Site has security issue since changing from Comodo to LetsEncrypt

highlysceptical · July 28, 2021, 1:32pm

I replaced my Comodo certificate last week. Now, my primary website is deemed to have Social Engineering issues by Google. But nothing has changed in the last year.

SiteGuarding finds an error: TLS certificate does not match the host name
Google Search Console says there is 1 security issue but does not say what it is
Google Transparency Report says: Try to trick visitors into sharing personal info or downloading software

As the problem has only arisen since changing the certificate, and nothing else has changed, I am assuming the problem is with the certificate. But I don't know. How can I resolve this issue?

My domain is: www.acousticdesign.co.uk

I ran this command: I tried to load the site in Chrome

It produced this output: Deceptive Site Ahead

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Own server

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.17.0

Thanks.

Rip · July 28, 2021, 2:27pm

@highlysceptical You are welcome here!

FIRST:

Google Search Console says there is 1 security issue but does not say what it is...

The certificate being served doesn't match the expected hostname.

Expected APEX hostname: = acousticdesign.co.uk
www.acousticdesign.co.uk and api.acousticdesign.co.uk are covered by your certificate but NOT your apex domain name.

You could "expand" your certificate to include your apex domain to resolve that part of the issue. (might also help with the branding placed on your site but frankly I dont really know for sure)

SECONDLY:

It is interesting how "big tech" is acting these days. And to no fault of your own I suppose (Mostly). I suspect the "classification" or "branding" you have been awarded may have something to do with the "first visit" pop up script in your top page.

Result from quick scan:

You can attempt to get reclassified here:

https://safebrowsing.google.com/safebrowsing/report_error/?hl=en

Hope this helps.

rg305 · July 28, 2021, 4:56pm

I'm not so sure that the APEX domain comes into play here (maybe).
Since I can't find a cert having been issued to cover the APEX.
Yes, that doesn't exclude the attempt at https://{apex.domain} to fail.
But is that what is really going on here?

highlysceptical · July 29, 2021, 9:14am

Thanks for all that information. When I ran Certbot, it did not give me the option to include the apex domain name, which is why it is not on the certificate. I suppose I could change that by editing the .conf file?

But I also discovered yesterday that api.acousticdesign.co.uk was being redirected to https://api.acousticdesign.co.uk. When I entered it into https://httpstatus.io/, I got a 301 redirect and a 401 warning. Since api.acousticdesign.co.uk is hosted on a different server that does not currently have an SSL certificate, and it asks for username and password, perhaps that was the root cause of the problem. It was only for internal use so it did not matter to us, but maybe it upset Google?

rg305 · July 29, 2021, 1:55pm

Did you spell that FQDN correctly?

system · August 28, 2021, 1:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.