Self signed SSL/TLS certificate issue

My domain is: pretparkdeals.be

My hosting provider, if applicable, is: Combell.com
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk

I got an alert from Google Search Console:

Google has detected that the SSL/TLS certificate used on https://www.pretparkdeals.be.... is self-signed, which means that it was issued by your server rather than by a Certificate Authority. Because only Certificate Authorities are considered trusted sources for SSL/TLS certificates, your certificate cannot be trusted by most of the browsers. In addition, a self-signed certificate means that your content is not authenticated, it can be modified, and your user’s data or browsing behavior can be intercepted by a third-party. As a result, many web browsers will block users by displaying a security warning message when your site is accessed. This is done to protect users’ browsing behavior from being intercepted by a third party, which can happen on sites that are not secure.
Recommended Action:

Yet, I am using Let's Encrypt on other domains as well and it's working okay there. Any idea what the issue might be?

I really don't see any issue here, certificate is fine.

Hi @loyens,

It looks like connecting to pretparkdeals.be without sending a SNI value in the TLS handshake results in an expired self-signed certificate being returned. You can see this behaviour yourself using openssl s_client.

If you do send an SNI value (like web browsers do) then you get the correct cert. This is why @bytecamp wasn't able to reproduce - they likely tested with a client that sent an SNI header. Most modern TLS clients do this by default.

$> openssl s_client -connect pretparkdeals.be:443 -servername pretparkdeals.be </dev/null
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = pretparkdeals.be
verify return:1
---
Certificate chain
 0 s:/CN=pretparkdeals.be
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGTCCBAGgAwIBAgISBIARQ/BaJgjEUk6KAkLq+idUMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzEyMTgxMTQ1NDFaFw0x
ODAzMTgxMTQ1NDFaMBsxGTAXBgNVBAMTEHByZXRwYXJrZGVhbHMuYmUwggEiMA0G
CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC1F0ZvXAi6tprAqjAuhcDkeN7pOxXS
Ma4bTqxwfGMwc9YegkYtW4QRRqB85hqkvuxnNgPIDW6/S1YFUooo2qZs3RpORLpz
BslpSxyRjZHEE/yG4+Y+zF4zTuqYvfSv7tzPwYI0Aue85/vjjVzMLruClJij8V6h
Hn+qWjkidKIRs8cgSaXRVpjKY5NXRPjoqzfcSF7gKZrira0EPRysEJwWGpjFsUf7
6CGWKLsJj3R/GR592N6OAx8yEiSPWyY4B+5G5XvmjeQIoqKRaQuuUc3lxFVE7dt0
E+l5RmSper0tV7Cu65+h7xelQG1bEZv/kDLXbRdc/czQMnmzm04xZdS/AgMBAAGj
ggImMIICIjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFHCVtjSF1NMkB9Z5b2cAygwl
vmyMMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEB
BGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZy8wMQYDVR0RBCowKIIQcHJldHBhcmtkZWFscy5iZYIUd3d3LnByZXRwYXJr
ZGVhbHMuYmUwgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEB
MIHWMCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYI
KwYBBQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGll
ZCB1cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNl
IHdpdGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xl
dHNlbmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAkxxq
kPQfDeiv150gtS6h58cu9+PGtwUP1HywjTHluoE5nku6Tza0JvJM6Q80vyQhndWE
9OUAI5+8zZ2XqWYSz02RUfhHCEWKrunFrldoKiKf8jvCofCDvMPzdZ+MXteMy98X
/GQ1DHYwnpLBYmt+JHUkSk/9oLvzZ0FfZo9DQzL+74R3TitdIVeBIrubcPHq6lwF
XYrKFWi1s4OgmfCGZ07FVlHu9r486cuVCcDf3fsIL/U5OAVtp1VhWvoQdjP52ZPO
Vym8ITdxK/XgoSt5mG+jTQn/MDdbRzN6cruNuBjWfhHxLeow9RQB133p9ZO3kkip
WxANg1zDwOaGHVQphQ==
-----END CERTIFICATE-----
subject=/CN=pretparkdeals.be
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3197 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D7408E82085430CFF5C064A5F98099E19386C99E93334236FA83CB5063CD382E
    Session-ID-ctx: 
    Master-Key: CF58FA98EA440F53C8D5BB9C50150E2E7C84D968810556E284C60993CBA07890475F82DC450ED4A8490420A47EE96451
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b4 d8 b5 f1 b4 a5 07 d3-8d c1 02 fe 9e b6 dc 13   ................
    0010 - 69 aa 8d b3 02 56 d3 61-b2 b0 6e f7 5b b2 7c 8b   i....V.a..n.[.|.
    0020 - cd 3a 89 1d 0c c9 3f e7-2c 75 73 75 7e 53 8b b7   .:....?.,usu~S..
    0030 - 53 c5 27 27 51 b0 bf 89-59 53 b2 3d e9 02 56 2d   S.''Q...YS.=..V-
    0040 - 0f ca 84 ba 09 45 d5 87-d8 f7 6e 95 44 e6 6e 04   .....E....n.D.n.
    0050 - da d4 34 d2 02 fd fe 97-1c b1 bc 9a 2d 63 21 e6   ..4.........-c!.
    0060 - 30 c0 e9 9b fa 86 c7 71-6e 5b 5c e8 5c 99 7d e1   0......qn[\.\.}.
    0070 - 2d 72 d3 a1 49 3e 60 9e-7d 38 e5 b1 9a 8c fd 16   -r..I>`.}8......
    0080 - e4 80 a2 41 82 4f 82 2c-3f 33 e0 b7 ae 46 fe 34   ...A.O.,?3...F.4
    0090 - 2a 1d dd 9f 36 dc fc 0b-57 1b bf 87 c6 29 3c 1e   *...6...W....)<.
    00a0 - 49 85 2b 5b eb 23 ff 55-d0 d7 d9 85 f7 25 c7 de   I.+[.#.U.....%..
    00b0 - d6 69 06 24 82 90 27 93-de 81 99 5a 8b f1 da e5   .i.$..'....Z....
    00c0 - 94 07 4b d4 d9 a7 07 81-4a 6f bb 10 dc b4 3f 0f   ..K.....Jo....?.

    Start Time: 1513608854
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

If you don't send SNI you get the expired & self-signed cert:

$> openssl s_client -connect pretparkdeals.be:443 </dev/null
CONNECTED(00000003)
depth=0 C = US, ST = Washington, L = Seattle, O = Odin, OU = Plesk, CN = Plesk, emailAddress = info@plesk.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Odin, OU = Plesk, CN = Plesk, emailAddress = info@plesk.com
verify error:num=10:certificate has expired
notAfter=Nov  2 09:33:13 2017 GMT
verify return:1
depth=0 C = US, ST = Washington, L = Seattle, O = Odin, OU = Plesk, CN = Plesk, emailAddress = info@plesk.com
notAfter=Nov  2 09:33:13 2017 GMT
verify return:1
---
Certificate chain
 0 s:/C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/emailAddress=info@plesk.com
   i:/C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/emailAddress=info@plesk.com
---
Server certificate
-----BEGIN CERTIFICATE-----
(certificate body omitted)
-----END CERTIFICATE-----
subject=/C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/emailAddress=info@plesk.com
issuer=/C=US/ST=Washington/L=Seattle/O=Odin/OU=Plesk/CN=Plesk/emailAddress=info@plesk.com
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1588 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 439D9B85437B21BC4DF2B972DCC9AD465459EB290E1E7F24139D3D5AD35D0AE5
    Session-ID-ctx: 
    Master-Key: 4153118B5EED169F95165E04D87756127D0C7D3A8399429AE9314A9425C643CE757FAF4D32F58CB4B2C49BA5561C3B61
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - b4 d8 b5 f1 b4 a5 07 d3-8d c1 02 fe 9e b6 dc 13   ................
    0010 - 35 72 5e ed f1 bc e2 fe-86 37 47 11 e2 00 55 6c   5r^......7G...Ul
    0020 - 27 49 97 0a ed 3d aa 19-0d b1 de 17 e0 2f a5 bf   'I...=......./..
    0030 - dd fa f7 33 65 9f d6 62-c4 7e 01 1b 41 25 9f 2a   ...3e..b.~..A%.*
    0040 - 28 6d 59 36 78 16 c8 97-5a 27 cf 1a 24 fd 47 96   (mY6x...Z'..$.G.
    0050 - 95 0a 22 d8 a7 8a 61 26-87 72 72 67 95 aa 24 1d   .."...a&.rrg..$.
    0060 - a5 28 9c 3d 4d 2c 79 d2-f2 86 3f 22 dd 20 58 be   .(.=M,y...?". X.
    0070 - 03 86 18 66 91 a6 88 7d-8a 1c 83 fb 58 cd 07 78   ...f...}....X..x
    0080 - dc 2d 45 47 69 31 77 ab-d5 df 1e aa ca f5 1f e6   .-EGi1w.........
    0090 - 93 3b 1f 83 0d 25 75 87-02 6b a8 55 b2 50 cb c4   .;...%u..k.U.P..
    00a0 - 61 4e eb 88 2a 6a c2 5f-3f 8a d0 e1 fd c0 02 46   aN..*j._?......F
    00b0 - e5 29 a7 f7 31 79 e4 dd-be c5 69 b4 3b ab 16 31   .)..1y....i.;..1

    Start Time: 1513608908
    Timeout   : 300 (sec)
    Verify return code: 10 (certificate has expired)
---
DONE

You may need to contact your hosting provider to get this problem resolved. Your server configuration needs to be updated to return a valid certificate when no SNI value is provided if you want to support older TLS clients and avoid this error from the Google Search Console.

Hope that helps!

1 Like
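To see the behaviour described above without touching the live host, here is an added example (my own, not part of the thread or of Plesk) that stands up a local openssl s_server with a default self-signed "Plesk" certificate plus a second certificate that is only served when the client's SNI matches, and then probes it three ways: with no SNI, with the right name, and with a wrong name. It assumes the openssl CLI is installed, that port 4443 (override with PORT) is free, and that a temporary directory can be created; the subjects "Plesk" and "pretparkdeals.be" are just labels on throwaway certificates generated by the script.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce "no SNI -> default cert" locally.
# Assumptions (mine): openssl CLI present, $PORT free, mktemp available.
set -e

PORT="${PORT:-4443}"
WORK="$(mktemp -d)"
SERVER_PID=""

cleanup() {
    if [ -n "$SERVER_PID" ]; then kill "$SERVER_PID" 2>/dev/null || true; fi
    rm -rf "$WORK"
}
trap cleanup EXIT

# Make a throwaway self-signed cert/key pair. $1 = file prefix, $2 = CN.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Mimic the mis-configured host: the "Plesk" cert is the default, and the vhost
# cert is only selected when the ClientHello carries a matching SNI name.
start_server() {
    openssl s_server -accept "$PORT" -www \
        -cert "$WORK/default.crt" -key "$WORK/default.key" \
        -servername pretparkdeals.be \
        -cert2 "$WORK/vhost.crt" -key2 "$WORK/vhost.key" >/dev/null 2>&1 &
    SERVER_PID=$!
    # Wait until the listener completes a handshake (up to ~10 s).
    i=0
    while ! openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; do
        i=$((i + 1))
        if [ "$i" -ge 10 ]; then echo "server did not start" >&2; return 1; fi
        sleep 1
    done
}

# Print the subject of the leaf cert the server presents.
# $1 = SNI name to send; omit it to send no SNI at all (s_client sends none
# for an IP literal when -servername is absent).
leaf_subject() {
    sni_opt=""
    if [ $# -gt 0 ]; then sni_opt="-servername $1"; fi
    # shellcheck disable=SC2086  # deliberate word splitting of $sni_opt
    openssl s_client -connect "127.0.0.1:$PORT" $sni_opt </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

make_cert default Plesk
make_cert vhost pretparkdeals.be
start_server

printf 'no SNI:                %s\n' "$(leaf_subject)"                    # CN=Plesk
printf 'SNI pretparkdeals.be:  %s\n' "$(leaf_subject pretparkdeals.be)"   # CN=pretparkdeals.be
printf 'SNI other.example:     %s\n' "$(leaf_subject other.example)"      # CN=Plesk
```

The third probe is the case mnordhoff's later reply alludes to: a name the server does not know gets the same default certificate as no name at all, so whatever is configured as the default is what every non-SNI or mis-directed client sees. One caveat when repeating the reply's second command against a real hostname today: OpenSSL 1.1.1 and later s_client send SNI by default using the -connect host, so to reproduce the "no SNI" probe you need the -noservername flag (or connect to the IP address, as the script does).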

Unfortunately, that option most likely isn't available for shared hosting, as the virtualhosts probably share the same IP address. So unless the provider is willing to get a single certificate covering all the FQDNs on the shared hosting IP address, it's not gonna happen.

Things are different of course for shared hosting with many IP addresses, one for each customer. But I reckon that is highly unlikely.

If it's a VPS with a single, separate IP address, then of course it's very much possible.

2 Likes

Many websites require SNI, though. It’s often not a problem, unless you have an unusual need for compatibility with obsolete clients.

You don’t have to fix Google’s warning message.

Or maybe switching the expired, self-signed certificate for a valid but mismatching one would also satisfy Google.

1 Like
