Ownership, nginx / firefox

DavidBruchmann · October 17, 2017, 8:55am

In firefox I get shown:

Website: barlians.com
Owner: This website does not supply ownership information.
Verified by: Let's Encrypt

The site is running on nginx-server and SSL is configured like this:

ssl_certificate /etc/letsencrypt/live/barlians.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/barlians.com/privkey.pem;

Before I got a blocking warning by firefox (current of ubuntu 16.04), that strangely disappeared without any changes on the server and I can at least access the site.

A related strange thing is that the site https://www.whynopadlock.com/check.php is reporting

URL/Domain invalid. Please go back and verify the secure URL.

So at least with that site I can't verify any issues.

So I'd like to know why the ownership is shown like mentioned above and why the site might be blocked because of it. I checked some resembling issues but never found an applying answer. An answer to the issue with whynopadlock.com would be great additional.

Thanks in advance,
David

bytecamp · October 17, 2017, 9:01am

I don’t see something unusual with the certificate. The issue with whynopadlock seems to be a mistake in entering a correct url. What exactly did you enter there?

DavidBruchmann · October 17, 2017, 9:02am

I did enter https://barlians.com on https://www.whynopadlock.com/check.php

bytecamp · October 17, 2017, 9:06am

Please try to enter the url on https://www.whynopadlock.com/

DavidBruchmann · October 17, 2017, 9:09am

Same issue on the page. No changes by using the form on the main-page.

DavidBruchmann · October 17, 2017, 9:13am

For my webmin installation I get at least a result shown, the meaning and solution are still miracles for me and I'd appreciate some help there too:

Domain Name: barlians.com
URL Tested: https://barlians.com:10000
Number of items downloaded on page: 11
SSL verification issue (Possibly mis-matched URL or bad intermediate cert.). Details:
ERROR: cannot verify barlians.com's certificate, issued by '/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3': Unable to locally verify the issuer's authority.

As explanation: For webmin I always chain the certificates in one file, that's common procedure in webmin and described in the FAQ: FAQs | Webmin -> "My browser complains about the Webmin certificate when in SSL mode"

Patches · October 17, 2017, 9:36am

This just means you do not have an extended validation (EV) certificate that supplies information about who owns the site. You'll notice Firefox says the same thing about the certificate for www.google.com.

https://barlians.com appears to be configured correctly.

https://barlians.com:10000 is missing the intermediate certificate. Are you sure you've configured it with fullchain.pem and not cert.pem?

bytecamp · October 17, 2017, 9:38am

I see the same issue for your website, but I cannot say why there is an error. Besides, what did you want to test with that tool? If you have a green icon or at least not a yellow one next to the website's address in firefox, everything is fine.

MitchellK · October 17, 2017, 9:45am

Your configuration for webmin to use LE’ SSL Certs should look as follows, and also make sure your /etc/hosts is configured correctly with your IP address and the hostnames you are using.

DavidBruchmann · October 17, 2017, 9:45am

@Patches
Thanks, the point with google.com is quite interesting and calming me down a bit.
Concerning the webmin-page I will check, but I’m quite sure that I did it right.

@bytecamp
I saw the test-site mentioned on another page and wanted primary mention that I checked with that tool already to shorten some ways of thoughts, but then I got the unexpected result.

DavidBruchmann · October 17, 2017, 9:49am

Thanks, I see that page the first time. or at least recognize that it’s related to webmin itself.
Curious if I can forget then about combining certificates manually …
Will check it out!

MitchellK · October 17, 2017, 9:50am

I run 6 webmin servers all configured this way and they work perfectly.

DavidBruchmann · October 17, 2017, 9:52am

Yeah good hint. Combining manually is always a bit a hassle after renewing the certificates.

Patches · October 17, 2017, 10:08am

I checked with openssl directly since most online tools don’t support custom ports.

Notice how this command which connects over the default port 443 displays the intermediate certificate and doesn’t show a verification error:

$ openssl s_client -connect barlians.com:443 -servername barlians.com
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = barlians.com
verify return:1
---
Certificate chain
 0 s:/CN=barlians.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
<snip>
subject=/CN=barlians.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3132 bytes and written 468 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 73A2E698D61E170D6A9396D69287AA2875B1DA45C9713DC24BD699C56BE7BF7B
    Session-ID-ctx: 
    Master-Key: 96EDEBA27E50197DB7F8640D71E72086FC0D46BBCF75EBD529173A9664BC17BBE33077A4FD2DE2E4570C949B1165BE59
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1508234221
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
^C

But this command uses port 10000, and the output doesn’t list the intermediate certificate and displays a verification error:

$ openssl s_client -connect barlians.com:10000 -servername barlians.com
CONNECTED(00000003)
depth=0 CN = barlians.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = barlians.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=barlians.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
<snip>
subject=/CN=barlians.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 1740 bytes and written 628 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: 017AE0FFB5BF7BBD9C6957A685D02D0757ABCD0FE5F823ED1CEC0A0B4E03DDA9
    Session-ID-ctx: 
    Master-Key: 7A98EFC9F253B0A80B2113F90DFA0E9006D90E94C8C91ABFDF64B0C86CA86ABA9B2AE984A060B6025D8ED1576FCB7AB2
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket: <snip>

    Start Time: 1508234254
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
^C

MitchellK · October 17, 2017, 10:10am

That’s why the webmin config must specify the certificates correctly.

DavidBruchmann · October 17, 2017, 10:13am

Thanks a lot, commandline is often more reliable than klick-and-go, good to know the right way to control it.

system · November 16, 2017, 10:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.