificate too. So I think if you reissue the certificate to cover both www.baikal.market and baikal.market and also update the DNS A record to point to the correct server, everything should work properly.
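
Added example, not part of any post in this thread: a POSIX shell check for the two problems diagnosed above, an A record that points at the wrong server and a certificate that does not list every hostname. The helper names `san_covers` and `diagnose` are hypothetical, and the sample values are the ones quoted in the thread, embedded as constructed input so the script runs offline.

```sh
#!/bin/sh
# Added example; san_covers and diagnose are hypothetical helper names.
# Live inputs could be gathered with:
#   dig +short A "$name"
#   openssl s_client -connect "$ip:443" -servername "$name" </dev/null 2>/dev/null |
#     openssl x509 -noout -ext subjectAltName

# san_covers "SAN1 SAN2 ..." NAME
# Succeeds if NAME equals a SAN, or matches a wildcard SAN by one extra label.
san_covers() (
  set -f                          # keep "*.example.org" from globbing
  sans=$1; name=$2
  for san in $sans; do
    [ "$san" = "$name" ] && exit 0
    case $san in
      '*.'*)
        suffix=${san#'*'}         # "*.example.org" -> ".example.org"
        label=${name%"$suffix"}   # unchanged when the suffix does not match
        if [ "$label" != "$name" ] && [ -n "$label" ]; then
          case $label in *.*) ;; *) exit 0 ;; esac
        fi ;;
    esac
  done
  exit 1
)

# diagnose EXPECTED_IP "SANS" NAME=IP ...
# Prints one verdict per name; exit status is the number of names with a problem.
diagnose() (
  expected=$1; sans=$2; shift 2
  bad=0
  for pair in "$@"; do
    name=${pair%%=*}; ip=${pair#*=}
    dns=ok; cert=ok
    [ "$ip" = "$expected" ] || dns="mismatch($ip)"
    san_covers "$sans" "$name" || cert=not-covered
    { [ "$dns" = ok ] && [ "$cert" = ok ]; } || bad=$((bad + 1))
    printf '%s dns=%s cert=%s\n' "$name" "$dns" "$cert"
  done
  exit "$bad"
)

# Constructed sample: A records and certificate name as quoted in the thread.
diagnose 185.5.251.11 "baikal.market" \
  baikal.market=198.71.248.67 www.baikal.market=185.5.251.11 ||
  echo "names with problems: $?"
```

With the thread's values it flags the bare domain for its A record and the www name for missing certificate coverage; once both names resolve to the same server and both are listed in the certificate, it exits 0.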


#20

It looks like you’ve made certificates for both of them at different times:

https://crt.sh/?Identity=%baikal.market&iCAID=16418


#22

@schoen, thanks! The problem was on GoDaddy DNS Templates.


#23

We like to have old topics available because they might help other people with a similar situation. If you want to remove the particular domain names and IP addresses from the thread, that’s fine—you can edit your own posts and I can also edit other people’s posts to remove these identifiers if you’d like.


#24

I agree, sometimes I find older posts on this forum that end up helping me out a lot because I can see the issues that other people had with the error I’m having.

