Some users have cert issues while others do not


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: arundelnewsnet.com

I ran this command: I have users who are getting a cert issue and others who are not. When I check the report at ssllabs it says there are two certs, one for arundelnewsnet.com and another one for web3.mikesdevhub.com. The latter is the actual hostname of where the virtual host is hosted.

It produced this output:

My web server is (include version): httpd-2.4.6

The operating system my web server runs on is (include version): CentOS Linux release 7.6.1810

My hosting provider, if applicable, is: Linode

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.29.1


#2

This is to be expected.

When the client supports SNI and requests the certificate for a specific domain, they receive that certificate. All modern browsers have supported SNI for quite a few years now.

When the client does not support SNI, it receives the default SSL certificate configured on your server.

That’s what you observe in the SSL Labs test. Totally normal for environments with multiple virtual hosts.

What is the domain that exhibits the issue for some of your users?

What is the actual issue? Can you get a screenshot of the error text?


#3

The domain that is causing us issues is arundelnewsnet.com. I do not have the issue, so please stand by for further information in screenshots.


#4

Until further details arrive…
Perhaps it has something to do with ciphers/protocols.
Have you made any such changes recently?


#5

We did have issues earlier with the certs we revoked them and created new ones.


#6

Then maybe the complaints are stale and related to a problem(s) you already fixed.


#7

I also was thinking that, but I had someone on the team who said "I warned you not to post that we had an SSL cert" and all of this. He is a teenager who thinks his stuff does not stink, so I wanted to share with him: hey, I went to the people who handle LetsEncrypt and their community, and this is what they said. Those people are now no longer reporting a bad cert, so we will see.


#8

Hi @mikebrowntsbod

The reason is simple: your certificate has only one domain name; it doesn’t work with the www version ( https://check-your-website.server-daten.de/?q=arundelnewsnet.com ):

Your 4 standard urls:

Domainname                       IP            Http-Status  redirect                         Sec.   G
http://www.arundelnewsnet.com/   45.33.78.146  301          http://arundelnewsnet.com/       0.720  D
http://arundelnewsnet.com/       45.33.78.146  200                                           0.780  H
https://www.arundelnewsnet.com/  45.33.78.146  301          https://arundelnewsnet.com/      2.500  N  Certificate error: RemoteCertificateNameMismatch
https://arundelnewsnet.com/      45.33.78.146  200                                           2.716  B

Your certificate:

CN=arundelnewsnet.com
	26.01.2019
	26.04.2019
	arundelnewsnet.com - 1 entry

Some users may have visited your domain earlier; now they add www, and a DNS entry is defined.

But the certificate doesn’t have the www name, so the connection isn’t secure.

Create one certificate with two domain names.

Browsers cache redirects http -> https and www -> non-www, so it’s not really possible to check such things with a browser.


#9

Hello @_az

Here is the issue. I think that this was something that I missed.


#10

Hi @JuergenAuer

How can I do that for letsencrypt? It pulls the stuff from the virtualhosts. I just created a cert for www.arundelnewsnet.com this morning. So technically I have two certificates.


#11

But this is again wrong; it has only the www domain name. Now you have

Domainname                       IP            Http-Status  redirect                         Sec.   G
http://arundelnewsnet.com/       45.33.78.146  301          https://arundelnewsnet.com/      0.217  A
http://www.arundelnewsnet.com/   45.33.78.146  301          https://www.arundelnewsnet.com/  0.216  A
https://www.arundelnewsnet.com/  45.33.78.146  301          https://arundelnewsnet.com/      2.513  B
https://arundelnewsnet.com/      45.33.78.146  200                                           2.976  N  Certificate error: RemoteCertificateNameMismatch

so your www is ok, but your non-www is wrong.

And your certificate has only one domain name:

CN=www.arundelnewsnet.com
	26.01.2019
	26.04.2019
	www.arundelnewsnet.com - 1 entry

Looks like you have one vHost, so you must use one certificate. If you use certbot, use something like

certbot yourOtherOptions -d www.arundelnewsnet.com -d arundelnewsnet.com

to create the correct certificate.
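Added example (not from the thread and not certbot's own code): a small Python helper that lists the names a served certificate covers, so you can see why the checker in posts #8 and #11 reports a name mismatch, and whose fetch_cert() compares the certificate served with and without SNI as explained in post #2. The two sample certificates are constructed to mirror the thread's apex-only and apex+www cases; fetch_cert() is the only part that needs network access.

```python
import socket
import ssl

# Constructed sample certificates in the dict layout that ssl's getpeercert()
# returns; the names follow the thread (apex-only cert vs. cert with both).
CERT_APEX_ONLY = {
    "subject": ((("commonName", "arundelnewsnet.com"),),),
    "subjectAltName": (("DNS", "arundelnewsnet.com"),),
}
CERT_BOTH = {
    "subject": ((("commonName", "arundelnewsnet.com"),),),
    "subjectAltName": (("DNS", "arundelnewsnet.com"),
                       ("DNS", "www.arundelnewsnet.com")),
}

def cert_names(cert):
    """DNS names the certificate is valid for: the SAN dNSName entries, or the
    subject CN only as a legacy fallback when the certificate has no SAN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Exact match, or a single left-most wildcard label ('*.example.com'
    covers 'www.example.com' but neither 'example.com' nor 'a.b.example.com')."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        labels = hostname.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return False

def uncovered_hostnames(cert, hostnames):
    """Hostnames the certificate does not cover: each one would produce the
    RemoteCertificateNameMismatch shown in the checker output above."""
    names = cert_names(cert)
    return [h for h in hostnames if not any(name_matches(n, h) for n in names)]

def fetch_cert(host, port=443, use_sni=True):
    """Certificate the server presents for host. With use_sni=False the server
    cannot pick a vhost and answers with its default certificate. Chain
    validation stays on (otherwise getpeercert() returns an empty dict); only
    the hostname check is disabled so a mismatched certificate can be read."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host if use_sni else None) as tls:
            return tls.getpeercert()
```

Running `uncovered_hostnames(fetch_cert("arundelnewsnet.com"), ["arundelnewsnet.com", "www.arundelnewsnet.com"])` against a live host reproduces the checker's verdict; comparing `fetch_cert(host)` with `fetch_cert(host, use_sni=False)` shows the SNI certificate next to the default vhost certificate that SSL Labs lists.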


#12

@jurgenhaas

thank you. When I run the command I get the following:

[root@web3 ~]# certbot -auto -d wwww.arundelnewsnet.com
An unexpected error occurred:
DistributionNotFound: boto3
Please see the logfile ‘/tmp/tmpRdTDU5’ for more details.


#13

I have another name.

There is a space; your command is certbot-auto. And your domain doesn’t have 4 w’s, only three.


#14

@JuergenAuer

[root@web3 ~]# certbot --apache -d arundelnewsnet.com -d www.arundelnewsnet.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/arundelnewsnet.com.conf)

It contains these names: arundelnewsnet.com

You requested these names for the new certificate: arundelnewsnet.com,
www.arundelnewsnet.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: e
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arundelnewsnet.com
http-01 challenge for www.arundelnewsnet.com

Waiting for verification…
Cleaning up challenges
An unexpected error occurred:
Error finalizing order :: Rechecking CAA: While processing CAA for arundelnewsnet.com: DNS problem: SERVFAIL looking up CAA for arundelnewsnet.com, While processing CAA for www.arundelnewsnet.com: DNS problem: SERVFAIL looking up CAA for www.arundelnewsnet.com
Please see the logfiles in /var/log/letsencrypt for more details.


#15

Looks like a temporary error, because unboundtest

https://unboundtest.com/m/CAA/www.arundelnewsnet.com/F256A5IA

doesn’t find an error, same with my tool.

Unboundtest uses the same configuration as Letsencrypt.

Perhaps create a CAA entry if this is possible.


#16

Name =
Tag = issue
Value = letsencrypt.org
TTL = 300

Does that look right? I have not done CAA records before


#17

Yes. (Probably.)

You shouldn’t have to create any CAA records, though. It normally works fine if you don’t. It seems like there was just a transient error.


#18

@mnordhoff and @JuergenAuer

Thank you for your help. Can you please verify one more time for me? I just recreated the certs and everything should be good now.

[root@web3 ~]# certbot --apache -d arundelnewsnet.com -d www.arundelnewsnet.com
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org


You have an existing certificate that contains a portion of the domains you
requested (ref: /etc/letsencrypt/renewal/arundelnewsnet.com.conf)

It contains these names: arundelnewsnet.com

You requested these names for the new certificate: arundelnewsnet.com,
www.arundelnewsnet.com.

Do you want to expand and replace this existing certificate with the new
certificate?


(E)xpand/(C)ancel: E
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for arundelnewsnet.com
http-01 challenge for www.arundelnewsnet.com
Waiting for verification…
Cleaning up challenges
Resetting dropped connection: acme-v02.api.letsencrypt.org
Deploying Certificate to VirtualHost /etc/httpd/sites-available/arundelnewsnet.com-le-ssl.conf
Deploying Certificate to VirtualHost /etc/httpd/sites-available/arundelnewsnet.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you’re confident your site works on HTTPS. You can undo this
change by editing your web server’s configuration.


Select the appropriate number [1-2] then [enter] (press ‘c’ to cancel): 2
Redirecting vhost in /etc/httpd/sites-enabled/arundelnewsnet.com.conf to ssl vhost in /etc/httpd/sites-available/arundelnewsnet.com-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains: https://arundelnewsnet.com and
https://www.arundelnewsnet.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=arundelnewsnet.com
https://www.ssllabs.com/ssltest/analyze.html?d=www.arundelnewsnet.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/arundelnewsnet.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/arundelnewsnet.com/privkey.pem
    Your cert will expire on 2019-04-26. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let’s Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le


#19

Your certificate is now ok.

But you have created the next problem you should fix. Now there are ipv6 addresses (that’s good):

Host                    T     IP-Address                      is auth.  ∑ Queries  ∑ Timeout
arundelnewsnet.com      A     45.33.78.146                    yes       1          0
                        AAAA  2600:3c03::f03c:91ff:fe54:d0c2  yes
www.arundelnewsnet.com  A     45.33.78.146                    yes       1          0
                        AAAA  2600:3c03::f03c:91ff:fe54:d0c2  yes

But your ipv6 isn’t defined:

Domainname                       IP                              Http-Status  redirect                         Sec.    G
http://arundelnewsnet.com/       45.33.78.146                    301          https://arundelnewsnet.com/      0.220   A
http://www.arundelnewsnet.com/   45.33.78.146                    301          https://www.arundelnewsnet.com/  0.213   A
http://arundelnewsnet.com/       2600:3c03::f03c:91ff:fe54:d0c2  -14                                           10.026  T  Timeout - The operation has timed out
http://www.arundelnewsnet.com/   2600:3c03::f03c:91ff:fe54:d0c2  -14                                           10.026  T  Timeout - The operation has timed out
https://www.arundelnewsnet.com/  45.33.78.146                    301          https://arundelnewsnet.com/      2.496   B
https://arundelnewsnet.com/      45.33.78.146                    200                                           3.000   B
https://arundelnewsnet.com/      2600:3c03::f03c:91ff:fe54:d0c2  -14                                           10.026  T  Timeout - The operation has timed out
https://www.arundelnewsnet.com/  2600:3c03::f03c:91ff:fe54:d0c2  -14                                           10.027  T  Timeout - The operation has timed out

There are timeouts. You see, your https connections over ipv4 now have no warnings. Check your vHost and add an ipv6 definition.

PS:

You can use the tool directly - https://check-your-website.server-daten.de/?q=arundelnewsnet.com

Now your certificate has two domain names:

CN=arundelnewsnet.com
	26.01.2019
	26.04.2019
	arundelnewsnet.com, www.arundelnewsnet.com - 2 entries

#20

I have added a definition for ipv6 and have restarted httpd but do I have to create new certs?