SSL_ERROR_BAD_CERT_DOMAIN

The operating system my web server runs on is (include version): DSM 7.2-64570 Update 3
I can login to a root shell on my machine (yes or no, or I don't know): yes

Problem:
Most applications, including PLEX, ... say that the certificate is not reliable or is self-signed, and it is not possible to continue working.
Basically I see the error "SSL_ERROR_BAD_CERT_DOMAIN".
or
"has a security policy called HTTP Forced Secure Connection (HSTS), which means that Firefox can only connect to it through a secure connection. You cannot add an exception to visit this site."
.....

Although I renewed the certificate several times and sent requests for certificate verification to letsencrypt.

I'm trying to understand what the problem is and how it can be solved.
This has never happened before and everything worked fine for several years.

I can open this just fine. SSL Server Test: dzhus.synology.me (Powered by Qualys SSL Labs)

My suspicion is that somebody is messing with your internet connection. (Or NAT hairpinning doesn't work on your LAN; try accessing from mobile data.)


Everything is fine with access to the site, the problem is mainly when working through applications that say that the certificate is not reliable. And they lose access.
I can't open Plex at all. Through the Firefox browser, it says "has a security policy called HTTP Forced Secure Connection (HSTS), which means that Firefox can only connect to it through a secure connection. You cannot add an exception to visit this site" and there is no access.

What certificate does it see when the error is happening?
openssl s_client to there?


What domain name are you using in the apps and Firefox? Because you used to get a wildcard cert that would cover many names but now only two names are in your cert - your dzhus.synology.me and the mail subdomain of that.

You need to use the wildcard cert if you will be using other subdomain names.

https://tools.letsdebug.net/cert-search?m=domain&q=dzhus.synology.me&d=2160


Everything seems to be fine here, thank you.


Seems to have fixed all the problems.
The only problem left is with Plex, when I launch from my domain, all browsers write SSL_ERROR_BAD_CERT_DOMAIN

has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only go there using a secure connection. You cannot add an exception to visit this site.
Subdomains don't help.

Ports are open.
Any ideas what can be done?

You need to review your Plex config then, because it is not using the Let's Encrypt cert. You could try the Synology forum.

See the Plex cert with a site like this.

If you don't want to use HSTS you can turn it off. That's totally up to you. It is not part of the cert and it is not part of DNS. It is set in the response headers for HTTPS requests.
I don't know how you configure Synology for that but in nginx you set response headers in the server block for the HTTPS port(s). After disabling it you would need to empty the HSTS cache in any browser.

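Two points in this thread can be checked concretely: the name mismatch behind SSL_ERROR_BAD_CERT_DOMAIN (a cert listing only dzhus.synology.me and its mail subdomain cannot cover any other subdomain, while a wildcard can cover exactly one extra label), and the HSTS response header whose max-age is what the browser keeps cached, which is why disabling HSTS alone did not help until the cache was cleared. This is an added example, not code from the thread; the SAN lists, the `plex.` subdomain and the header values are constructed.

```python
from typing import Dict, Iterable, Optional


def hostname_matches(hostname: str, sans: Iterable[str]) -> bool:
    """True if hostname is covered by one of the dNSName SANs.

    Follows the usual browser rule (RFC 6125): a wildcard is only valid as the
    whole leftmost label and covers exactly one label, so *.example.com covers
    a.example.com but neither example.com nor a.b.example.com.
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for san in sans:
        san_labels = san.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels):
            continue
        if san_labels[0] == "*":
            # Refuse wildcards on a bare TLD (e.g. *.me) and compare the rest.
            if len(san_labels) >= 3 and san_labels[1:] == host_labels[1:]:
                return True
        elif san_labels == host_labels:
            return True
    return False


def parse_hsts(headers: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return the HSTS policy found in HTTP response headers, or None."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return None
    policy: Dict[str, object] = {"max_age": 0, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and arg.strip().isdigit():
            policy["max_age"] = int(arg.strip())
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy


if __name__ == "__main__":
    # Constructed SAN lists: the old wildcard cert vs. the newer two-name cert.
    old_cert = ["dzhus.synology.me", "*.dzhus.synology.me"]
    new_cert = ["dzhus.synology.me", "mail.dzhus.synology.me"]
    app_host = "plex.dzhus.synology.me"  # hypothetical subdomain used by an app
    print(app_host, "covered by old cert:", hostname_matches(app_host, old_cert))
    print(app_host, "covered by new cert:", hostname_matches(app_host, new_cert))
    # Constructed header as nginx would send it from the HTTPS server block.
    print(parse_hsts({"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}))
```

A `False` result for the app's hostname is exactly what the browser reports as SSL_ERROR_BAD_CERT_DOMAIN, and a cached policy with a large max-age is what keeps Firefox refusing an exception after the header is removed.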

Thank you very much, everything worked. I turned it on before but didn't clear the cache. I cleared the cache and everything worked. Thank you.

