SSL Error hostname doesn't match error in LinkChecker


#1

My domain is:
austinpartners.org

I ran LinkChecker (v 9.3). Under URL Properties I see the following result:
Error: SSLError: hostname ‘austinpartners.org’ doesn’t match either of ‘*.websitehostserver.net’, ‘websitehostserver.net

My web server is (include version):
cpsrvd 11.68.0.28

The operating system my web server runs on is (include version):
|Apache Version|2.4.29|
|PHP Version|7.0.27|
|MySQL Version|10.0.34-MariaDB|
|Architecture|x86_64|
|Operating System|linux|

My hosting provider, if applicable, is:
greengeeks.com

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Yes, but I also have FileZilla for access.

How can I fix?


#2

Hi @encryptnip,

This error is caused by your LinkChecker software not supporting Server Name Indication (SNI). Your webhost is only returning the correct Let’s Encrypt certificate that covers austinpartners.org when the client sends an SNI value for austinpartners.org. Web browsers do this by default so the website works without error. Your LinkChecker does not, so it gets the wrong certificate back and causes an error.

You can see this with openssl on the command line. Here’s the result sending no SNI header:

$> openssl s_client -connect austinpartners.org:443 -verify_hostname austinpartners.org </dev/null
CONNECTED(00000003)
depth=0 OU = Domain Control Validated, CN = *.websitehostserver.net
verify error:num=62:Hostname mismatch
verify return:1
depth=2 C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = AlphaSSL CA - SHA256 - G2
verify return:1
depth=0 OU = Domain Control Validated, CN = *.websitehostserver.net
verify return:1
---
Certificate chain
 0 s:/OU=Domain Control Validated/CN=*.websitehostserver.net
   i:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
 1 s:/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
   i:/C=BE/O=GlobalSign nv-sa/OU=Root CA/CN=GlobalSign Root CA
---
Server certificate
subject=/OU=Domain Control Validated/CN=*.websitehostserver.net
issuer=/C=BE/O=GlobalSign nv-sa/CN=AlphaSSL CA - SHA256 - G2
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3066 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 2D634B016E4D2D7DAF1DD938AAF6C6126F8371E934110E2787AC4E8112D315D5
    Session-ID-ctx: 
    Master-Key: 8C3CF855C6215AC9017F936B439B4F8307EF8E9DF51926B65855B2B1F0C05E67C2E6C8D23EA351B5DD0CC63A14032483
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1519419122
    Timeout   : 300 (sec)
    Verify return code: 62 (Hostname mismatch)
---
DONE

You can see in the above output that the certificate the webserver gives to s_client isn’t your Let’s Encrypt certificate.

Here’s the result if you configure s_client to send the right SNI value:

$> openssl s_client -connect austinpartners.org:443 -verify_hostname austinpartners.org -servername austinpartners.org </dev/null
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = austinpartners.adoptaschool-austin.org
verify return:1
---
Certificate chain
 0 s:/CN=austinpartners.adoptaschool-austin.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
subject=/CN=austinpartners.adoptaschool-austin.org
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 3310 bytes and written 458 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Session-ID: 014A503BDB6B56489706C376AFC8B22CA82C51BDDCB5E9E35FB234EC957BAD46
    Session-ID-ctx: 
    Master-Key: 319228EA6790398A01CF7F0D7E78AC044B31BD52DD1A5E3047BB095344571984100D4F8732F81AF7CF2E13333D73BFE8
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)

    Start Time: 1519419149
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
DONE

You don’t have to worry about this error unless you care about very old software that doesn’t support SNI. If you do, you’ll have to ask your webhost to fix the problem, likely by providing you a dedicated IP to map your certificate to.

Hope that helps,


#3

The webserver responds with the correct certificate when the client uses “Server Name Indication”, a special feature in TLS so multiple hostnames can be used with different certificates behind a single IP.

Without the SNI feature in a client, a server responds with the “default” certificate, which in your case is the certificate LinkChecker got. I guess LinkChecker doesn’t use SNI.

SNI is supported in every modern browser; only ancient clients won’t support it.

See for more information: https://en.wikipedia.org/wiki/Server_Name_Indication


#4

Thank you cpu and Osiris for your answers. We are on a shared hosting web server as you might have guessed. Glad to see the error message is not an issue.

