Your connection isn't private

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: sonvpn.myddns.rocks

I ran this command: https://www.sonvpn.myddns.rocks/

It produced this output: Your connection is not private Attackers might be trying to steal your information from www.favabam.blogspot.com NET::ERR_CERT_COMMON_NAME_INVALID

My web server is (include version): Apache2

The operating system my web server runs on is (include version): Ubuntu 20.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.0.9

1 Like
  • How did you get the certificate?
  • Did you install the certificate into your webserver?
1 Like

Hi Osiris,
I used the instructions from Let's Encrypt Certbot to generate the certificate.
But when verifying the certificate https://www.sslshopper.com/ssl-checker.html#hostname=sonvpn.myddns.rocks
It came back with

  • The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
  • None of the common names in the certificate match the name that was entered (sonvpn.myddns.rocks). You may receive an error when accessing this site in a web browser.

Thank you for your help.
Sony

1 Like

Which instruction specifically? Could you paste the URL you've used? There are thousands of guides on the internet.

1 Like

Hi Osiris,
Here is the link to the instruction

https://certbot.eff.org/lets-encrypt/ubuntufocal-apache

1 Like

Hi @sonydn

you have created some certificates. So that part has worked.

Did you restart your server?

If yes, what does this command print?

apachectl -S

PS: Your complete certbot command is required. Not a link to another domain.

1 Like

At step 7, which of the two options did you choose?

1 Like

Hi Osiris,
I chose "sudo certbot --apache"

My domain is a DDNS domain which I got from Dynu DDNS. Could the DDNS domain be a problem?

1 Like

Hi JuergenAuer,
Here is the output of "sudo apachectl -S"

VirtualHost configuration:
*:443 sonvpn.myddns.rocks (/etc/apache2/sites-enabled/sonyvpn.myddns.rocks-le-ssl.conf:2)
*:80 sonvpn.myddns.rocks (/etc/apache2/sites-enabled/sonyvpn.myddns.rocks.conf:1)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex ssl-stapling: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="www-data" id=33
Group: name="www-data" id=33

I created the certificate without seeing any errors in all the steps.
But when I verified it I got the following messages

  • The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.
  • None of the common names in the certificate match the name that was entered (sonvpn.myddns.rocks). You may receive an error when accessing this site in a web browser.
1 Like

That's incomplete.

Checking your www version raw, there is a very slow answer, http and https. But there is no default vHost and there is no www version defined. So a no-answer (timeout) would be expected checking the www version.

Solution - see the check result https://check-your-website.server-daten.de/?q=sonvpn.myddns.rocks

You have ipv4 and ipv6. First works, second has a timeout. And there is a

E=admin@localhost.com, CN=*.device2031136.wd2go.com, OU=Branded Products, O=Western Digital, L=Mountain View, S=California, C=US
	24.01.2015
	24.01.2025
expires in 1523 days

certificate.

Maybe there is another Apache that answers.

What's the content of your 443 vHost? Is this device2031136.wd2go.com your router?

The content:


Forbidden

You don't have permission to access /UI on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.
1 Like

In case, it hasn't been made clear:

You would need to include the www in the vhost configs and also in a new (replacement) cert.

Once you have done both, you can check your work with:

1 Like

That's not the problem. There are a lot of certificates:

Issuer | not before | not after | Domain names | LE-Duplicate | next LE
Let's Encrypt Authority X3 | 2020-11-22 | 2021-02-20 | sonvpn.myddns.rocks, www.sonvpn.myddns.rocks - 2 entries | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2020-11-22 | 2021-02-20 | sonvpn.myddns.rocks - 1 entries | duplicate nr. 2 |
Let's Encrypt Authority X3 | 2020-11-21 | 2021-02-19 | sonvpn.myddns.rocks - 1 entries | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2020-11-21 | 2021-02-19 | www.sonvpn.myddns.rocks - 1 entries | duplicate nr. 1 |
Let's Encrypt Authority X3 | 2020-11-20 | 2021-02-18 | sonyblog.ddns.net, www.sonvpn.myddns.rocks - 2 entries | duplicate nr. 1 |

So certificate creation has worked.

1 Like

Obtaining a cert and using a cert are not the same thing.
The site I reviewed had no www cert.
Right now the site is unreachable, so the OP may be making changes.

1 Like

As explained: The vHost definition has no www version and no default vHost. So the www version shouldn't answer.

But there is an answer -> looks like the wrong Apache (of the router with an /UI) answers.

So the "webserver vHost" may not be used -> general routing may be wrong.

2 Likes

Thank you JuergenAuer for helping me to resolve the problem that I was stuck on for 2 days.
There was a routing problem on my network. The result from https://check-your-website.server-daten.de/?q=sonvpn.myddns.rocks helped me to realize that the WD NAS, which I enabled for remote management many years ago, was the culprit. Once I disabled it, everything works fine now. The IPv6 address is still unreachable but as long as IPv4 works, it should be okay.

Thank you everyone else for jumping in and helping. You guys are great.

Sony

2 Likes
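
Added example (not part of any post in this thread): a small triage that separates the two causes discussed above, a certificate of your own that lacks the requested name versus a certificate from another device answering on the same address. The certificate names are copied from the thread; the function names and the classification strings are assumptions made for illustration.

```python
# Names quoted in the thread, embedded as constants; nothing is fetched.
WD_NAS_CERT = ["*.device2031136.wd2go.com"]  # subject CN the checker saw
LE_CERT = ["sonvpn.myddns.rocks", "www.sonvpn.myddns.rocks"]  # issued 2020-11-22


def name_matches(host, pattern):
    """RFC 6125-style match: '*' only as the whole left-most label,
    covering exactly one label, never a bare public suffix like '*.com'."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p


def triage(host, served_names, issued_names):
    """Classify what a client sees for `host`.

    served_names: names in the certificate the server actually presented.
    issued_names: names on certificates you obtained for this site
                  (for example, from Certificate Transparency logs).
    """
    if any(name_matches(host, n) for n in served_names):
        return "ok"
    served = {n.lower() for n in served_names}
    issued = {n.lower() for n in issued_names}
    if served & issued:
        # Our own certificate is being served, it just lacks this name.
        return "own certificate, name not covered"
    # Nothing in common with what we issued: a different server answered.
    return "foreign certificate, another device is answering"


if __name__ == "__main__":
    for host, served in [
        ("www.sonvpn.myddns.rocks", WD_NAS_CERT),
        ("www.sonvpn.myddns.rocks", ["sonvpn.myddns.rocks"]),
        ("www.sonvpn.myddns.rocks", LE_CERT),
    ]:
        print(host, served, "->", triage(host, served, LE_CERT))
```

A "foreign certificate" result points at routing or port forwarding rather than at Certbot or the vhost files, which is what the WD NAS turned out to be here.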

That's not entirely true, unless I don't understand you very well. Apache will default to the first <VirtualHost> section if it doesn't find a hostname from SNI in a ServerName or ServerAlias directive. You can't have "no default vhost", as the first <VirtualHost> block will automatically be the default.

3 Likes

I think that JuergenAuer probably means _default_.

1 Like

I think @Osiris is correct, even via http(s)://IP/ Apache will always return the first match, or _default_, or first similar config [http(s) will be assumed as the _default_ when none is explicitly defined].
It will always return something, so even when querying a name that doesn't exist there will be an answer.

1 Like

Indeed, even without SNI it will just answer with the default vhost, whether that is an actually set-as-default vhost (such as with _default_ indeed) or just "the first vhost Apache encounters in the configuration file(s)".

3 Likes

If you notice the output of apachectl -S, this behavior becomes clear.

1 Like
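
Added example (not part of any post in this thread): a parser for `apachectl -S` output that reports which vhost Apache would pick for a given port and Host/SNI name, including the fallback to the first listed vhost. `THREAD_DUMP` is copied from the output posted above; `MULTI_DUMP`, the function names and the reason strings are constructed for illustration.

```python
import re
from fnmatch import fnmatchcase

# Excerpt of the apachectl -S output posted in the thread (one vhost per port).
THREAD_DUMP = """\
VirtualHost configuration:
*:443 sonvpn.myddns.rocks (/etc/apache2/sites-enabled/sonyvpn.myddns.rocks-le-ssl.conf:2)
*:80 sonvpn.myddns.rocks (/etc/apache2/sites-enabled/sonyvpn.myddns.rocks.conf:1)
ServerRoot: "/etc/apache2"
"""

# Constructed sample of the layout printed when several vhosts share a port.
MULTI_DUMP = """\
*:443                  is a NameVirtualHost
         default server first.example (/etc/apache2/sites-enabled/a.conf:2)
         port 443 namevhost first.example (/etc/apache2/sites-enabled/a.conf:2)
         port 443 namevhost second.example (/etc/apache2/sites-enabled/b.conf:2)
                 alias www.second.example
"""


def parse_vhosts(dump):
    """Return {port: [{'name': ..., 'aliases': [...]}, ...]} in config order."""
    table, port = {}, None
    for line in dump.splitlines():
        s = line.strip()
        head = re.match(r"\S+:(\d+)\s+(.+)$", s)            # "*:443 ..."
        named = re.match(r"port (\d+) namevhost (\S+)", s)  # multi-vhost entry
        alias = re.match(r"(?:wild )?alias (\S+)", s)       # ServerAlias line
        if head:
            port = int(head.group(1))
            table.setdefault(port, [])
            if head.group(2) != "is a NameVirtualHost":
                name = head.group(2).split()[0]
                table[port].append({"name": name, "aliases": []})
        elif named:
            port = int(named.group(1))
            table.setdefault(port, []).append(
                {"name": named.group(2), "aliases": []})
        elif alias and port is not None and table[port]:
            table[port][-1]["aliases"].append(alias.group(1))
    return table


def select_vhost(table, port, host):
    """Mimic name-based selection: first vhost whose ServerName or
    ServerAlias matches, otherwise the first vhost listed for the port."""
    vhosts = table.get(port, [])
    if not vhosts:
        return None, "no vhost on this port"
    host = host.lower().rstrip(".")
    for v in vhosts:
        names = [v["name"]] + v["aliases"]
        if any(fnmatchcase(host, n.lower()) for n in names):
            return v["name"], "name match"
    return vhosts[0]["name"], "default (first vhost)"
```

For the thread's configuration, `select_vhost(parse_vhosts(THREAD_DUMP), 443, "www.sonvpn.myddns.rocks")` returns the `sonvpn.myddns.rocks` vhost as the default, so this Apache would answer for the www name with whatever certificate that vhost is configured to use.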