It produced this output:
Untrusted
Reasons: The certificate doesn’t match hostname
Common Name: netbrackets.com
Key Type/Size: RSA 2048 bits
Signature Algorithm: sha256WithRSAEncryption
Subject Alternative Names: DNS:netbrackets.com, DNS:www.netbrackets.com
Transparency: Yes
Validation Level: DV
CRL: http://crls.ssl.com/SSLcomRSASSLsubCA.crl
OCSP: http://ocsps.ssl.com
OCSP Must-Staple: No
Supports OCSP Stapling: No
Valid From: November 25th 2018, 14:36 CET
Valid To: September 1st 2019, 15:36 CEST
My web server is (include version):
Server version: Apache/2.4.38 (Unix)
Server built: Feb 10 2019 02:48:38
The operating system my web server runs on is (include version):
Mac OS 10.14.2
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.32.0
Is this service meant to be accessible to the public? I tried to access it via your link, but I got a connection refused (distinct from the error that you reported above).
Hi @shoen,
Sorry, I was mucking with it, it should be operational now. However, NOW it seems to be working. I’ve been working on the error for 4 hours at least, and now it starts to work. No idea what I did except restart apache for the umpteenth time.
Wow, now that test is working for me too. Is there a trick to refreshing it? I just put the URL in and clicked the right arrow for the last two hours today and got errors every time.
Anyway it was acting very strange picking up a certificate that wasn’t even loaded on that machine, it’s on another one. I have not changed the domain A record in days.
I don't know about this particular scanner, but some of the online testing tools do cache their results and don't re-perform the test automatically when you ask about the same site later on.
Yeah, the certbot wouldn’t create a certificate until after I added the ipv6 address for this domain, even though it made the other certs fine without it on their domains. Should I remove the ipv6 IP from that domain? Would I need to re-make the cert if I do?
You don't need to recreate the certificate if you have a valid one; the certificate doesn't mention any IP addresses at all, only domain names.
If you advertise an IPv6 address in DNS, your server has to actually listen in IPv6. It looks like currently you do advertise an IPv6 address with an AAAA record, but your server isn't currently reachable that way.
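The two points in the reply above (a certificate names hostnames, never IP addresses, and any address you advertise in DNS has to actually accept connections) can both be checked mechanically. The script below is an added example, not code from anyone in this thread. It parses the Subject Alternative Name list in the format `openssl x509 -noout -ext subjectAltName` prints, matches a hostname against it (exact labels or a single left-most wildcard), and then probes every A and AAAA address for a TCP connect on 443. The SAN text, the DNS answer (documentation-range addresses) and the `fake_probe` result are all constructed so it runs offline; `tcp_probe` and `resolve_records` are the live equivalents.

```python
"""Added example: SAN/hostname matching plus an 'advertised address is
reachable' check. Inputs are constructed; see fake_probe / FAKE_DNS."""
import re
import socket

# Constructed: SAN section as printed by `openssl x509 -noout -ext subjectAltName`
SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:netbrackets.com, DNS:www.netbrackets.com
"""

# Constructed DNS answer using documentation address ranges (RFC 5737 / RFC 3849)
FAKE_DNS = {"A": ["192.0.2.10"], "AAAA": ["2001:db8::10"]}


def parse_san(text):
    """Return the lower-cased dNSName entries from an openssl-style SAN dump."""
    return [m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", text)]


def hostname_matches(hostname, san_names):
    """RFC 6125-style check: every label must match, or the SAN's single
    left-most label is '*' and covers exactly one hostname label.
    An IP literal never matches a dNSName SAN, which is why a certificate
    need not (and does not) list server IP addresses."""
    host = hostname.lower().rstrip(".")
    try:
        socket.inet_pton(socket.AF_INET6 if ":" in host else socket.AF_INET, host)
        return False  # hostname is an IP literal
    except (OSError, ValueError):
        pass
    host_labels = host.split(".")
    for name in san_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host_labels):
            continue  # a wildcard covers one label only, so counts must agree
        if labels[0] == "*" and len(labels) > 2:
            if labels[1:] == host_labels[1:]:
                return True
        elif labels == host_labels:
            return True
    return False


def resolve_records(hostname):
    """Live lookup: group a host's addresses by record type via getaddrinfo."""
    records = {"A": [], "AAAA": []}
    for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
        key = "A" if family == socket.AF_INET else "AAAA" if family == socket.AF_INET6 else None
        if key and sockaddr[0] not in records[key]:
            records[key].append(sockaddr[0])
    return records


def tcp_probe(family, address, port, timeout=3.0):
    """Live probe: does address:port accept a TCP connection?"""
    try:
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            s.connect((address, port))
        return True
    except OSError:
        return False


def fake_probe(family, address, port):
    """Constructed stand-in mirroring this thread: IPv4 listens, IPv6 does not."""
    return family == socket.AF_INET


def check_advertised_addresses(dns_records, probe, port=443):
    """Map (record type, address) -> reachable? for every advertised address."""
    report = {}
    for rtype, family in (("A", socket.AF_INET), ("AAAA", socket.AF_INET6)):
        for addr in dns_records.get(rtype, []):
            report[(rtype, addr)] = probe(family, addr, port)
    return report


def unreachable_advertised(report):
    """Addresses a client may pick from DNS but cannot connect to."""
    return [f"{rtype} {addr}" for (rtype, addr), ok in report.items() if not ok]


if __name__ == "__main__":
    sans = parse_san(SAN_TEXT)
    for h in ("www.netbrackets.com", "mail.netbrackets.com", "192.0.2.10"):
        print(f"{h}: {'matches' if hostname_matches(h, sans) else 'NO MATCH'}")
    for entry in unreachable_advertised(check_advertised_addresses(FAKE_DNS, fake_probe)):
        print("advertised in DNS but unreachable:", entry)
```

For a real host, replace `FAKE_DNS` with `resolve_records("www.example.com")` and `fake_probe` with `tcp_probe`; any line reported as "advertised but unreachable" is an address some clients (and validation services that prefer IPv6) will try first and fail on, which is the situation the AAAA record above creates.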
Adding the IPv6 “just to get a cert” really makes no sense to me.
I don’t even know how to comment on that…
Other than if you don’t need it, then don’t use it.
[but you kind of just said that you do need it…]
Ha, me either. Maybe it was coincidence, but I tried and tried to create a cert for that domain and kept getting errors (sadly I can’t remember exactly what it was). I then added the record, and it worked. Strange things seem to be occurring all around on this machine.
It could be that you had a firewall blocking some connections to the IPv4 address but not corresponding connections to the IPv6 address, for example. (I don’t have any evidence of this, but that’s just an example of why adding an IPv6 address might make something work that failed in IPv4.)