NET::ERR_CERT_COMMON_NAME_INVALID with ZeroSSL certificate

valmeras · January 4, 2017, 1:40pm

Please fill out the fields below so we can help you better.

I ran this command: https://ehonissa.com

It produced this output:
Your connection is not private

Attackers might be trying to steal your information from ehonissa.com (for example, passwords, messages, or credit cards). NET::ERR_CERT_COMMON_NAME_INVALID
Automatically report details of possible security incidents to Google. Privacy policy
Back to safetyHIDE ADVANCED
This server could not prove that it is ehonissa.com; its security certificate is from dnsme. This may be caused by a misconfiguration or an attacker intercepting your connection. Learn more.

Proceed to ehonissa.com (unsafe)

My operating system is (include version): Windows server 2012 R2

My web server is (include version): Apache 2.4

My hosting provider, if applicable, is: myself

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

I am also getting the message that my certificate I created with ZeroSSL is self-signed.
What can be the reason?

serverco · January 4, 2017, 2:41pm

For some reason you aren’t using the cert from ZeroSSL. You are using a self signed one by dnsme … do you know where that’s from ? is it something you generated before ? or is otherwise on your server ?

I suspect this is because you are using DNS made easy (dnsme) for your redirection to your website - and it’s going to their servers first, prior to redirecting to your server …

valmeras · January 4, 2017, 9:00pm

I have no idea what is dnsme,
I know for sure that the certificates and keys that I am using with my Apache server are from ZeroSSL and validated by Let’S Encrypt.
I think that you maybe right for the second point about my DNS provider which is DnsMadeEasy.
But I reported the issue to them and they said that the problem cannot be from them. According to them, it is certainly a configuration problem with my server.

serverco · January 4, 2017, 9:10pm

What is your setup ( in relation to servers / DNS ) ? If I check your DNS I get 4 IP addresses
96.45.83.143
96.45.83.27
96.45.82.194
96.45.82.84

which are all related to redirection.dnsmadeeasy.com are you using HTTP redirection ? in which case that will give issues for HTTPS

leader · January 4, 2017, 9:10pm

This is likely due to misconfiguration of the server. I have replied to your email with the recommendations regarding how the downloaded certificate can be set up for 2.4.8+ and for older versions. Hope that helps.

Also (and I know it sounds strange), I’ve seen people trying to set up SSL on one machine and then attempting to access the domain with the IP pointing to another server.

So double-checking IPs as @serverco suggested and ensuring that you have indeed set everything up on the same machine as the one you are accessing certainly makes sense.

P.S. As https://sslanalyzer.comodoca.com/?url=ehonissa.com shows, the certificate served is the one for “dnsme” common name indeed and the hostname is “redirection.dnsmadeeasy.com”. So you are definitely not connecting directly to your configured server. As some people mention on Stack Overflow for similar issues - “Since DNS Made Easy doesn’t have your SSL cert on their redirector servers, the domain doesn’t match.” So it looks like you may need to configure DNS to just have A records pointing to your domain rather than using redirects.

system · February 3, 2017, 9:11pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.