
Starting a few days ago some users have reported that they're getting errors on a client's site saying the "certificate is not trusted because it is self-signed" and it goes on to say that "The certificate is only valid for asimov.sensoryworld.com". This only happens when accessing the site through https://sensoryworld.com, or when they reach the checkout page which uses SSL if they're just browsing on http:. To clarify, asimov is the hostname, not a subdomain the site is on.

I checked the SSL installation using https://www.sslchecker.com/sslchecker and it said the certificate provider is GoDaddy.com, Inc. I contacted GoDaddy and they said everything was set up properly. Just to be sure I re-installed the certificates and set the permissions on them again, then restarted the server.

This error does not happen for everyone. I'm able to access all parts of the site fine, as were the reps at GoDaddy and Linode, the host. It is, however, happening for enough people that I know it's not just an error on the user's end. One customer said they were able to access the site through https on their laptop at Best Buy, but when they returned home the error started appearing again.

Below is the content of my VirtualHosts file at /etc/apache2/sites-enabled/sensoryworld.com.conf:

```apache
# domain: sensoryworld.com
# public: /var/www/sensoryworld.com/public_html/

<VirtualHost *:80>
  # Admin email, Server Name (domain name), and any aliases
  ServerAdmin alex@rdccompanies.com
  ServerName  www.sensoryworld.com
  ServerAlias sensoryworld.com

  # Index file and Document Root (where the public files are located)
  DirectoryIndex index.html index.php
  DocumentRoot /var/www/sensoryworld.com/public_html
  # Log file locations
  LogLevel warn
  ErrorLog  /var/www/sensoryworld.com/log/error.log
  CustomLog /var/www/sensoryworld.com/log/access.log combined
</VirtualHost>

<VirtualHost 72.14.187.9:443>
     SSLEngine On
     SSLCertificateFile /etc/apache2/ssl/3ff9c9649d9bb98f.crt
     SSLCertificateKeyFile /etc/apache2/ssl/www.sensoryworld.com.key
     SSLCACertificateFile /etc/apache2/ssl/gd_bundle-g2-g1.crt

     ServerAdmin alex@rdccompanies.com
     ServerName www.sensoryworld.com
     DocumentRoot /var/www/sensoryworld.com/public_html/
     ErrorLog /var/www/sensoryworld.com/log/error.log
     CustomLog /var/www/sensoryworld.com/log/access.log combined
</VirtualHost>
```

If any other information needs to be provided I'll dig it up. Thanks for your time!

1 Answer

An analysis indeed shows that everything is set up properly:

  • The certificate contains sensoryworld.com and www.sensoryworld.com in the 'subject alternative name' fields.
  • SSL chain order is correct and complete.
  • The nameservers for the domain all return the same IP address and there are no multiple A or AAAA records.

I would search for any and all certificates on the server and see if any match asimov.sensoryworld.com. Perhaps you have some stray virtual host responding to it? I don't see how, but it's worth a look.

Would you be in a position to look at a computer that can reproduce the problem? I wonder if you really do end up at the correct IP address.

BTW, checkout is HTTPS, yet people can log in over HTTP?

Halfgaar
  • How would I go about searching for certificates in that way? I don't have access to any devices that are experiencing the problem. And I want the entire site over https but the client has asked that http be used for everything but checkout for the time being. – user3761261 Nov 05 '15 at 20:57
  • You can just grep for `----------BEGIN CERTIFICATE` or whatever is exactly at the top of one. – Halfgaar Nov 05 '15 at 22:31
  • Thanks, I'll see if I can find anything as soon as I get a chance. – user3761261 Nov 06 '15 at 15:10
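
The certificate search suggested in the answer, written out as an added example that is not part of the original thread: it lists every file containing a PEM certificate header under the directories you pass and flags those whose subject or SAN names a given hostname. The function names and the script name in the usage note are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): find stray certificates that name a host.

# Print the path of every regular file under the given directories that
# contains a PEM certificate header. Missing directories are skipped.
find_cert_files() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \
            -exec grep -lF -e '-----BEGIN CERTIFICATE-----' {} + 2>/dev/null || true
    done
}

# Print the Subject line and DNS SAN entries of the FIRST certificate in a
# PEM file (openssl x509 only reads the first one in a bundle).
cert_names() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -E 'Subject:|DNS:' | sed 's/^ *//'
}

# scan_for_host HOST DIR...: report certificates whose names mention HOST.
scan_for_host() {
    host=$1
    shift
    find_cert_files "$@" | while IFS= read -r f; do
        if cert_names "$f" | grep -qiF -e "$host"; then
            echo "MATCH $f"
            cert_names "$f" | sed 's/^/    /'
        fi
    done
}

# Run only when called with a hostname and at least one directory.
if [ "$#" -ge 2 ]; then
    scan_for_host "$@"
fi
```

Run it as root so unreadable files are not silently skipped, for example `sh find-certs.sh asimov.sensoryworld.com /etc/apache2 /etc/ssl`. Any `MATCH` path can then be searched for in the Apache configuration to see which virtual host, if any, references it.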