SSL certificate shows warning SSL_ERROR_BAD_CERT_DOMAIN on some browsers and works on others after renewal

Hello, my SSL certificate appears to be invalid on some systems, and it is asking the user to accept the risk or go back.

Note:
the date is correct and the browser is the latest version

My domain is: https://breastcancerpayments.com/

I ran this command:

  1. sudo systemctl status certbot.timer - to confirm my auto renewal is working perfectly fine, and the output was correct

  2. sudo certbot renew --dry-run - to simulate the auto renewal, and the test went well

  3. sudo certbot --apache - to manually renew the SSL cert, and it was successfully expanded

But the problem still persists on those systems.

My web server is (include version): Ubuntu 18.04.2 LTS

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): I SSH using PuTTY

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.31.0

2 Likes

Hi @PeterChijioke11 and welcome to the LE community forum :)

Does your renewal process include a restart, or reload, of the Apache service?

2 Likes

Yes, I have also done that manually.

2 Likes

Please show the output of:
certbot certificates

[I suspect you will find overlapping certs]

3 Likes

Yes, what @rg305 says, but also did you try just restarting Firefox? Sometimes browsers cache prior cert chains. Based on your statement that you "expanded" the cert, maybe you did not have the www name in your prior cert?

Right now your server is sending a cert with both apex and www names in the same cert for either domain name in the request, so all seems fine.

3 Likes

@rg305

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
Certificate Name: breastcancerpayments.com
Domains: breastcancerpayments.com www.breastcancerpayments.com
Expiry Date: 2022-03-24 12:43:36+00:00 (VALID: 89 days)
Certificate Path: /etc/letsencrypt/live/breastcancerpayments.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/breastcancerpayments.com/privkey.pem

2 Likes

The problem appears to occur only on some systems, so some site visitors might not experience this, which makes it kind of hard to debug.

2 Likes

Yes, it does make it harder. Can you be more specific about which oper sys and browsers you see the error on? Also the version numbers of each. Do they show the same error that you show in your sample? Your sample screen was for Firefox (as best I could tell).

The error message you show indicates you requested the www.breastcancerpayments.com site in the URL but the cert was only for breastcancerpayments.com. As I noted, right now your site sends a cert with both names for requests to either domain name.

You can see this yourself using a site like this - try both names:
https://decoder.link/sslchecker/www.breastcancerpayments.com/443
(look at SANs item)

3 Likes

Let me get the system and browser version details from my client.

2 Likes

And the exact error message, please.

3 Likes

For the exact error message, here is a screenshot.

2 Likes

Ok, that's different from the one you showed earlier. We need to know the oper sys and browser version numbers to be more specific with advice. Thanks.

3 Likes

Please let your client check the date and time of their computer, as the certificate is perfectly valid.

4 Likes

Note: that's the screenshot from before I did a manual renew to see if the issue would be resolved.

As for the system and browser data:
Chrome: 96.0.4664.110

Windows: Server 2008 R2

2 Likes

Yes, it is working perfectly fine on all my browsers, but the client is still experiencing the same issue.

2 Likes

Did your client already check their computer's date setting?

3 Likes

Oh, a Windows Server 2008 client? It is probably objecting to the DST Root CA X3 in the "long chain" your server is using. Starting Oct 1 of this year, Let's Encrypt now has two chains, a long and a short, as the DST Root expired on Sept 30. This is probably the cause of the expired message from the Windows Server.

Can that client access https://letsencrypt.org? It uses the same cert chain as your site, so it should fail with the same error. If so, it confirms this as the problem.

Windows Server is funny about certs sometimes. There are some options, but let's confirm this first.

3 Likes
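To make the two failure modes discussed in this thread concrete, here is an added Python model (not code from the forum, Certbot or Let's Encrypt) of how a client validates a served chain: the leaf's SAN list is checked against the requested name (the www-versus-apex case behind SSL_ERROR_BAD_CERT_DOMAIN), then issuer links are followed until a trusted root is reached, so a client that already trusts ISRG Root X1 never looks at the expired DST Root CA X3. The certificate records, their dates and the legacy trust store that lacks ISRG Root X1 are constructed assumptions modelled on the Let's Encrypt chain, not parsed from real certificates.

```python
from collections import namedtuple
from datetime import datetime

# sans: dNSName entries of a leaf certificate; empty for CA certificates
Cert = namedtuple("Cert", "subject issuer not_after sans", defaults=((),))

def hostname_matches(hostname, cert):
    # RFC 6125-style: exact SAN match, or a '*.' wildcard covering exactly one leftmost label
    host = hostname.lower().rstrip(".")
    return any(san == host or (san.startswith("*.") and host.count(".") == san.count(".")
                               and host.endswith(san[1:]))
               for san in (s.lower() for s in cert.sans))

def build_path(leaf, served, anchors, now):
    # Follow issuer links from the leaf through the served certs and stop at the first
    # trust anchor. Returns (ok, reason, subjects on the path tried).
    path, cur = [leaf], leaf
    for _ in range(len(served) + 1):
        if now > cur.not_after:
            return False, f"expired: {cur.subject}", [c.subject for c in path]
        if cur.issuer in anchors:                      # trusted root reached: stop here
            path.append(anchors[cur.issuer])
            if now > path[-1].not_after:
                return False, f"expired: {path[-1].subject}", [c.subject for c in path]
            return True, "ok", [c.subject for c in path]
        cur = next((c for c in served if c.subject == cur.issuer), None)
        if cur is None:
            return False, f"unknown issuer: {path[-1].issuer}", [c.subject for c in path]
        path.append(cur)
    return False, "no path", [c.subject for c in path]

def verify(hostname, served, anchors, now):
    # Name check on the leaf first (Firefox's SSL_ERROR_BAD_CERT_DOMAIN), then the chain.
    if not hostname_matches(hostname, served[0]):
        return False, "SSL_ERROR_BAD_CERT_DOMAIN"
    return build_path(served[0], served, anchors, now)[:2]

# Constructed records modelled on the Let's Encrypt chain; dates approximate, not parsed from real certs.
NOW = datetime(2021, 12, 27)                              # constructed "today", after DST Root CA X3 expired
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3", datetime(2021, 9, 30))
ISRG_X1 = Cert("ISRG Root X1", "ISRG Root X1", datetime(2035, 6, 4))
ISRG_X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3", datetime(2024, 9, 30))
R3 = Cert("R3", "ISRG Root X1", datetime(2025, 9, 15))
LEAF = Cert("breastcancerpayments.com", "R3", datetime(2022, 3, 24),
            ("breastcancerpayments.com", "www.breastcancerpayments.com"))
OLD_LEAF = Cert("breastcancerpayments.com", "R3", LEAF.not_after, ("breastcancerpayments.com",))
LONG_CHAIN = [LEAF, R3, ISRG_X1_CROSS]                    # default chain the server sends
MODERN_STORE = {c.subject: c for c in (ISRG_X1, DST_X3)}  # current browsers trust ISRG Root X1 directly
LEGACY_STORE = {DST_X3.subject: DST_X3}                   # assumed old Windows store: only DST Root CA X3
```

Running `verify("www.breastcancerpayments.com", LONG_CHAIN, store, NOW)` with each store shows the same served chain passing for the modern store and failing with "expired: DST Root CA X3" for the legacy one, while the short chain `[LEAF, R3]` fails on that legacy store with an unknown issuer instead.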

Okay, I will give you feedback shortly.

2 Likes

Why would Windows say the end leaf certificate is invalid? That doesn't make any sense if it's a chain issue. The error should make that clear.

4 Likes

No, it doesn't. But I am pretty sure we have seen browsers show just the leaf in the Details page even for chain problem errors shown more prominently in the browser window.

The message on this detail page makes no sense for the leaf. Their clock would have to be off by days for the cert to be "not yet valid", and it certainly is not expired. We will know more soon as we gather more info.

2 Likes