I have set up SSL certificates for three subdomains of my domain. Initially, everything was working well, and the certificates were valid on both desktop and mobile devices. However, I recently started encountering SSL certificate errors on my PC browser, whereas they are working correctly on my mobile.
Status: Working as expected on both PC and mobile.
The operating system my web server runs on is: Ubuntu 18.04
My hosting provider, if applicable, is: Linode
I can log in to a root shell on my machine:
The version of my client is certbot 2.6.0
I would appreciate any guidance or suggestions to identify and resolve the SSL certificate issue on my PC browser for the subdomains "robert.salazarysalazar.com" and "avanza.salazarysalazar.com." Additionally, if there are any other potential causes I might have missed, please let me know.
This one is missing an intermediate chain. Your server looks like nginx, so maybe you used cert.pem instead of fullchain.pem for your ssl_certificate.
See:
For domain #2, I don't see any problem using above SSL Checker. Can you show more details of the error you see?
You should restart that server. I think your Apache has a stuck worker process serving an older cert. Or, at least an invalid one.
Every other request uses a different cert. Use that same SSL Checker as above and just issue consecutive requests. You should sometimes see the error below and other times it is fine.
Thank you for your prompt response. Following @MikeMcQ's feedback, I initiated an investigation into the issues related to our SSL certificates using the SSL Checker tool.
Interestingly, after conducting the investigation, I noticed that all functionalities have been restored without making any significant changes. This indicates that the problems we experienced might have been caused by an intermittent issue or the caching of certificates.
As for @rg305's answer, all 3 have the same A/AAAA Record configuration
You might have a firewall that runs Apache server for that domain before it reaches that nginx. Or, you have some kind of routing problem between your containers or something like that.
In any case, it is an Apache server sending the long-expired wildcard cert.
They may have just fixed it. Did you check the authoritatives?
nslookup sigi.salazarysalazar.com ns1.linode.com
Address: 45.33.24.38
Address: 2600:3c00::f03c:91ff:fe02:2c1a
(my resolver does not even show the AAAA)
nslookup sigi.salazarysalazar.com
Address: 66.96.162.140
Yes, I was using my default [DNS service] for that output [at the wheel].
Which uses a DNS cleaning service...
Which must have heard a very long TTL [yesterday]; as it still has time left on that clock:
However, despite the absence of SSL certificate errors, the webpage for "sigi.salazarysalazar.com" is displaying an error.
And for some reason the Domain points to *.salazarysalazar.com
It's worth noting that the SSL certificate configuration appears to be correct for the other subdomains, as they point correctly to their respective destinations.
I also see something very unusual with your sigi.salazarysalazar.com domain
Sometimes HTTPS requests see your nginx server and work fine. But, other times an Apache/2 server replies with the expired wildcard cert you show.
I still believe that Apache response is some sort of firewall. From my own test server I was sometimes seeing the correct nginx response but sometime later the wrong Apache response.
I only saw the wrong response with IPv4 address. Your IPv6 seemed fine but I did not test it as thoroughly. You should check your hosting settings for any such firewall. Or, even ask Linode why Apache is intercepting some requests for your domain.
From just a few minutes ago
(IPv6 is correct)
echo | openssl s_client -6 -connect sigi.salazarysalazar.com:443 | head
---
Certificate chain
0 s:CN = sigi.salazarysalazar.com
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Jul 29 16:58:18 2023 GMT; NotAfter: Oct 27 16:58:17 2023 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
IPv4 (-4) fails occasionally
Oddly, SSL Labs showed it working fine just before this
And, it worked fine from this same test server maybe 10 minutes earlier
echo | openssl s_client -4 -connect sigi.salazarysalazar.com:443 | head
depth=0 CN = *.salazarysalazar.com
verify error:num=10:certificate has expired
notAfter=Sep 17 16:49:03 2019 GMT
verify return:1
---
Certificate chain
0 s:CN = *.salazarysalazar.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 19 16:49:03 2019 GMT; NotAfter: Sep 17 16:49:03 2019 GMT
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
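An added example, not code posted in this thread: a small POSIX shell script that turns the manual `openssl s_client -4` / `-6` checks above into a repeatable probe. It reads s_client output, classifies what was served (expired leaf as openssl's own verify reports it, a leaf whose CN does not cover the requested name, a chain with only the leaf as you get from cert.pem instead of fullchain.pem, or a complete chain), and then runs that classification N times per address family and tallies the verdicts, so an intermittently wrong responder shows up as a mix rather than a lucky single pass. The verdict words, the function names and the `probe` loop are my choices; the sample captures are constructed, modelled on the two s_client outputs shown above; the name check looks only at the subject CN that the s_client summary prints, not at SANs, which is a simplification.

```shell
#!/bin/sh
# Added example (not from the thread): classify what a TLS endpoint served from
# `openssl s_client` output, then probe it repeatedly over IPv4 and IPv6 so an
# intermittently wrong responder (an Apache handing out a 2019 wildcard cert)
# appears as a mix of verdicts instead of a single lucky pass.

# name_matches CN EXPECTED: exact match, or a one-label wildcard match
# (*.example.com covers sigi.example.com but not a.b.example.com).
name_matches() {
    case $1 in
        "$2") return 0 ;;
        \*.*) [ "${2#*.}" != "$2" ] && [ "${1#\*.}" = "${2#*.}" ] ;;
        *) return 1 ;;
    esac
}

# classify_chain EXPECTED: reads `echo | openssl s_client ... 2>&1` on stdin and
# prints one verdict line. Always exits 0 so a probe loop can tally the output.
classify_chain() {
    expected=$1
    out=$(cat)
    # Chain entries are the " 0 s:", " 1 s:" ... lines of the Certificate chain block.
    depth=$(printf '%s\n' "$out" | grep -c '^ *[0-9][0-9]* s:' || true)
    leaf_cn=$(printf '%s\n' "$out" | sed -n 's/^ *0 s:.*CN *= *\([^,]*\).*/\1/p' | head -n 1)
    leaf_issuer=$(printf '%s\n' "$out" | sed -n 's/^ *i:.*CN *= *\([^,]*\).*/\1/p' | head -n 1)

    if [ "$depth" -eq 0 ]; then
        echo "CONNECT_FAILED"                                  # no Certificate chain block at all
    elif printf '%s\n' "$out" | grep -q 'verify error:num=10:'; then
        not_after=$(printf '%s\n' "$out" | sed -n 's/^notAfter=//p' | head -n 1)
        echo "EXPIRED $leaf_cn notAfter=$not_after"            # openssl's own verify result
    elif ! name_matches "$leaf_cn" "$expected"; then
        echo "NAME_MISMATCH $leaf_cn"                          # some other vhost or server answered
    elif [ "$depth" -eq 1 ]; then
        echo "NO_INTERMEDIATE $leaf_cn issuer=$leaf_issuer"    # cert.pem served, not fullchain.pem
    else
        echo "OK $leaf_cn issuer=$leaf_issuer"
    fi
    return 0
}

# probe HOST [N]: N connections over IPv4, then N over IPv6, tallied per verdict.
# This is the live network part; SNI is sent explicitly so the server picks the
# same vhost a browser would get.
probe() {
    host=$1
    n=${2:-10}
    for fam in 4 6; do
        i=0
        while [ "$i" -lt "$n" ]; do
            echo | openssl s_client -"$fam" -connect "$host:443" -servername "$host" 2>&1 \
                | classify_chain "$host"
            i=$((i + 1))
        done | sort | uniq -c | sed "s/^/ipv$fam:/"
    done
}

# Constructed samples modelled on the thread's two captures (not live output).
sample_good() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = sigi.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = R3
   v:NotBefore: Jul 29 16:58:18 2023 GMT; NotAfter: Oct 27 16:58:17 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}
sample_expired() {
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = *.salazarysalazar.com
verify error:num=10:certificate has expired
notAfter=Sep 17 16:49:03 2019 GMT
---
Certificate chain
 0 s:CN = *.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}
sample_leaf_only() {   # constructed: what a server configured with cert.pem alone sends
cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = sigi.salazarysalazar.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = sigi.salazarysalazar.com
   i:C = US, O = Let's Encrypt, CN = R3
---
EOF
}

# Usage: sh probe.sh sigi.salazarysalazar.com 10
if [ "$#" -gt 0 ]; then
    probe "$@"
fi
```

Run it as `sh probe.sh sigi.salazarysalazar.com 20` and compare the two tallies; a clean IPv6 tally next to an IPv4 tally that mixes `OK` with `EXPIRED *.salazarysalazar.com` is the pattern described in the thread, and points at whatever sits in front of nginx on the v4 path rather than at the certificate files themselves. A single `NO_INTERMEDIATE` verdict on every attempt instead points at the ssl_certificate line in nginx.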