Valid Cert replaced by Bad "SafeLinks" Cert?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: houseofprayer[.]org

I ran this command: Renewed existing Cert

It produced this output: A valid SSL Cert, then a few hours later SSL Cert changed (see image)


My web server is (include version): Bitnami LAMP stack

The operating system my web server runs on is (include version): Linux (debian 11)

My hosting provider, if applicable, is: Microsoft Azure

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): n/a

Using Windows 10 Chrome Version 121.0.6167.185 (Official Build) (64-bit) I see no issue

And using Windows 10 123.0 (64-bit) I see no issue

https://decoder.link/sslchecker/houseofprayer.org/443 shows the certificate is fine.

Are you using Comcast and/or Barracuda?
Then maybe this helps: Comcast Business: problem with connecting to sites with SSL | Ars OpenForum

3 Likes

I just checked again in Chrome and the Original Cert is back. What would be causing this? As you can see the common name on the cert changed from houseofprayer[.]org to pxy.prd.live.c2szps.spcld[.]net. This happened within a few hours of renewing the cert both yesterday and today.

Thank you for the link to the ssl checker. I am currently using Charter Spectrum for ISP so I don't think Comcast is the issue.

1 Like

Hi @SilverCloud,

I see Server: Apache; has Apache been restarted?
Also try clearing the Web Browsers' Caches.

$ curl -Ii http://houseofprayer.org
HTTP/1.1 302 Found
Date: Fri, 01 Mar 2024 18:58:28 GMT
Server: Apache
Location: https://houseofprayer.org/
Content-Type: text/html; charset=iso-8859-1
$ curl -Ii https://houseofprayer.org
HTTP/1.1 200 OK
Date: Fri, 01 Mar 2024 18:58:35 GMT
Server: Apache
Link: <https://houseofprayer.org/wp-json/>; rel="https://api.w.org/", <https://houseofprayer.org/wp-json/wp/v2/pages/65>; rel="alternate"; type="application/json", <https://houseofprayer.org/>; rel=shortlink
Content-Type: text/html; charset=UTF-8

From here https://sitereport.netcraft.com/?url=https://houseofprayer.org
I see Hosting company Microsoft - US East (Virginia) datacenter;
you might want to check with them as well.

1 Like

From the machine/PC that got that bad cert, do you get that same problem going to any other site(s)?

This name looks much like a "proxy":

1 Like

I restarted apache and ran the commands you provided. Thank you

1 Like

To @rg305, I have not had a problem with any other sites. I did receive the bad cert on 2 different machines in 2 different locations, although I was using the same Chrome account on both machines. I do have another test website running the same Bitnami LAMP stack on MS Azure with a Let's Encrypt Cert and have not had any problems with that site. hoptest.org

h m m . . .

2 Likes

OK, here we go again. I just tried to access the site with MS Edge and am now getting security errors.
I also tried using a second Chrome account, Desktop and Mobile, same security error.


Has that site/server been compromised?
Who operates the server?

3 Likes

This site has never been compromised until yesterday. The site is hosted on Microsoft Azure. I operate the server.

Are those all on the same devices / local network? What happens from 3rd party testing sites when you see the wrong cert?

3 Likes

SSL checker says "it's all good". SSL server Test scores an "A". I am not sure what you mean by 3rd Party testing sites?

If I assume this server is compromised, can I just move site to another server or will I still get the same errors? Is the security cert tied to the domain/common name or the physical server itself?

The devices I tested from were on 2 different local networks.

Those are both 3rd party sites. What I meant is something may be interfering with your connections but not the public internet in general.

Testing from systems completely different than yours may help identify where the problem resides.

Some antivirus and firewalls intercept https traffic to inspect and protect - for example.

2 Likes
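The isolation step suggested above (compare what your own machines are served with what independent systems see) can be scripted. This is an added example, not code posted by anyone in the thread; the function names, vantage labels and fingerprint values are constructed for illustration.

```python
import hashlib
import socket
import ssl

# Constructed sample values: fingerprint of the cert installed on the server
# (openssl style, colon separated) and what each vantage point was served.
SERVER_FP = ":".join(["AB"] * 32)
SAMPLE = {
    "third-party-checker": "ab" * 32,   # matches the server
    "home-pc": "cd" * 32,               # different leaf cert
    "office-pc": "cd" * 32,             # same different leaf cert
}

def leaf_fingerprint(host, port=443, timeout=5.0):
    """SHA-256 of the leaf certificate this machine is actually served.

    Verification is disabled on purpose: an intercepted certificate fails
    validation, and its bytes are still needed for the comparison.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()

def _norm(fp):
    """Make 'AB:CD:..' and 'abcd..' forms comparable."""
    return fp.replace(":", "").strip().lower()

def locate_mismatch(server_fp, observed):
    """Compare fingerprints seen from several vantage points with the
    certificate installed on the server.

    observed: {vantage name: fingerprint}. Returns (verdict, bad_vantages).
    """
    bad = sorted(v for v, fp in observed.items()
                 if _norm(fp) != _norm(server_fp))
    if not bad:
        return "consistent", bad
    if len(bad) < len(observed):
        # Only some paths see another cert: inspect those clients/networks
        # (antivirus HTTPS scanning, firewall inspection, resolver).
        return "client-or-network-side", bad
    # Nobody sees the installed cert: look at the server and its DNS.
    return "server-or-dns-side", bad
```

Take the reference fingerprint from the certificate file on the server after the renewal has completed, since a renewal changes it.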

OK. I did find some malware on my PC, which I removed. The site appears to be working again. Since both of the 3rd party sites showed passing scores I will just assume the site is secure. Now that I think about it, I recently purchased a Cisco Meraki router and firewall and last week I finally activated the firewall features. Is it possible the firewall could be intercepting the website traffic and showing it as unsecured? Although that does not explain my other work location showing security issues.

3 Likes

I was just trying to help isolate where this problem occurred. Just because it involved a faulty cert does not mean it is server related.

Often people think they are trying different things when they are not ... forgetting their devices may use the same antivirus or network firewalls and similar.

When I first looked at this problem right after you said it was failing I did not see anything wrong. Not from my own test servers or from those 3rd party sites. Which made me start thinking it was something unique to the devices you use and not the general public.

@stewe mentioned earlier about Barracuda / Comcast. There are many Google hits of people with wrong DNS results for their in certain cases. I never saw the failure to be able to check that but if it recurs that is something to look at.

3 Likes