
I am running into a weird problem. We just took our SSL-enabled site live. But when I went to the site, it gave the "SEC_ERROR_UNKNOWN_ISSUER" error. When I then look at the certificate detail or the SSL Checker on sslshopper.com, it shows a weird set of CSR information:

(Web browser certificate)

But when I ran the CSR decoder on the CSR file on my server, it showed the proper common name and organization information, which is different from what is shown in the website certificate detail (in the screenshot above):

(Server CSR screenshot)

I also ran a certificate key matcher (https://www.sslshopper.com/certificate-key-matcher.html) using the crt, key and csr files on the server; the certificate matches the private key on the server AND the certificate matches the csr as well.

So I am confused as to why the website is returning different certificate content (common name, etc.) and giving the error.

Gerald Schneider
Judy

1 Answer


The screenshot for SSL checker shows an IP address of 162.209.88.109 (i.e. hosted at Rackspace) for this site and an issuer of "helotes" for the certificate - which suggests that some self-issued certificate was used here.

But, the current DNS lookup shows an IP address of 50.56.149.253 (hosted at Liquidweb) and the SSLLabs analysis shows a properly set up publicly trusted certificate for this site.

My guess is that not only was a new certificate created but the site was also moved to a different provider. But changes to the DNS setup are not reflected immediately (it can take hours or even a day, depending on the setup of the DNS records), which means that SSL checker still showed the older setup.

Steffen Ullrich
  • Hi, Steffen, First, thank you for your help. Sorry for the confusion, but we actually had to move the DNS back to the previous server (50.56.149.253) after the SSL failed earlier. That's why the DNS lookup is different from the screenshot of SSL checker. My confusion is: if the crt, csr and the bundle crt file on the new server (162.209.88.109) all show the proper issuer and common name when I run the decoder individually, why would the SSL checker show a different issuer when I ran the SSL check on the domain name? – Judy Dec 21 '17 at 19:32
  • @Judy: If checks on the individual __files__ are fine but checks on the __server__ are not, then I would suggest that the files are not properly installed at the server: maybe some previous configuration has preference, maybe the wrong server was configured, maybe ... It is actually impossible to say since information about your setup (both intended and actual) is not known. – Steffen Ullrich Dec 21 '17 at 20:42
  • Hi, Steffen, You are absolutely correct. It turns out the website was still pulling the default certificate file and not the site-specific certificate file. I adjusted the server setting and everything is working now. Thank you so much for your help. – Judy Dec 21 '17 at 22:39
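
The files-versus-server check discussed in the comments, as an added example that is not part of the original thread: connect to the new server by IP address while sending the site's hostname as SNI, then compare the certificate it actually presents with the one in the installed file. The function names, `example.com`, `203.0.113.10` and the file path in the comments are assumptions; the sample certificate bytes are constructed placeholders.

```python
import hashlib
import socket
import ssl

FOOTER = "-----END CERTIFICATE-----"


def pem_fingerprint(pem_text: str) -> str:
    """SHA-256 of the first certificate in a PEM file (the leaf in a crt+bundle file)."""
    start = pem_text.index("-----BEGIN CERTIFICATE-----")
    end = pem_text.index(FOOTER, start) + len(FOOTER)
    der = ssl.PEM_cert_to_DER_cert(pem_text[start:end])
    return hashlib.sha256(der).hexdigest()


def served_der(ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Leaf certificate the server at `ip` presents when asked for hostname `sni`.

    Connecting by IP bypasses DNS, so a server can be checked before (or after)
    the DNS records point at it. Verification is disabled on purpose: this is an
    inspection tool and must also retrieve an untrusted default certificate.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def same_certificate(installed_pem: str, presented_der: bytes) -> bool:
    """True when the server presents exactly the certificate stored in the file."""
    return pem_fingerprint(installed_pem) == hashlib.sha256(presented_der).hexdigest()


if __name__ == "__main__":
    # Offline demonstration with constructed bytes standing in for real certificates.
    site_der = b"constructed site-specific certificate"
    default_der = b"constructed default vhost certificate"
    site_pem = ssl.DER_cert_to_PEM_cert(site_der)
    print("site cert served:   ", same_certificate(site_pem, site_der))
    print("default cert served:", same_certificate(site_pem, default_der))
    # Live use (placeholder values):
    #   pem = open("/path/to/site.crt").read()
    #   same_certificate(pem, served_der("203.0.113.10", "example.com"))
```

A `False` result from the live check, while the file itself decodes correctly, points at the server configuration (for example a default certificate taking precedence) rather than at the certificate files.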