Our domain is with a web service/website provider who messed up their SSL certificates


#1

This is probably outside the scope of the topics of this community, but I thought maybe you’d have some advice for me. Please feel free to ignore (or delete) if it doesn’t belong here. I know next to nothing about SSL certification, so hopefully some of this will make sense despite mangling the terms involved.

We recently had a storefront which we moved to a web + hosting service (rhymes with Icks). Unfortunately, once we built the website and transferred our domain to their service, we found that we (in addition to hundreds of other people) could no longer access the site through https:// (It’s only accessible if the www is included, e.g. https://www.)

Apparently Icks is “looking into it”, but after some research it seems like this issue has existed for several weeks now. What is especially upsetting is that we’re unable to transfer the domain again because of the 60 day limit on domain transfers. We’re looking at 2 months (and most likely more) of lost sales. The number of people who reach the site through www is minuscule compared to those who don’t.

Another customer of theirs suggested the issue may be that they didn’t set up their certificates and virtual host mapping properly. (I have no idea if this is correct, but leaving it here to provide more information.)

I’m wondering if trying to point the DNS to a copy of the website (possibly hosted by Squarespace or WordPress) would solve our https:// issue while we wait out our 60 days of purgatory.

Is there a way I could get the SSL certificate myself, even though I have no access to their servers?

Maybe someone here has some insight into this situation? Or some other ideas. Thanks much, and sorry for the lengthy post.


#2

Hi,

It depends a little bit on what the actual issue is. Are you happy to provide your domain name for us to do some simple checks?

You can move your site without needing to move the domain registrar (so you can bypass the 60 day limit there).

One other thought is you could possibly set your DNS through Cloudflare - and have them provide the SSL certificate (you can do it on a free account). That may resolve all your issues, depending on exactly what they are.


#3

Thanks for your reply!

This is the domain: https://obscurasoft.com.

It only functions if www is included: https://www.obscurasoft.com

(Warning: drawings of shirtless men.)

The provider doesn’t allow you to change the name server.


#4

I think the other customer is right “that they didn’t set up their certificates and virtual host mapping properly”. Notably, there was a big certificate that just expired a few days ago that covered both www.obscurasoft.com and obscurasoft.com, and the new certificate covers only www.obscurasoft.com and there is no current Let’s Encrypt certificate that covers obscurasoft.com.

If the domain registrar is separate from the hosting company and the domain registrar allows you to change the name server, you might be able to take some form of @serverco’s suggestion even if the hosting company doesn’t cooperate. But the hosting company itself also ought to be able to fix this if they have responsibility for certificates and web server configurations.


#5

@schoen, I think you’ve got it wrong. This certificate doesn’t expire until March 31, and includes obscurasoft.com. That’s also the certificate you get if you run:

openssl s_client -connect www.obscurasoft.com:443 -servername www.obscurasoft.com -showcerts </dev/null | openssl x509 -text -noout | less

The problem as I saw it was actually with name resolution. www.obscurasoft.com had a CNAME to e.obscurasoft.com, which had an A record. However, until a few minutes ago, obscurasoft.com itself had no A record.

$ dig www.obscurasoft.com
...
;; ANSWER SECTION:
www.obscurasoft.com.    3285    IN      CNAME   e.obscurasoft.com.
e.obscurasoft.com.      3285    IN      A       192.0.78.24
$ dig +short obscurasoft.com
$ 

However, during the time I was typing this post, I tried again and found that obscurasoft.com now has an A record and the HTTPS for that domain works correctly. Looks like the problem’s all fixed! @Sara_L, did you do that, or do you think it was the support team at your hosting provider?

Thanks all for helping debug.
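
Added example, not part of the original posts: a small shell script that separates the two explanations raised in this thread (a certificate that does not list the bare domain versus a bare domain with no address record). The function names and the SAN lists are assumptions constructed for illustration; the DNS lines are the ones quoted in post #5.

```shell
#!/bin/sh
# Added example. Inputs are text a defender collects with:
#   dig +short NAME
#   openssl s_client -connect NAME:443 -servername NAME </dev/null 2>/dev/null |
#     openssl x509 -noout -ext subjectAltName
set -f  # SAN entries may contain "*"; keep the shell from globbing them

# san_covers NAME "SAN SAN ...": succeed if one SAN entry matches NAME.
# "*.example.com" matches exactly one extra label, so it never covers the apex.
san_covers() {
    name=$1
    for san in $2; do
        case $san in
            "*."*)
                rest=${name#*.}             # NAME without its first label
                # ${san#?} drops the leading "*", leaving ".example.com"
                [ "$rest" != "$name" ] && [ ".$rest" = "${san#?}" ] && return 0 ;;
            *)
                [ "$san" = "$name" ] && return 0 ;;
        esac
    done
    return 1
}

# diagnose NAME DIG_SHORT_OUTPUT SANS: print no-address, cert-mismatch or ok.
diagnose() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    sans=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # dig +short lists CNAME targets (trailing dot) before addresses;
    # count only the address lines.
    n=$(printf '%s\n' "$2" | awk 'NF && $0 !~ /\.$/ { n++ } END { print n + 0 }')
    if [ "$n" -eq 0 ]; then
        echo no-address        # name does not resolve; TLS is never attempted
    elif san_covers "$name" "$sans"; then
        echo ok
    else
        echo cert-mismatch     # connects, then fails the certificate name check
    fi
}

# Constructed inputs modelled on the thread (SAN lists are assumptions).
WWW_DIG='e.obscurasoft.com.
192.0.78.24'
BOTH='www.obscurasoft.com obscurasoft.com'

diagnose www.obscurasoft.com "$WWW_DIG" "$BOTH"               # www as posted
diagnose obscurasoft.com ""            "$BOTH"                # apex, no A record
diagnose obscurasoft.com "192.0.78.24" "www.obscurasoft.com"  # www-only cert
diagnose obscurasoft.com "192.0.78.24" "*.obscurasoft.com"    # wildcard only
```

The last case shows why a wildcard certificate alone would not have helped the bare domain either.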


#6

Thanks, I was apparently looking at the wrong certificate in crt.sh.


#7

We got desperate and just pointed the DNS back to the old site. Thank you for your help everyone.

I’ve punched many walls over this.


#8

Addendum: I could also write a long summary of how the website/provider who rhymes with Icks completely screwed us over, but I won’t. It just makes me sad there are so many people who are currently signing up for their services who don’t realize their business will lose a lot of customers because Google links won’t go to the www address, only the https:// one.

But thank you again, all!

