Weird certificate problem


#1

Hello,

This is my certificate

Certificate Name: foro.losumo.com
Domains: foro.losumo.com www.foro.losumo.com
Expiry Date: 2019-06-01 08:20:10+00:00 (VALID: 75 days)
Certificate Path: /etc/letsencrypt/live/foro.losumo.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/foro.losumo.com/privkey.pem

This URL works fine https://foro.losumo.com

but this URL https://www.foro.losumo.com gives me this error

This site can’t provide a secure connection

What did I do wrong?

Thanks


#2

You probably forgot to include the www in the vhost config.
You should find lines like:
ServerName foro.losumo.com
ServerAlias www.foro.losumo.com


#3

Here is my virtual host

<Directory /var/www/html/losumo.com/public_html>
Require all granted
</Directory>
<VirtualHost *:80>
ServerName foro.losumo.com
ServerAlias www.foro.losumo.com
ServerAdmin webmaster@localhost
DocumentRoot /var/www/foro.losumo.com/public_html

    ErrorLog /var/log/apache2/foro.losumo.com.error.log
    CustomLog /var/log/apache2/foro.losumo.com.access.log combined

RewriteEngine on
RewriteCond %{SERVER_NAME} =www.foro.losumo.com [OR]
RewriteCond %{SERVER_NAME} =foro.losumo.com
RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,NE,R=permanent]
</VirtualHost>


#4

Or, since now I see that you are using CloudFlare, you may need to include the WWW in their configuration.

curl -Iki https://foro.losumo.com
HTTP/2 200
date: Sun, 17 Mar 2019 20:40:10 GMT
content-type: text/html; charset=UTF-8
set-cookie: __cfduid=d039532466cdcf62530df81c129ddf7b81552855208; expires=Mon, 16-Mar-20 20:40:08 GMT; path=/; domain=.losumo.com; HttpOnly
set-cookie: phpbb3_bkj55_u=1; expires=Mon, 16-Mar-2020 20:40:10 GMT; path=/; domain=foro.losumo.com; secure; HttpOnly
set-cookie: phpbb3_bkj55_k=; expires=Mon, 16-Mar-2020 20:40:10 GMT; path=/; domain=foro.losumo.com; secure; HttpOnly
set-cookie: phpbb3_bkj55_sid=dd39125225706a00e81f29ab92d2bb36; expires=Mon, 16-Mar-2020 20:40:10 GMT; path=/; domain=foro.losumo.com; secure; HttpOnly
cache-control: private, no-cache="set-cookie"
expires: Sun, 17 Mar 2019 20:40:10 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
server: cloudflare
cf-ray: 4b91c7bf6b4ab955-MIA

curl -Iki https://www.foro.losumo.com
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure


#5

Name:      foro.losumo.com
Addresses: 2606:4700:30::681c:aba
           2606:4700:30::681c:bba
           104.28.10.186
           104.28.11.186

Name:      www.foro.losumo.com
Addresses: 2606:4700:30::681c:bba
           2606:4700:30::681c:aba
           104.28.10.186
           104.28.11.186


#6

losumo.com is using cloudflare, but not foro.losumo.com

Maybe I should add it too?


#7

Hi @fernandoch

the site uses Cloudflare:

Host                 T     IP-Address              is auth.  ∑ Queries  ∑ Timeout
foro.losumo.com      A     104.28.10.186           yes       1          0
                     A     104.28.11.186           yes       1          0
                     AAAA  2606:4700:30::681c:aba  yes
                     AAAA  2606:4700:30::681c:bba  yes
www.foro.losumo.com  A     104.28.10.186           yes       1          0
                     A     104.28.11.186           yes       1          0
                     AAAA  2606:4700:30::681c:aba  yes
                     AAAA  2606:4700:30::681c:bba  yes

But the Cloudflare certificate is a wildcard without the www-version:

CN=sni.cloudflaressl.com, O="CloudFlare, Inc.", L=San Francisco, S=CA, C=US
13.03.2019 - 13.03.2020 (expires in 362 days)
sni.cloudflaressl.com, losumo.com, *.losumo.com - 3 entries

www doesn’t work:

SecureChannelFailure - The request was aborted: Could not create SSL/TLS secure channel.
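
Added example, not part of the original posts: a Python check of why the edge certificate listed in post #7 covers foro.losumo.com but not www.foro.losumo.com, while the Let's Encrypt certificate from post #1 covers both. The SAN lists are copied from those two posts; the function names are illustrative, and the matcher assumes the RFC 6125 rule that a wildcard stands for exactly one leftmost label.

```python
# SAN lists copied from the thread: post #1 (origin, Let's Encrypt) and
# post #7 (Cloudflare edge certificate).
ORIGIN_SANS = ["foro.losumo.com", "www.foro.losumo.com"]
EDGE_SANS = ["sni.cloudflaressl.com", "losumo.com", "*.losumo.com"]


def san_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style match: '*' is accepted only as the whole leftmost
    label and stands for exactly one label, never for 'www.foro'."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard cannot absorb extra labels
    if p_labels[0] == "*":
        # Leftmost hostname label must be non-empty; the rest must be equal.
        return bool(h_labels[0]) and p_labels[1:] == h_labels[1:]
    if "*" in pattern:
        return False  # partial or non-leftmost wildcards are rejected here
    return p_labels == h_labels


def covering_san(hostname, sans):
    """Return the first SAN entry that covers hostname, or None."""
    for entry in sans:
        if san_matches(entry, hostname):
            return entry
    return None


def coverage_report(hostnames, certs):
    """Map each hostname to {certificate label: covering SAN or None}."""
    return {h: {label: covering_san(h, sans) for label, sans in certs.items()}
            for h in hostnames}


if __name__ == "__main__":
    report = coverage_report(
        ["losumo.com", "foro.losumo.com", "www.foro.losumo.com"],
        {"edge": EDGE_SANS, "origin": ORIGIN_SANS},
    )
    for host, result in report.items():
        print(host, result)
```

A hostname that shows None for the edge certificate cannot complete a TLS handshake through the proxy, whatever certificate the origin server holds.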


#8

No, sorry, both are like that


#9

Hi @JuergenAuer

And do you know how to fix it?


#10

These may be your internal ip addresses.

But your public ip addresses are 104.28.10.186 etc.

If you want to use Cloudflare, you must have a complete certificate before you activate Cloudflare.

So first deactivate Cloudflare, so the 37… is your public ip address. Then create a correct certificate, then activate Cloudflare.

Or use the Cloudflare - integrated solution.

A few hours earlier I have updated the page

and added a link to the Cloudflare blog @schoen had shared.


#11

I had the complete certificate before activating cloudflare.


#12

Maybe. But we can’t check it. We see only Cloudflare.


Oh, wait. I can check it. But I need your complete ip.

Or check it directly using my tool - https://check-your-website.server-daten.de/

Yesterday I added a new field - Hostname.

So it’s possible to add the ip address in the main field and the hostname in the extra field.

Then you can check it without having a dns A- or AAAA entry.

So you need two checks: Both with the same ip address and one time the non-www, the other time the www domain name in the hostname field.


#13

Just removed the certificate and created it again but now with cloudflare…

A bit lost in here, what to do? Should I remove cloudflare and stay without it?


#14

Recheck the domain to see if it works - https://check-your-website.server-daten.de/?q=foro.losumo.com


#15

You need to either disable Cloudflare’s proxy on https://www.foro.losumo.com/ or buy a Dedicated Certificate with Custom Hostname that matches that hostname from Cloudflare.


#16

I will disable cloudflare from all the domain I guess…


#17

With that https://check-your-website.server-daten.de/?q=foro.losumo.com what do we get?


#18

The last check is one hour old (that post: Weird certificate problem).

If you have changed your configuration, then you can recheck your domain.


#19

But if I recheck, then what?

Is there a proper way to have a certificate with cloudflare? Or better to remove cloudflare?


#20

The tool is only an online tool to see the configuration. Without too many manual checks.

There are a lot of websites using Cloudflare. But I don’t know the details, I don’t use Cloudflare. You can use it with your own working certificate. But then you first need a working configuration, then activate Cloudflare.