SSL certificate not working on Safari

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: summercampstudios.ca

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Connections to summercampstudios.ca fail because your server sends out a cert that has only the www.summercampstudios.ca domain name in it.

You have a cert for both your www subdomain and your registered name. But, you use the cert for www for connections to either name.

You need to get a new cert with both names in it. Or, reconfigure your server to use the correct cert for each name.

https://www.ssllabs.com/ssltest/analyze.html?d=summercampstudios.ca&hideResults=on


Thank you so much for your response. I have tried fixing the issue, but the SSL server test still shows a mismatch.

I ran this code: sudo certbot --nginx -d summercampstudios.ca -d www.summercampstudios.ca

got this response: You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.

(ref: /etc/letsencrypt/renewal/summercampstudios.ca.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate

2: Renew & replace the certificate (may be subject to CA rate limits)


which suggests I have one cert for both domain and subdomain, yet it still doesn't work for Safari.

also here is my nginx config for further context:

Not sure that's a fair conclusion. Unless you chose option #2 - Renew and Replace

What does this show

sudo certbot certificates

Found the following certs:
Certificate Name: summercampstudios.ca
Serial Number: 3137cdaa296fc6ffede9e5d785eede43f21
Key Type: ECDSA
Domains: summercampstudios.ca www.summercampstudios.ca
Expiry Date: 2024-11-05 18:35:23+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/summercampstudios.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/summercampstudios.ca/privkey.pem
Certificate Name: www.summercampstudios.ca
Serial Number: 36d67a73cde9e2bf2871ebcb3ce8ab3c9d7
Key Type: ECDSA
Domains: www.summercampstudios.ca
Expiry Date: 2024-11-05 13:34:15+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/www.summercampstudios.ca/fullchain.pem
Private Key Path: /etc/letsencrypt/live/www.summercampstudios.ca/privkey.pem

I assume from this that they are still two separate certs, and they need to be combined still.

No, the first cert looks good. It has both names on the "Domains" line which means the cert is good for both. And, that is the filename used in nginx

The second cert is probably not used anymore but before we delete that we should be sure nginx is using the right one.

Right now I cannot connect to your domain using any tool. Are you restarting it or something?


All looks good now. Your server uses that cert with both names for requests to either name.

Unless you need it for some other reason you can delete the 'www' cert like:

sudo certbot delete --cert-name www.summercampstudios.ca

That way you won't be trying to renew it "forever"

A reminder that if you gave your email address when setting up your ACME Account with Certbot that you will get an email in 70 days informing you that the 'www' cert was not renewed. That is normal.

If you get an email that shows both domain names and warns of expiration - that is not :slight_smile:
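The check discussed in the replies above (is nginx using a certificate that covers every name in `server_name`, and which lineage is safe to delete) can be scripted. This is an added example, not code from the thread: the function names are hypothetical, and the sample inputs are constructed from the `certbot certificates` output posted above plus a server block that reproduces the original fault.

```python
import re

# Constructed sample: trimmed `certbot certificates` output as posted in the thread.
CERTBOT_OUTPUT = """\
Certificate Name: summercampstudios.ca
Domains: summercampstudios.ca www.summercampstudios.ca
Certificate Path: /etc/letsencrypt/live/summercampstudios.ca/fullchain.pem
Certificate Name: www.summercampstudios.ca
Domains: www.summercampstudios.ca
Certificate Path: /etc/letsencrypt/live/www.summercampstudios.ca/fullchain.pem
"""
# Constructed server block reproducing the original fault: the www-only
# certificate is configured for both names.
BAD_CONF = """\
server {
    server_name summercampstudios.ca www.summercampstudios.ca;
    ssl_certificate /etc/letsencrypt/live/www.summercampstudios.ca/fullchain.pem;
    location / { root /var/www/html; }
}
"""
GOOD_CONF = BAD_CONF.replace("live/www.", "live/")

def parse_certbot(text):
    """Map each Certificate Path to the set of names on its Domains line."""
    certs, domains = {}, set()
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "Domains":
            domains = set(value.split())
        elif key == "Certificate Path":
            certs[value] = domains
    return certs

def uncovered_names(conf, certs):
    """List (name, cert_path) pairs where the configured cert lacks that name."""
    problems = []
    # Assumes each top-level server block closes with '}' in column 0.
    for block in re.findall(r"^server\s*\{(.*?)^\}", conf, re.S | re.M):
        names = re.search(r"^\s*server_name\s+([^;]+);", block, re.M)
        cert = re.search(r"^\s*ssl_certificate\s+([^;]+);", block, re.M)
        if names and cert:  # port-80 redirect blocks have no cert to compare
            path = cert.group(1).strip()
            problems += [(n, path) for n in names.group(1).split()
                         if n not in certs.get(path, set())]
    return problems

def redundant_lineages(certs):
    """Cert paths whose names are a strict subset of another lineage's names."""
    return [p for p, d in certs.items() if any(d < o for o in certs.values())]
```

On a real host, feed it the output of `sudo certbot certificates` and the contents of the enabled site file; a lineage reported as redundant should only be deleted once `uncovered_names` returns an empty list for every enabled site.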


Hello, I am not sure what I have done now. In an attempt to frantically resolve my issue, I might have messed something up. Now when I go to my domain name online, I see the nginx welcome info instead of my site.

When I type this command: cat /etc/nginx/sites-enabled/summercampstudios

I get this:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name summercampstudios.ca www.summercampstudios.ca;

    ssl_certificate /etc/letsencrypt/live/summercampstudios.ca/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/summercampstudios.ca/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/summercampstudios.ca/chain.pem;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA256:!aNULL:!MD5:!DSS';
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1h;
    ssl_session_tickets off;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options DENY;
    add_header X-XSS-Protection "1; mode=block";

    location / {
        root /var/www/html;
        index index.html index.htm index.nginx-debian.html;
    }
}

server {
    listen 80;
    listen [::]:80;
    server_name summercampstudios.ca www.summercampstudios.ca;
    return 301 https://$host$request_uri;
}

and when I type this:
ls -l /etc/nginx/sites-enabled/

I get this response:

total 4

-rw-r--r-- 1 root root 356 Aug 5 19:29 nextjs.conf
lrwxrwxrwx 1 root root 44 Aug 7 21:07 summercampstudios -> /etc/nginx/sites-available/summercampstudios

I can provide further information if you require. I am really not sure where my error is.

Your most recent server block looks the same as in your post #3

If the site is showing the wrong page make sure the files in /var/www/html are as you expect. That is where the "home" page comes from. Check for an index.html file. That is the first default home page.


Thank you so much for your assistance, Mike. Everything works perfectly and the initial issue with Safari is resolved. Thanks once again and have a good day.
