SSL Certificate doesn't work sometimes


#1

Hi there,

Our monitoring service reports problems with a Let’s Encrypt certificate daily. It reports the following error and after a few minutes reports that everything is fine again:

##################################################

The following monitor failed on one or more recent checks.

Error: 3019 - HTTPS certificate could not be validated
Monitor: http://www.diakonie-ruhr-hellweg.de
URL: https://www.diakonie-ruhr-hellweg.de
Start of error: 18.02.2019 12:22 (View error: https://app.uptrends.com/Report/ProbeLog/Check/33303558500)
Consecutive errors: 3
Last checked: 18.02.2019 12:42
Last checkpoint: New York, NY, USA

Warnung

This is an automated message from Uptrends. Do not reply to this e-mail.

##############################################################

When the error doesn’t occur, the cert works just fine. Can anyone help us with this?

Greetings from Germany

Fabio Stegmeyer


Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://www.diakonie-ruhr-hellweg.de

I ran this command:

It produced this output:

My web server is (include version): Apache 2.2.22

The operating system my web server runs on is (include version): Debian 3.2.88

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#2

Hi @fstegmeyer

there are different errors.

SSL Labs reports an incomplete certificate chain.

https://www.ssllabs.com/ssltest/analyze.html?d=www.diakonie-ruhr-hellweg.de&hideResults=on&latest

Extra download 	Let's Encrypt Authority X3
Fingerprint SHA256: 25847d668eb4f04fdd40b12b6b0740c567da7d024308eb6c2c96fe41d9de218d
Pin SHA256: YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=
RSA 2048 bits (e 65537) / SHA256withRSA 

That may be the problem Uptrends reports. And you have SSL3 active; you should disable SSL3.

My own tool shows ( https://check-your-website.server-daten.de/?q=diakonie-ruhr-hellweg.de ) that your non-www connection isn’t secure. So you should create one certificate with both domain names (www + non-www) and use that. Now your certificate has only the www version.

CN=www.diakonie-ruhr-hellweg.de
	07.02.2019
	08.05.2019
expires in 78 days	www.diakonie-ruhr-hellweg.de - 1 entry

#3

The included report link (“https://app.uptrends.com/Report/ProbeLog/Check/33303558500”) requires a login, so we may be missing some important details about the detected failure.
If you can download that report and repost it here (or post an alternate working link to it), we may be able to better assist with a correction.


#4

The Error Code is this:

3019 - HTTPS Zertifikat kann nicht bestätigt werden
The remote certificate seems invalid. The certificate’s hostname is www.diakonie-ruhr-hellweg.de.

Not much more information available in the report…


#5

There are chain issues [and other unrelated issues].
See: https://www.ssllabs.com/ssltest/analyze.html?d=www.diakonie-ruhr-hellweg.de

You are probably using the cert.pem file and should be using the fullchain.pem file instead.
[the cert file is only the cert while the fullchain file is the cert plus the intermediate chain]
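
A quick way to confirm the chain problem discussed in posts #2 and #5, as an added example that is not part of the original thread: count the certificates in the PEM file the web server is pointed at, and the certificates the server actually sends in the handshake. The function names and the `--host` switch are hypothetical, the `openssl` CLI is assumed to be installed, and the script only counts certificates; it does not verify that each one is signed by the next.

```shell
#!/bin/sh
# Added example: detect a leaf-only certificate file or served chain.
# Function names and the --host switch are hypothetical, not from the thread.

# Count PEM certificate blocks read from stdin (prints 0 if there are none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Classify a PEM file: prints "empty", "leaf-only" or "chain".
# A Let's Encrypt cert.pem holds one certificate; fullchain.pem holds the
# leaf plus at least one intermediate.
classify_pem() {
    n=$(count_certs < "$1")
    case "$n" in
        0) echo "empty" ;;
        1) echo "leaf-only" ;;
        *) echo "chain" ;;
    esac
}

# Count the certificates the server sends during the TLS handshake.
# Needs network access. -showcerts prints every certificate the server
# sent, not only the leaf; -servername sets SNI for name-based vhosts.
served_cert_count() {
    host=$1
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null | count_certs
}

# Report for a host: "incomplete" when only the leaf (or nothing) is served.
check_host() {
    sent=$(served_cert_count "$1")
    if [ "$sent" -ge 2 ]; then
        echo "$1: chain served ($sent certificates)"
    else
        echo "$1: incomplete ($sent certificate(s) served)"
    fi
}

# Command-line use:  sh chaincheck.sh /path/to/file.pem
#                    sh chaincheck.sh --host www.example.com
case "${1:-}" in
    "")     ;;                          # no arguments: only define functions
    --host) check_host "$2" ;;
    *)      echo "$1: $(classify_pem "$1")" ;;
esac
```

On Apache older than 2.4.8, such as the 2.2.22 reported in post #1, intermediates are not read from the `SSLCertificateFile`; they are supplied through the separate `SSLCertificateChainFile` directive.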

