Ssl_error_bad_cert_domain on IE and FFox (Chrome works fine)


#1

Hello everyone

I was surprised how easy it is to configure certbot :slight_smile: but for some reason Firefox and Edge reject my certificate, while it works perfectly with Chrome.

(I already enabled SSLv2 in ssl.conf but still the same problem)

Edge 11.0.9600.18537
FFox 50.1.0
debian 8.5
apache 2.4.10

domain name : https://www.edenred-qa.be/

<IfModule mod_ssl.c>

	<VirtualHost edenred-qa.be:443>
		ServerName edenred-qa.be

		ServerAdmin **********************

		DocumentRoot /var/www/html/****************

		ErrorLog ${APACHE_LOG_DIR}/error.log
		CustomLog ${APACHE_LOG_DIR}/access.log combined

		SSLEngine on

		SSLCertificateFile	/etc/letsencrypt/live/edenred-qa.be/fullchain.pem
		SSLCertificateKeyFile	/etc/letsencrypt/live/edenred-qa.be/privkey.pem

		<FilesMatch "\.(cgi|shtml|phtml|php)$">
			SSLOptions +StdEnvVars
		</FilesMatch>
		<Directory /usr/lib/cgi-bin>
			SSLOptions +StdEnvVars
		</Directory>

		BrowserMatch "MSIE [2-6]" \
			nokeepalive ssl-unclean-shutdown \
			downgrade-1.0 force-response-1.0
		# MSIE 7 and newer should be able to use keepalive
		BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

	</VirtualHost>

</IfModule>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

please help :frowning:

thanks


#2

It looks as if you only obtained a certificate for edenred-qa.be (and not for both edenred-qa.be and www.edenred-qa.be). Since the name www.edenred-qa.be does not match edenred-qa.be, it is rejected by the browser.

The solution would be to generate a certificate for both domain names.
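
Added example, not part of the original thread: a Python check of the mismatch described in post #2, listing which hostnames served by a vhost are not covered by the certificate's subjectAltName entries. The SAN list and the vhost fragment are constructed samples, and the function names are hypothetical; the wildcard rule (one left-most label only) goes beyond the exact-name case in the thread.

```python
import re

# Constructed sample: SAN dNSName entries of a certificate issued
# only for the bare domain (not read from the live site).
CERT_SANS = ["edenred-qa.be"]

# Constructed vhost fragment that serves both names.
VHOST = """
<VirtualHost *:443>
    ServerName edenred-qa.be
    ServerAlias www.edenred-qa.be
</VirtualHost>
"""

def vhost_names(conf):
    """Return the hostnames listed in ServerName and ServerAlias directives."""
    names = []
    for line in conf.splitlines():
        m = re.match(r"\s*Server(?:Name|Alias)\s+(.+)", line, re.IGNORECASE)
        if m:
            names.extend(m.group(1).split())
    return [n.lower().rstrip(".") for n in names]

def san_matches(san, host):
    """Case-insensitive match; '*' may only stand for the whole left-most label."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if san == host:
        return True
    if san.startswith("*."):
        # '*.example.org' covers 'www.example.org', but neither
        # 'example.org' nor 'a.b.example.org'.
        head, _, rest = host.partition(".")
        return bool(head) and rest == san[2:]
    return False

def uncovered(hosts, sans):
    """Hostnames for which a browser would report a certificate name mismatch."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]

if __name__ == "__main__":
    hosts = vhost_names(VHOST)
    print("served:", hosts)
    print("not covered by certificate:", uncovered(hosts, CERT_SANS))
```
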


#3

If you’re curious why it’s working in Chrome: Chrome automatically switches to the non-www version of a domain when you visit a site via HTTPS and the site serves a certificate that’s only valid for the domain itself, but not the “www” subdomain. Other browsers don’t do this.


#4

Wow, that’s right, it works if I remove www.


#5

So I create a server alias and relaunch certbot?

[edit : yess !!! it works]

thx everyone

I thought the domain name was edenred-qa.be for both

