
BACKGROUND

I have a website which is up and running and has an SSL certificate that I bought, I didn't know about Let's Encrypt at the time.

I am planning a re-write of the application. I'm moving it to ReactJS, so I am building a .Net Core API to drive that.

ISSUE

I wish the api to sit at https://api.bejebeje.com, so I went ahead and, using Certify SSL Manager, got myself an SSL certificate.

My bindings look like this:

[screenshot of the site bindings, not preserved in this copy]

I can access my site via https://api.bejebeje.com/api/artists/ but the SSL isn't green in Chrome or Firefox, it says I have a name mismatch.

Why is this happening and how do I fix it?

Any help would be greatly appreciated.

Gerald Schneider
J86

2 Answers


In your server certificate, the CN (Common Name) value is "www.bejebeje.com":

Subject: OU=Domain Control Validated, OU=PositiveSSL, CN=www.bejebeje.com

The DNS Subject Alternative Names (SANs) are "www.bejebeje.com" and "bejebeje.com":

X509v3 Subject Alternative Name:
    DNS:www.bejebeje.com, DNS:bejebeje.com

These names do not match the requested name of "api.bejebeje.com"; I suspect that's the mismatch. If you can, I'd recommend re-issuing that certificate with "api.bejebeje.com" added as a DNS SAN.

Castaglia
  • hmm but I'm wanting `api.bejebeje.com` to have its own separate certificate from `bejebeje.com`? – J86 Aug 18 '17 at 15:01
  • That's possible as well; it's a question of convenience for you, really (two different certificates _vs_ one certificate for the different sites). If you _do_ create a new separate certificate for `api.bejebeje.com`, just make sure that it has a DNS SAN for that name; having the CN have that name as well won't hurt. – Castaglia Aug 18 '17 at 15:04
  • Under my DNS settings, I am not seeing `SAN`? I have `A`, `AAAA`, `CNAME` and `MX` records with some more, but `SAN` isn't among them. – J86 Aug 18 '17 at 15:06
  • No no; "DNS SAN" refers to an [_attribute of the SSL certificate_](https://en.wikipedia.org/wiki/Subject_Alternative_Name). There are multiple types of "Subject Alternative Names"; a _DNS_ name is just one of those types. – Castaglia Aug 18 '17 at 15:08
  • Also check the issuer; the cert I see (from 217.23.4.146) is Comodo (hence the PositiveSSL branding) not LetsEncrypt. Note this IP address is the same as for www and 'naked'; should it be? – dave_thompson_085 Aug 18 '17 at 15:25
  • @Castaglia thank you, I checked, and [here is what I see](https://www.screencast.com/t/9VF7K9XIAB). @dave yep **Comodo/PositiveSSL** for `bejebeje.com` and **Let's Encrypt** for `api.bejebeje.com` – J86 Aug 18 '17 at 18:31
  • @Ciwan: I see Comodo (and name mismatch) for api. and so do https://www.ssllabs.com/ssltest/analyze.html?d=api.bejebeje.com and https://www.sslshopper.com/ssl-checker.html#hostname=api.bejebeje.com . Is the address you resolve 217.23.4.146 for all three of api. www. and bejebeje.com as it is for me? – dave_thompson_085 Aug 19 '17 at 01:37
  • @dave_thompson_085 yes the server has one IP Address, and I'm pointing all to that IP Address. That is fine isn't it? – J86 Aug 19 '17 at 07:35
  • @Ciwan: sharing address (and port) should be fine if the server is configured with both certs (and matching keys) and knows when to use which one, but the evidence I and ssllabs and sslshopper got says that condition is not satisfied because the server is in fact giving us the Comodo cert not the LetsEncrypt one. AIUI current IIS with 'require SNI' as you showed _should_ handle this, but I'm not an IIS expert and have no clue why it isn't doing so. – dave_thompson_085 Aug 19 '17 at 19:43

It turns out I didn't have Require Server Name Indication turned on for the other HTTPS domain!

I had it for api.bejebeje.com, but I did not have it on for bejebeje.com.

When I turned it on (in Bindings) for that and cleared my browser cache, the problem went away. I now do not get the browser warnings about the name mismatch.

Thanks.

J86
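The two answers above describe one check from two sides: the first answer reads the CN and DNS SANs out of the certificate and compares them with the requested name, and the comments under it (and the second answer) establish that the name the browser sends in SNI decides which certificate a server hosting several sites on one IP presents. The script below is an added example written for this page, not code from either answer or from IIS or Certify; it does both pieces: `cert_matches_hostname` applies the hostname-matching rule (DNS SANs first, CN only as a fallback, wildcards only as the whole leftmost label) to a certificate in the dict layout Python's `ssl` module returns, and `served_certificate` connects to a host sending a chosen SNI name and returns whatever certificate comes back, with CA validation still on but hostname checking delegated to our own function so a mismatch is reported instead of aborting the handshake. The two certificate dicts are constructed stand-ins: one mirrors the Subject and SAN lines quoted in the first answer, the other is what a correct certificate for the API host would carry.

```python
import socket
import ssl
import sys


def dns_names(cert):
    """Names a certificate is valid for, from the dict layout that
    ssl.SSLSocket.getpeercert() returns. DNS SANs are authoritative; the
    subject commonName is only consulted when there is no DNS SAN at all."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a wildcard is honoured only when it is the
    entire leftmost label, and it matches exactly one label (no subdomains)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        head, _, rest = hostname.partition(".")
        return bool(head) and rest == pattern[2:]
    return False


def cert_matches_hostname(cert, hostname):
    """True when any name the certificate carries covers `hostname`."""
    return any(name_matches(p, hostname) for p in dns_names(cert))


# Constructed stand-in for the certificate quoted in the first answer.
COMODO_CERT = {
    "subject": ((("organizationalUnitName", "Domain Control Validated"),),
                (("organizationalUnitName", "PositiveSSL"),),
                (("commonName", "www.bejebeje.com"),)),
    "subjectAltName": (("DNS", "www.bejebeje.com"), ("DNS", "bejebeje.com")),
}

# Constructed stand-in for a certificate that would be correct for the API host.
API_CERT = {
    "subject": ((("commonName", "api.bejebeje.com"),),),
    "subjectAltName": (("DNS", "api.bejebeje.com"),),
}


def served_certificate(hostname, sni_name=None, port=443, timeout=5.0):
    """Connect to `hostname`, send `sni_name` (default: hostname) in the SNI
    extension, and return the certificate the server presented.

    The chain is still validated against the system CA store (so getpeercert()
    is populated); only the hostname check is switched off, because the point
    is to see and report a mismatching certificate rather than fail on it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name or hostname) as tls:
            return tls.getpeercert()


def report(hostname, sni_name=None):
    """Summarise which names the served certificate carries and whether the
    name we asked for in SNI is among them."""
    requested = sni_name or hostname
    cert = served_certificate(hostname, sni_name)
    return {
        "requested": requested,
        "served_names": dns_names(cert),
        "match": cert_matches_hostname(cert, requested),
    }


if __name__ == "__main__":
    # Usage: python sni_check.py api.example.com www.example.com example.com
    # Each name is both connected to and sent as SNI, so a server that ignores
    # SNI (or a binding without "Require SNI") shows up as served_names that
    # belong to a different site.
    for name in sys.argv[1:]:
        print(report(name))
```

Run against the three names from the thread (api., www. and the bare domain, all on one address) and the output makes the diagnosis direct: before the second answer's fix, the `api.` line would list `www.bejebeje.com` and `bejebeje.com` as served names with `match: False`; after it, the served names are the API certificate's own and `match` is `True`. The offline part (`dns_names`, `name_matches`, `cert_matches_hostname`) needs no network and is what the assertions exercise.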