Net::err_cert_authority_invalid

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sisa.unimetro.org

I ran this command: https://sisa.unimetro.org

It produced this output: NET::ERR_CERT_AUTHORITY_INVALID. Not always. Sometimes it works.

My web server is (include version): Apache/2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04.2 LTS

My hosting provider, if applicable, is: Local Server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

Hello @ditutala,

Your domain sisa.unimetro.org points to two IPs:

$ dig sisa.unimetro.org +short
196.29.193.131
69.16.204.89

Connecting to 196.29.193.131, the certificate served is issued only for sisa.unimetro.org:

$ echo | openssl s_client -connect 196.29.193.131:443 -servername sisa.unimetro.org 2>/dev/null | openssl x509 -noout -text | grep 'DNS:' | sed 's/^ *//'
DNS:sisa.unimetro.org

Connecting to 69.16.204.89, the certificate served is issued for sisa.unimetro.org and www.sisa.unimetro.org:

$ echo | openssl s_client -connect 69.16.204.89:443 -servername sisa.unimetro.org 2>/dev/null | openssl x509 -noout -text | grep 'DNS:' | sed 's/^ *//'
DNS:sisa.unimetro.org, DNS:www.sisa.unimetro.org

So I suppose you are having issues connecting to www.sisa.unimetro.org because it points to the server which only serves a certificate for sisa.unimetro.org.

You should review your DNS and Web Server conf.

Cheers,
sahsanu

1 Like

Hi @ditutala

Your configuration is fatally buggy - see https://check-your-website.server-daten.de/?q=sisa.unimetro.org#url-checks

Two ip addresses of the non-www version:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| sisa.unimetro.org | A | 69.16.204.89 Lansing/Michigan/United States (US) - Liquid Web, L.L.C Hostname: cloud3.angoweb.biz | yes | 1 | 0 |
| | A | 196.29.193.131 Camabatela/Cuanza Norte Province/Angola (AO) - NET No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.sisa.unimetro.org | A | 196.29.193.131 Camabatela/Cuanza Norte Province/Angola (AO) - NET No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |

But the 69 - ip sends:

Certificate error: RemoteCertificateChainErrors
small visible content (num chars: 115)
Index of / Name Last modified Size Description Proudly Served by LiteSpeed Web Server at sisa.unimetro.org Port 443

The 196 ip sends your complete website.

And the 69 doesn't have a redirect.

So different servers -> different configurations.

Maybe remove the 69 ip.
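
The per-IP checks from the two replies above, as an added example that is not part of the original posts: it resolves every A record for a name, validates the certificate each IP serves for that name the way a browser would, and classifies the result. The function names, the verdict labels and the `SAMPLE` data are assumptions made for this illustration; the error detail in `SAMPLE` is constructed.

```python
import socket
import ssl
import sys

def probe(host, ip, port=443, timeout=5.0):
    """TLS handshake with one specific IP, sending `host` as SNI.
    Returns (ok, detail); ok means chain and hostname validated against
    the system trust store. detail is the DNS SANs or the failure reason."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                san = tls.getpeercert().get("subjectAltName", ())
                return True, ", ".join(sorted(v for k, v in san if k == "DNS"))
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:  # refused, timeout, other TLS failures
        return False, f"connection failed: {exc}"

def resolve_ipv4(host, port=443):
    """All A records for host, deduplicated and sorted."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def summarise(results):
    """results: {ip: (ok, detail)} -> (verdict, list of failing IPs)."""
    failing = sorted(ip for ip, (ok, _) in results.items() if not ok)
    if not failing:
        same = len({detail for _, detail in results.values()}) <= 1
        return ("consistent" if same else "valid-but-different"), failing
    if len(failing) == len(results):
        return "all-failing", failing
    # Some IPs validate and some do not: the client-side error comes and
    # goes depending on which address the client happens to connect to.
    return "intermittent", failing

def check(host):
    results = {ip: probe(host, ip) for ip in resolve_ipv4(host)}
    return results, summarise(results)

# Constructed sample shaped like the thread: one IP validates, the other
# returns a chain error (the detail string is constructed).
SAMPLE = {
    "196.29.193.131": (True, "sisa.unimetro.org"),
    "69.16.204.89": (False, "certificate chain error"),
}

if __name__ == "__main__":
    results, verdict = check(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE, summarise(SAMPLE))
    for ip, (ok, detail) in sorted(results.items()):
        print(f"{ip:<16} {'OK  ' if ok else 'FAIL'} {detail}")
    print("verdict:", verdict)
```

Run with a hostname as the only argument to probe live servers; with no argument it prints the verdict for the constructed sample.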

Thank you for your hints. I'll try to make the suggested changes.

2 Likes

Thanks for your help and clear hints

2 Likes