NET::ERR_CERT_AUTHORITY_INVALID on subdomains only using wildcard


#1

My domain is:
codehh.com

I ran this command:
https://news.codehh.com/bethel/

It produced this output:
Your connection is not private
Attackers might be trying to steal your information from news.codehh.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

I ran this command
echo | openssl s_client -connect rara.gr:443 -servername rara.gr 2>/dev/null | awk '/Certificate chain/,/---/'

which produced this output
Certificate chain
0 s:/CN=rara.gr
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

I ran sudo /home/ec2-user/certbot-auto certificates
which produced this output
Found the following certs:
Certificate Name: codehh.com
Domains: codehh.com *.codehh.com
Expiry Date: 2018-09-08 15:26:27+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/codehh.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/codehh.com/privkey.pem

My web server is (include version): linux apache

The operating system my web server runs on is (include version): aws linux apache

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don't know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no


I used letsencrypt and a wildcard to create a certificate for codehh.com.

On the root, codehh.com, it works great!

However, on the subdomains (news.codehh.com), it produces the error: NET::ERR_CERT_AUTHORITY_INVALID

Any hint on why this could be happening?

Thanks,
Ken


#2

But that’s a totally different domain than the URL you’re describing above your post.

news.codehh.com is sporting a self-signed certificate, NOT a Let's Encrypt certificate.

Are those separate VirtualHost sections in your Apache configuration? If so, does the news.codehh.com HTTPS VirtualHost section have the relevant SSLCertificate and SSLCertificateKey directives set?


#3

Sorry, I had the wrong URL posted, but it still checks out fine.
This is what the virtual host looks like:

<VirtualHost *:80>
DocumentRoot "/var/www/html"
ServerName "codehh.com"
ServerAlias "www.codehh.com"

I have a similar setup with another server using a wildcard, and that is working without the wildcard in VirtualHost, so I do not think it is necessary.

Ken

echo | openssl s_client -connect codehh.com:443 -servername codehh.com 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
0 s:/CN=codehh.com
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3


#4

Hello @hamlethub

your certificate from codehh.com is correct:

Not critical
DNS Name: *.codehh.com
DNS Name: codehh.com

This is a correct wildcard-certificate, Issuer is Letsencrypt. So you don’t need to send a new command to Letsencrypt.

But you must use this certificate locally on

https://news.codehh.com/bethel/

Using wildcard-certificates on different websites may be outside the options of Letsencrypt-clients.


#5

I am sorry, but can you explain that? Both of these urls point to the same server.


#6

a) This is the non-HTTPS VirtualHost (see the ":80" part). You'll need to search for the VirtualHost containing ":443", which would be the HTTPS VirtualHost section(s).
b) That VirtualHost is only for codehh.com and www.codehh.com, NOT for news.codehh.com. You’ll need to search for the VirtualHost containing news.codehh.com in a ServerName or ServerAlias directive.


#7

Can I put a wildcard there, such as ServerAlias "*.codehh.com"?


#8

You can find the answer to that (and many, MANY more) questions in the Apache documentation.


#9

Thank you for that, it is very helpful. Do you know if there is any way to determine what file it is using for ? Right now I can only see it in /etc/httpd/conf.d/ssl.conf. However, it is commented out? Maybe it does not need it for the default (codehh.com)?

General setup for the virtual host, inherited from global configuration

#DocumentRoot "/var/www/html"
#ServerName www.example.com:443

Ken


#10

I don’t quite understand. Using for what exactly?


#11

I meant to pinpoint exactly where it was reading the information inside of <virtualhost…

However, I just found it! I changed the file to read the below. It works!
<VirtualHost *:443>
DocumentRoot "/var/www/html"
ServerName "codehh.com"
ServerAlias www.codehh.com *.codehh.com
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/codehh.com/fullchain.pem
SSLCertificateKeyFile /etc/…
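The diagnosis worked out in #2, #6 and #11 (which :443 VirtualHost actually answers news.codehh.com, and whether that one carries the Let's Encrypt certificate) can be checked offline against a config file. The POSIX shell script below is an added example, not code from the thread, from Apache or from certbot. Both configs are constructed: the `_default_:443` vhost with the self-signed `localhost.crt` is an assumption standing in for the stock `ssl.conf` the poster mentioned, and the SAN list is the one certbot printed in #1. It also applies the single-label wildcard rule of RFC 6125, which matters because Apache's `ServerAlias *.codehh.com` glob is broader than the certificate's `*.codehh.com`.

```shell
#!/bin/sh
# Added example (not from the thread, Apache or certbot). Given an httpd config,
# find the <VirtualHost> that answers a hostname on :443 the way Apache does
# (first ServerName/ServerAlias match on that port, else the first vhost on that
# port), report its SSLCertificate* directives, and check whether the
# certificate's SAN list covers the name under the RFC 6125 wildcard rule.

# Constructed config mirroring the thread: the stock _default_:443 vhost from
# ssl.conf (self-signed cert, paths assumed) and a codehh.com vhost with no
# *.codehh.com alias, so news.codehh.com falls through to the default vhost.
BROKEN_CONF='<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
    SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
</VirtualHost>
<VirtualHost *:80>
    ServerName codehh.com
    ServerAlias www.codehh.com
</VirtualHost>
<VirtualHost *:443>
    ServerName "codehh.com"
    ServerAlias www.codehh.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/codehh.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/codehh.com/privkey.pem
</VirtualHost>'

# The same config after the fix from #11: the wildcard added to ServerAlias.
FIXED_CONF=$(printf '%s\n' "$BROKEN_CONF" | sed 's/^\( *ServerAlias www\.codehh\.com\)$/\1 *.codehh.com/')

# SAN entries of the wildcard certificate, as certbot listed them in #1.
CERT_SANS='*.codehh.com codehh.com'

# vhost_for CONF HOST PORT -> "index|name|names|cert|key" for the first vhost on
# PORT whose ServerName/ServerAlias matches HOST (Apache globbing: * and ? match
# any characters, dots included), else "index|default|..." for the first vhost
# on PORT, which is the one Apache serves unmatched names from.
vhost_for() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z'); port=$3
    printf '%s\n' "$1" | awk '
        function clean(t) { gsub(/"/, "", t); sub(/:[0-9]+$/, "", t); return tolower(t) }
        /^[ \t]*<VirtualHost/ {
            n++; names = ""; cert = ""; key = ""
            addr = $2; sub(/>.*/, "", addr)                  # e.g. *:443 or _default_:443
            k = split(addr, a, ":"); vport = (k > 1) ? a[k] : "*"
            next
        }
        tolower($1) == "servername"            { names = names " " clean($2) }
        tolower($1) == "serveralias"           { for (i = 2; i <= NF; i++) names = names " " clean($i) }
        tolower($1) == "sslcertificatefile"    { cert = $2 }
        tolower($1) == "sslcertificatekeyfile" { key = $2 }
        /^[ \t]*<\/VirtualHost>/ { sub(/^ /, "", names); printf "%d|%s|%s|%s|%s\n", n, vport, names, cert, key }
    ' | {
        set -f                       # keep *.codehh.com from expanding against the cwd
        result=""; default=""
        while IFS='|' read -r idx vport names cert key; do
            [ "$vport" = "$port" ] || continue
            [ -n "$default" ] || default="$idx|default|$names|$cert|$key"
            for pat in $names; do
                case "$host" in
                    $pat) result="$idx|name|$names|$cert|$key"; break 2 ;;
                esac
            done
        done
        set +f
        printf '%s\n' "${result:-$default}"
    }
}

# cert_name_covers SAN HOST: RFC 6125 matching, where "*.codehh.com" covers
# exactly one label (news.codehh.com) but neither codehh.com nor a.b.codehh.com.
cert_name_covers() {
    pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); name=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case "$pat" in
        \*.*) rest=${name#*.}                           # name minus its first label
              [ "$rest" != "$name" ] && [ "$rest" = "${pat#\*.}" ] ;;
        *)    [ "$pat" = "$name" ] ;;
    esac
}

# sans_cover HOST: true if any entry in CERT_SANS covers HOST.
sans_cover() {
    set -f
    for san in $CERT_SANS; do
        if cert_name_covers "$san" "$1"; then set +f; return 0; fi
    done
    set +f; return 1
}

# Walk the names from the thread through both configs. Note a.b.codehh.com:
# after the fix Apache routes it to vhost 3, but the certificate does not cover it.
for h in codehh.com news.codehh.com a.b.codehh.com; do
    printf '%-16s before: %s\n' "$h" "$(vhost_for "$BROKEN_CONF" "$h" 443)"
    printf '%-16s after:  %s\n' "$h" "$(vhost_for "$FIXED_CONF" "$h" 443)"
    sans_cover "$h" && c=yes || c=no
    printf '%-16s covered by the certificate: %s\n' "$h" "$c"
done
```

On a real host the same question is answered by `httpd -S` (or `apachectl -S`), which prints the vhost Apache picks for each name and port; the script is useful for reading a config without loading it. The `a.b.codehh.com` row shows the caveat that `ServerAlias *.codehh.com` matches any depth of subdomain while the certificate's `*.codehh.com` covers a single label, so deeper names would still fail validation.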


#12

Now

https://news.codehh.com/bethel/

is working. But there are errors, you should fix them.

Use Firefox or Chrome and check the webmaster tools / Developer Tools: there is mixed content.

http://calendar.hamlethub.com/connect/js/min/all.js

You should change such addresses to https after checking if the subdomain is safe.

PS: There

https://calendar.hamlethub.com/connect/js/min/all.js

is an Amazon-Certificate.
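The mixed-content finding above can be reproduced without a browser by listing every sub-resource an HTTPS page loads over plain http://. The shell function below is an added example, not code from the thread; the HTML is constructed for illustration and only the all.js address is the one quoted above. Scheme-relative (`//host/...`) and https:// references are left alone, and anchors are skipped because a link is a navigation, not a loaded resource.

```shell
#!/bin/sh
# Added example (not from the thread): list sub-resources an HTTPS page pulls
# over plain http://, which is what the Developer Tools flag as mixed content.

# Constructed page: one mixed script (the address from the thread), one mixed
# image, plus https://, scheme-relative and anchor references that are fine.
SAMPLE_HTML='<html><head>
<script src="http://calendar.hamlethub.com/connect/js/min/all.js"></script>
<link rel="stylesheet" href="https://news.codehh.com/style.css">
<script src="//news.codehh.com/ok.js"></script>
</head><body>
<img src="http://news.codehh.com/logo.png">
<img src=http://news.codehh.com/logo.png alt="same file, unquoted attribute">
<a href="http://example.com/">a link is a navigation, not mixed content</a>
</body></html>'

# mixed_content HTML: one http:// URL per line (deduplicated) taken from the
# src=/href=/data= attributes of tags that load sub-resources.
mixed_content() {
    q="'"
    printf '%s\n' "$1" | tr '\n' ' ' \
      | grep -oiE '<(script|link|img|iframe|audio|video|source|embed|object)[^>]*>' \
      | grep -oiE "(src|href|data)=[\"$q]?http://[^\"$q >]*" \
      | sed "s/^[^=]*=[\"$q]\{0,1\}//" \
      | sort -u
}

mixed_content "$SAMPLE_HTML"
```

Each reported URL is a candidate for the https change the post suggests, after confirming the host serves the file over TLS with a certificate that validates; a reference that cannot be made https should be dropped rather than left, since the browser will either block it or downgrade the page's security indicator.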


#13

This is a dev server. But thank you, I should change them even on this server!

Ken
