SSL not safe on subdomain (other server)

bdevroey · August 16, 2017, 7:24pm

Hi,

Got a problem

I have 2 servers, one main server urbex.social.
and the second where the subdomain points to…

The main certificate on server one is working perfect.
I asked for a new one on the second server sdk.urbex.social.
but it gives an error in the browser (unsafe).

Is there some solution to get it working?

kind regards
Bart

jared.m · August 16, 2017, 8:00pm

You’re not using Let’s Encrpyt certificates on either of these domains. urbex.social has a certificate from GlobalSign, and sdk.urbex.social has a self-signed certificate. Are you sure your web server is set to use these, and that you reloaded its configuration to have the Let’s Encrypt certificate take effect on them?

bdevroey · August 16, 2017, 8:03pm

Thank you for your reply,

Normally yes i think… they were generated in /etc/letsencrypt/live/urbex.social
To be shure i also restarted the vps…

bdevroey · August 16, 2017, 8:06pm

I also checked the main domain
https://sslanalyzer.comodoca.com/?url=urbex.social
Issuer Name
commonName=Let’s Encrypt Authority X3
organizationName=Let’s Encrypt
countryName=US

This was the command i used on the vps.
letsencrypt-auto certonly --webroot --webroot-path /var/www/html -d sdk.urbex.social -d www.sdk.urbex.social

openssl x509 -in /etc/letsencrypt/live/urbex.social/cert.pem -text -noout returns
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Validity
Not Before: Aug 15 13:16:00 2017 GMT
Not After : Nov 13 13:16:00 2017 GMT
Subject: CN=sdk.urbex.social
…

Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

        X509v3 Subject Alternative Name:
            DNS:sdk.urbex.social, DNS:www.sdk.urbex.social
        X509v3 Certificate Policies:
            Policy: 2.23.140.1.2.1
            Policy: 1.3.6.1.4.1.44947.1.1.1
              CPS: http://cps.letsencrypt.org

schoen · August 16, 2017, 8:10pm

When you use "certonly", that means "only obtain the certificate, don't install it". That means that it obtained the certificate (in that PEM file that you saw) but it didn't do anything to tell any software on your system to use the new certificate.

jared.m · August 16, 2017, 8:10pm

Hm, something strange happened in my test environment’s DNS for this - you’re right that urbex.social has a Let’s Encrypt certificate.

jared.m · August 16, 2017, 8:12pm

You definitely have a self-signed certificate in place for sdk.urbex.social, though. Schoen already mentioned the need to explicitly install this certificate to your webserver, not just having it present there.

bdevroey · August 16, 2017, 8:19pm

Yes, stupid from me!!

certbot-auto --apache -d www.sdk.urbex.social -d sdk.urbex.social
it’s working

Certificate Details
Common Name sdk.urbex.social
Alternative Names
Click a Name to crt.sh (search) for all publicly logged certificates
sdk.urbex.social
www.sdk.urbex.social
Subject Name
commonName=sdk.urbex.social
Serial Number 032AC9DAB6C5C1A0A215E41B15021B87F2BF
Fingerprint (SHA-256) E6C5442669F168EA9C110AAB92F1CCB075731E7169DF85B3A994E689C11EFC65
Valid From Tue, 15 Aug 2017 13:16:00 GMT
Valid To Mon, 13 Nov 2017 13:16:00 GMT (Expires in 88 days)
Key RSA (2048-bit)
Signature SHA-256 / RSA
Issuer Name
commonName=Let’s Encrypt Authority X3
organizationName=Let’s Encrypt
countryName=US

Issuer Brand Let’s Encrypt
Validation Type Domain Validated (DV)
Trusted by Microsoft? Yes
Trusted by Mozilla? Yes

Thank you!

system · September 15, 2017, 8:19pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.