SSL problem in browser - wrong Common Name (Apache or Let's Encrypt issue?)


#1

Hi all

Some of my sites give a browser security warning ERR_CERT_AUTHORITY_INVALID.

In these cases the Common Name in the certificate is listed as the server domain not the actual site domain, i.e. servername.default.name.uk0.bigv.io instead of mysitename.com (according to certificate viewer in browser).

I have multiple sites on Symbiosis. Some of them load fine without errors or warnings, and for these each certificate has the correct Common Name mysitename.com

How can I fix the problem for the affected sites please?

There is mention of a similar problem on this forum but I’ve combed that and mine has not resolved itself overnight.

Let’s Encrypt itself seems to be working fine on all of them. It might be an Apache issue or related to ownership/permissions but I don’t know.

I am happy to paste logs/config files in here if that helps.

Thanks in advance for any help.


#2

Hi Carl

Presumably, more than one browser shows the problem.

I’d start by looking at symbiosis-ssl --list for the affected domains; does the ‘current set’ show “Let’s Encrypt” with a forward expiry-date?

Next, sudo symbiosis-httpd-configure --verbose my-wonkyssl-site.com. Is output different when tested against a working site?


#3

Hi alphacabbage1

Yes, several browsers on different devices show the problem (Firefox, Chrome and Chromium).

Output of symbiosis-ssl --list looks fine. All sites have forward expiry dates including the problem ones.

Comparison of output of symbiosis-httpd-configure --verbose my-wonkyssl-site.com for broken and working sites looks fine too!

Thanks for the tips - it’s really useful to rule out these possible causes.

The only differences I can see are in the browser(s):

  1. the certificate itself gives the following error:
    _This page is insecure (broken HTTPS)._

  2. and the Common Name (CN) is incorrect.

I don’t know properly how Symbiosis’ script which runs Let’s Encrypt gets the Common Name field for the certificate.

Some script or something appears to be giving Let’s Encrypt the name of the host domain not the website’s proper domain.


#4

It sounds like the Let’s Encrypt side of things is working. To confirm, try something like:

openssl x509 -noout -issuer -subject -enddate -in "/srv/wonkyssl-site.com/config/ssl/current/ssl.combined"

If that checks out, and there’s nothing hyper-odd in the host/domain names, I guess it’s something to do with the Apache setup. SNI sounds OK as most sites work … and I’m probably going to run out of guesses fairly soon. 😉


#5

Hi there,

It might be worth checking the following:

  1. Remove any .htaccess files you might have
  2. Have you moved the machine between groups using the control panel?
  3. Check for typos/permissions for the ssl* files in config

I’m also trying to spot a pattern for what went wrong with mine, before I ‘fixed’ it


#6

I’ve just migrated a WordPress site and have the same error. Anyone know of a quick fix?

In these cases the Common Name in the certificate is listed as the server domain not the actual site domain, i.e. servername.default.name.uk0.bigv.io instead of mysitename.com (according to certificate viewer in browser).

UPDATE
Beats me what caused the error BUT the solution to the problem turned out to be to run the following commands:

sudo symbiosis-ssl -v exampledomain.com
sudo symbiosis-httpd-configure -v exampledomain.com


#7

I’ve noticed symbiosis-ssl and symbiosis-httpd-configure don’t run together/one after the other/etc, so sometimes you’ll see a valid cert in sym but not in the browser as Apache isn’t yet configured correctly.

Any new site I add now I manually run those commands, then they tend to just work with updates going forward.
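Added example, not part of any post in this thread: a shell check for the state described in #7, where the certificate set on disk is valid but Apache serves a different certificate for the name. It compares the file at the path quoted in #4 with the certificate returned over SNI; the function names and result labels are made up for this example, and `-checkhost` assumes OpenSSL 1.0.2 or later.

```shell
#!/bin/sh
# Added example: compare the on-disk certificate with the one served via SNI.
# Usage: sudo sh check-cert.sh mysitename.com   (script name is hypothetical)

# SHA-256 fingerprint of the first certificate in the PEM stream on stdin.
cert_fp() {
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Succeeds if the certificate on stdin is valid for hostname $1 (SAN, else CN).
cert_covers() {
    openssl x509 -noout -checkhost "$1" 2>/dev/null |
        grep -q 'does match certificate'
}

# Leaf certificate served on $1:443 when $1 is sent as the SNI name.
served_pem() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Classify domain $1 from its on-disk PEM file $2 and served PEM file $3.
diagnose() {
    domain=$1 disk=$2 served=$3
    if [ ! -s "$served" ]; then
        echo "no-cert-served"
    elif ! cert_covers "$domain" <"$disk"; then
        echo "disk-cert-wrong-name"       # the certificate set itself is wrong
    elif [ "$(cert_fp <"$disk")" = "$(cert_fp <"$served")" ]; then
        echo "ok"
    elif cert_covers "$domain" <"$served"; then
        echo "served-differs-but-valid"   # e.g. an older certificate still loaded
    else
        echo "apache-serving-other-cert"  # vhost not yet configured for this name
    fi
}

main() {
    domain=$1
    disk="/srv/$domain/config/ssl/current/ssl.combined"  # layout quoted in #4
    tmp=$(mktemp) || return 1
    served_pem "$domain" >"$tmp"
    diagnose "$domain" "$disk" "$tmp"
    rm -f "$tmp"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

A result of `apache-serving-other-cert` corresponds to the symptom in #1 and is the case where re-running the two commands from #6 is reported to help.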


#8

I doubt this issue will ever be highlighted within the tech docs or fixed for that matter.


#9

Symbiosis is open source so it could be fixed.

I know there is a clone that has some active development.