Web server certificate does not include an ID matching the server name


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: int.chicagobusinessdirect.org

This is the error I am getting

This is how my chicagobusinessdirect.conf file is configured.

Any suggestions?


#2

It’s not an error, it’s a warning.

Do you actually have any troubles with your site?

(Besides not having a DNS record, so no one on the internet can connect to it…)


#3

Is this an internal name? I am not able to resolve it to take a look at the certificate it’s serving. One concern is that you’re declaring your chain wrong, but that shouldn’t cause this kind of failure. Fullchain contains both the certificate and chain, so you’d be sending the certificate twice. You should use chain.pem for the chain file. I’m more of an nginx guy, but I think newer Apache can just take fullchain.pem as the certificate and not have a chain file line.

Anyway, could you connect with openssl s_client and paste what it returns? None of that information returned is confidential, but I’m specifically interested in everything preceding “SSL handshake has read N bytes and written M bytes”.

The command would be openssl s_client -connect int.chicagobusinessdirect.org:443


#4

Yes, this is an internal server. When I try the above command it says name or service not known.


#5

You’d need to do it from a machine that can resolve and connect to that server.

If you know the IP, you could instead run that command as:

openssl s_client -connect IP_ADDRESS:443 -servername int.chicagobusinessdirect.org
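
Added example, not part of any post in this thread: when the server cannot be reached with s_client, the same question (does the certificate carry a name matching the server name?) can be answered from the certificate file's SAN list. The SAN text below is a constructed sample in the shape printed by `openssl x509 -noout -ext subjectAltName`; the function names are hypothetical, and the matching is a simplified RFC 6125-style rule, not the web server's own code.

```python
import re

# Constructed sample: SAN listing for a certificate that covers the
# public names but not the internal one discussed in this thread.
SAMPLE_SAN_TEXT = """\
X509v3 Subject Alternative Name:
    DNS:chicagobusinessdirect.org, DNS:www.chicagobusinessdirect.org, IP Address:192.0.2.10
"""


def dns_names(san_text):
    """Return the dNSName entries of the SAN listing, lowercased."""
    found = re.findall(r"DNS:([^,\s]+)", san_text)
    return [name.lower().rstrip(".") for name in found]


def name_matches(pattern, host):
    """Simplified RFC 6125-style comparison (assumption, see lead-in).

    A wildcard is accepted only as the whole left-most label and
    stands for exactly one label; everything else must be equal.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False          # "*.example.org" never covers "example.org"
    if p[0] == "*":
        # Refuse overly broad patterns such as "*.org".
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covering_entries(san_text, server_name):
    """List the SAN entries that cover server_name (empty list: mismatch)."""
    return [n for n in dns_names(san_text) if name_matches(n, server_name)]


if __name__ == "__main__":
    for name in ("www.chicagobusinessdirect.org",
                 "int.chicagobusinessdirect.org"):
        hits = covering_entries(SAMPLE_SAN_TEXT, name)
        print(name, "->", hits if hits else "no matching ID in certificate")
```

An empty result for the configured server name is the condition the warning in the topic title describes.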


#6

I still can’t tell if there actually is an error.


#7

@Pradeep, I think that @Osiris is concerned about something like this:

If you use the name int.chicagobusinessdirect.org via HTTPS, you should probably get a certificate for it. The most commonly used methods of doing so with Let’s Encrypt require you to allow the public to connect to this server, which may not be possible if it’s a purely internal server that’s not accessible from the Internet. You can also use a DNS validation method to obtain the certificate, which usually requires having a DNS provider that can update your DNS zone via an API.

If you don’t use it, then you should probably remove it from your web server configuration.

If you do use it, but only from one specific web browser, and you’ve already told that web browser to accept the existing certificate, then the web server warning is probably not relevant to you at all.


#8

I’m actually more concerned about the possibility the site works perfectly for the topic starter, but sees a warning as an error which has to be fixed. While in the meantime the site itself works nicely.

But we’re missing this information. Perhaps the site doesn’t work and we only get this warning. Which could or perhaps isn’t related to the fact the site doesn’t work.

I.e., I would like to know from @Pradeep what the actual problem is: is it just this warning? Or is it a site which isn’t working?

