Site is not safe

Blisk · September 16, 2019, 8:47am

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.povej.net/

I ran this command:
I still have this error site not safe

Certificate is one month old
It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): centos 7.6

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
certbot 0.36.0

JuergenAuer · September 16, 2019, 9:10am

Hi @Blisk

if you use the ip address, your site is always not safe.

Use your domain name. Letsencrypt certificates have only domain names, so that can't work with an ip address.

Checking your domain there are other errors - https://check-your-website.server-daten.de/?q=povej.net

There are some certificates

Issuer	not before	not after	Domain names	LE-Duplicate
Let's Encrypt Authority X3	2019-09-16	2019-12-15	www.povej.net - 1 entries	duplicate nr. 1
Let's Encrypt Authority X3	2019-09-14	2019-12-13	snorby.povej.net - 1 entries	duplicate nr. 1
Let's Encrypt Authority X3	2019-09-11	2019-12-10	povej.net - 1 entries	duplicate nr. 1
Let's Encrypt Authority X3	2019-09-10	2019-12-09	muzika.povej.net - 1 entries	duplicate nr. 1
Let's Encrypt Authority X3	2019-09-10	2019-12-09	files.povej.net - 1 entries	duplicate nr. 1

but you use the wrong certificate:

CN=muzika.povej.net
	10.09.2019
	09.12.2019
expires in 84 days	muzika.povej.net - 1 entry

So first step: Create one certificate with both domain names (non-www and www) and use that.

Blisk · September 16, 2019, 10:34am

thank you for detail answer.
ecerything works except www.povej.net
don’t know where is a problem I already renewed certificate but get the same error.

Phil · September 16, 2019, 3:48pm

Hi @Blisk,

Checking the certificate for povej.net shows that it only has a SAN for povej.net when in reality you want the SANs to be www.povej.net and povej.net

$ echo | openssl s_client -connect povej.net:443 -servername povej.net -verify_hostname povej.net 2>/dev/null | openssl x509 -noout -text | grep -oP '(?<=DNS:)[^,]+'
povej.net

Here’s the same test checking for www.povej.net

$  echo | openssl s_client -connect www.povej.net:443 -servername www.povej.net -verify_hostname www.povej.net | grep -i Verification
Verification error: Hostname mismatch

$ echo | openssl s_client -connect www.povej.net:443 -servername www.povej.net -verify_hostname www.povej.net 2>/dev/null | openssl x509 -noout -text | grep -oP '(?<=DNS:)[^,]+'
povej.net

If you used certbot, you could use this example to try issuing for multiple domains.

Blisk · September 17, 2019, 7:47am

Thank you for your help.
I did some more research and found out I have wrong settings in apache, now it works.

system · October 17, 2019, 7:47am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.