The problem of certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: speedtest1.gs.chinamobile.com

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version): CentOS Linux release 7.9.2009

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Hello guys,
I successfully renewed my certificates, but the certificate was checked with an error by speedtest. Error: SSL certificate problem: self signed certificate.


I checked with crt.sh, and the organization name is Let's Encrypt, but when I used openssl to connect to my domain, the organization is OoklaServer, and there is a verify error:num=18:self signed certificate.


How can I solve this problem?
Thanks in advance,

1 Like

Are you connecting to the same IP/system that the Internet does?
The Internet sees:

2 Likes

@msbaggio It is also possible that you're using an older version of openssl in which you need to explicitly specify -servername in order to send SNI. In newer versions, SNI is sent automatically based on the argument to -connect, but in older versions it has to be added with a -servername option, or else no SNI extension will be sent by the client.

Web browsers always send SNI, so the newer behavior (providing SNI) is more similar to the behavior that a user would encounter from a browser.

3 Likes

Yes, the certificate of my domain is not self-signed, but it was detected as a self-signed certificate by speedtest.net. Why is this so?

I would not know.
I can't replicate your finding.

2 Likes

The HTTPS detection by speedtest.net also says 'self signed certificate', and the previous detections were all normal. The HTTPS of my domain works normally.

I'm confused...
What does this name:

have to do with this site?:

3 Likes

What version of OpenSSL do you have?

2 Likes

You can check with openssl. The previous certificate is normal, but the latest certificate applied for is abnormal.

I disagree:

openssl s_client -connect speedtest1.gs.chinamobile.com:443 -servername speedtest1.gs.chinamobile.com
CONNECTED(000001F4)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
Server did acknowledge servername extension.
---
Certificate chain
 0 s:/CN=speedtest1.gs.chinamobile.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Again:

openssl version

2 Likes

My domain is speedtest1.gs.chinamobile.com.
My openssl version is OpenSSL 1.1.1q 5 Jul 2022.
I need to use the speedtest.net application (or OoklaServer), so speedtest.net will check the HTTPS of my domain; it uses port 8080.
If you check port 8080, the certificate is OoklaServer, not Let's Encrypt.

Port 443 has the right cert.
Port 8080 has a self-signed cert.

How do you change the cert being used by port 8080?
I don't know; check the OoklaServer documentation.

3 Likes

There was a mistake in OoklaServer's config; it works normally now. Thank you for your help.

2 Likes
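The per-port comparison that resolved this thread, as an added example that is not part of the original posts: it reduces `openssl s_client` output to the leaf subject, leaf issuer and verify error numbers so that 443 and 8080 can be compared side by side. The function names are hypothetical, the port-443 sample is copied from the output quoted above, and the port-8080 sample (`constructed.example`) is constructed.

```bash
#!/bin/sh
# Added example: summarise s_client output for one host:port.
# Output format: verdict|leaf subject|leaf issuer|verify error numbers

summarize_s_client() {
    awk '
        /verify error:num=/ {              # 18 = self signed, 20 = no local issuer
            n = $0; sub(/.*num=/, "", n); sub(/:.*/, "", n)
            if (!(n in seen)) { seen[n] = 1; errs = errs (errs == "" ? "" : ",") n }
        }
        # Chain entry 0 is the leaf; works for "s:/CN=x" and "s:CN = x" styles.
        /^ *0 s:/       { subj = $0; sub(/^ *0 s:/, "", subj); want = 1; next }
        want && /^ *i:/ { iss = $0;  sub(/^ *i:/, "", iss);    want = 0 }
        END {
            if (subj == "")       verdict = "no-certificate"
            else if (subj == iss) verdict = "self-signed"   # subject equals issuer
            else                  verdict = "ca-issued"
            printf "%s|%s|%s|%s\n", verdict, subj, iss, errs
        }'
}

# Needs network access. SNI is sent explicitly so older openssl builds behave
# like a browser; verify errors go to stderr, hence 2>&1.
check_ports() {
    host=$1; shift
    for port in "$@"; do
        printf '%s:%s ' "$host" "$port"
        openssl s_client -connect "$host:$port" -servername "$host" \
            </dev/null 2>&1 | summarize_s_client
    done
}

# Port 443 output as quoted in the thread (trimmed to the relevant lines).
sample_443() { cat <<'EOF'
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify error:num=20:unable to get local issuer certificate
 0 s:/CN=speedtest1.gs.chinamobile.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
EOF
}

# Constructed sample of a self-signed leaf such as the one seen on port 8080.
sample_8080() { cat <<'EOF'
verify error:num=18:self signed certificate
 0 s:/O=OoklaServer/CN=constructed.example
   i:/O=OoklaServer/CN=constructed.example
EOF
}

# Usage: check_ports speedtest1.gs.chinamobile.com 443 8080
```

A `self-signed` verdict on one port next to `ca-issued` on another means the service on that port loads its own certificate file and has to be reconfigured separately from the web server.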
