10

I am provisioning my server on DigitalOcean, and although I am getting an A+ rating from ssllabs,

https://www.ssllabs.com/ssltest/analyze.html?d=zandu.biz

when I connect to my site, https://www.zandu.biz or https://zandu.biz, I get an unsecure notice inside Chrome.

How do I solve this?

Peter Mortensen
The Architect

1 Answer

48

This server could not prove that it is www.zandu.biz; its security certificate is from zandu.biz. This may be caused by a misconfiguration or an attacker intercepting your connection.

The name in your site's certificate is zandu.biz, which is not valid for a different name (www.zandu.biz). Moreover, you have a redirect from zandu.biz to www.zandu.biz, so if you use the name the certificate is valid for it redirects to the name that it isn't.

What you need is to get a certificate with both names.

zrm
  • or better a wildcard cert, i.e. from Letsencrypt – djdomi Aug 14 '19 at 20:11
  • 4
    Wildcard certificates can be more convenient or necessary if the names you intend to use aren't actually known ahead of time. But they also increase your exposure if the associated private key is compromised because then the attacker can forge any name in your domain rather than only the ones that server was actually using. – zrm Aug 14 '19 at 22:37
  • Thank you @zrm. This was very helpful. I went from unsecure to not secure for some reason. It's a step in the right direction. Does this have to do with the fact that it's not signed from a CA, just Let's Encrypt? – The Architect Aug 14 '19 at 23:26
  • 4
    Let's Encrypt is a CA. When they first started out they were [cross-signed by IdenTrust](https://letsencrypt.org/2019/04/15/transitioning-to-isrg-root.html) but that ends in 2020 because their own root certificate is now widely trusted. None of that has anything to do with your problem, which would have been the same either way. – zrm Aug 15 '19 at 00:35
  • 1
    @TheArchitect When you run Let's Encrypt, you should generate certificates for both www.zandu.biz and zandu.biz, then in your configuration reference the appropriate ones so they match which domain the user is loading – Ezekiel Aug 15 '19 at 04:20
  • 8
    **s/Common Name/Subject Alternative Name/** -- Chrome hasn't used Common Name _at all_ for 2 years; other browsers do so only if SAN is absent, which hasn't been true for any (EE) certs from public CAs since before 2010, although you can arrange it for test certs you create yourself. Which is exactly why you _can_ get one cert for multiple domains -- ancient certs using only Common Name couldn't do that. – dave_thompson_085 Aug 15 '19 at 05:40
  • 12
    @djdomi a wildcard certificate for `*.example.com` still doesn't cover the bare domain `example.com`. You still need two values in the SAN. – Michael - sqlbot Aug 15 '19 at 13:18
  • 4
    The bigger reason to avoid a wildcard certificate is that OP is using LetsEncrypt. While LetsEncrypt does support wildcard certificates, this requires a DNS challenge. Satisfying a DNS challenge is harder to automate. Also, automating a DNS challenge may mean that a compromised server will grant attackers access to your DNS. So, it's sufficient to use either a UCC certificate or two certificates (which approach doesn't matter much. Do whichever is easier). – Brian Aug 15 '19 at 14:01
  • @EzekielElin Let's Encrypt automatically provides a SAN for "www.[hostname]" and "[hostname]" without any additional work. – Christopher Schultz Aug 16 '19 at 01:08
  • @ChristopherSchultz I have an LE site with no SAN listed – Ezekiel Aug 16 '19 at 02:21
  • Or just get a cert from any other provider. Most do both the domain and www. when you enter the root domain by default. Just don't register it as www.domain.com – ldrrp Aug 16 '19 at 17:51
  • I also need to make sure I don't send requests for non-HTTPS sites; Chrome doesn't like that. – The Architect Aug 17 '19 at 14:02
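As an added example (my own code, not from the answer or any of the commenters), here is a Python check that applies the name-matching rules the answer and the later comments describe: only Subject Alternative Name dNSName entries count, a Common Name on its own is ignored, and a wildcard covers exactly one label so `*.zandu.biz` does not cover the bare `zandu.biz`. The certificates below are constructed sample dicts in the shape returned by `ssl.SSLSocket.getpeercert()`, not the real zandu.biz certificate; `fetch_peer_cert` is included for checking a live host and is the only part that needs network access.

```python
import socket
import ssl

# Constructed sample certificates in the dict shape that
# ssl.SSLSocket.getpeercert() returns. They are illustrative only and are
# not the real zandu.biz certificate.
CERT_BARE_ONLY = {
    "subject": ((("commonName", "zandu.biz"),),),
    "subjectAltName": (("DNS", "zandu.biz"),),
}
CERT_BOTH_NAMES = {
    "subject": ((("commonName", "zandu.biz"),),),
    "subjectAltName": (("DNS", "zandu.biz"), ("DNS", "www.zandu.biz")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.zandu.biz"),),),
    "subjectAltName": (("DNS", "*.zandu.biz"),),
}
CERT_CN_ONLY = {
    # Common Name but no SAN extension: modern browsers reject this.
    "subject": ((("commonName", "www.zandu.biz"),),),
}


def san_dns_names(cert):
    """Return the dNSName entries of the Subject Alternative Name extension."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def dns_name_matches(pattern, hostname):
    """RFC 6125-style comparison of one SAN dNSName against a hostname.

    A wildcard is honoured only when it is the entire left-most label of a
    pattern with at least two further labels, and it matches exactly one
    label, so "*.zandu.biz" covers "www.zandu.biz" but neither "zandu.biz"
    nor "a.b.zandu.biz".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if the certificate is valid for hostname.

    Like Chrome, only the SAN extension is consulted; a certificate without
    dNSName SANs never matches, whatever its Common Name says.
    """
    return any(dns_name_matches(name, hostname) for name in san_dns_names(cert))


def explain(cert, hostname):
    """Return a short diagnosis in the spirit of the browser warning."""
    names = san_dns_names(cert)
    if cert_covers(cert, hostname):
        return f"OK: certificate is valid for {hostname} (SAN: {', '.join(names)})"
    if not names:
        return "MISMATCH: no SAN dNSName entries; Common Name alone is ignored"
    return f"MISMATCH: {hostname} is not in SAN ({', '.join(names)})"


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Fetch a live server's certificate as a getpeercert() dict (needs network).

    Hostname checking is disabled on the context so that a name-mismatched
    certificate can still be retrieved and explained; chain validation
    against the system trust store is kept.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Run the constructed certificates against both names from the question.
    for label, cert in (("bare-only", CERT_BARE_ONLY), ("both", CERT_BOTH_NAMES),
                        ("wildcard", CERT_WILDCARD), ("cn-only", CERT_CN_ONLY)):
        for host in ("zandu.biz", "www.zandu.biz"):
            print(f"{label:9} {host:14} {explain(cert, host)}")
```

Running the script with a constructed bare-only certificate reproduces the situation in the question: `zandu.biz` passes, `www.zandu.biz` is reported as a mismatch, and the redirect from the covered name to the uncovered one is what makes every visit end on the warning. To inspect a real host, call `explain(fetch_peer_cert(host), host)`.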