Why do I get an SSL misconfiguration error? - ssl

I installed the SSL certificate on my server but I have this error:
This server could not prove that it is spdns.ir; its security certificate is from vmi90749. This may be caused by a misconfiguration or an attacker intercepting your connection.
Can anyone explain to me what the problem is and how I should fix it?
Thanks

The error is quite self-descriptive. The certificate is issued to the name vmi90749, while you are trying to access the name spdns.ir. There is nothing in common between them. You need to install a certificate that is issued to the name spdns.ir and make sure it is issued by a trusted authority, preferably a globally trusted CA vendor (there are CAs that issue certificates for free).
As a side note: when requesting a new certificate for the name spdns.ir, make sure that the name is added to the Subject Alternative Names certificate extension. Google Chrome deprecated the Subject field.

Related

SSL Certificate error : Invalid CA

Can someone explain why this site https://whatsmychaincert.com/?www.uts.edu.au gives an error in certificate chain:
An error occurred when building the chain for this certificate. The certificate might lack necessary meta-data or its certificate authority might be malfunctioning. Details:
The chain contains an untrusted certificate without standard CA issuer information (subject = "C=BM, O=QuoVadis Limited, CN=QuoVadis Global SSL ICA G3"; issuer = "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3"; error code = 20)
But if I test the same thing on other verification sites like https://www.sslshopper.com/ssl-checker.html and https://www.digicert.com/help/ there are no issues reported?
Will appreciate any help here.

This site whatsmychaincert is not trusting the root certificate because, as said in the error message, it doesn't know the issuer "C=BM, O=QuoVadis Limited, CN=QuoVadis Root CA 2 G3".
However, both other sites know this issuer and say the certificate is valid. When testing with SSL Labs, which most people use to check that kind of thing, it also says everything is OK ( https://www.ssllabs.com/ssltest/analyze.html?d=www.uts.edu.au ). SSL Labs gives lots of details, including all certificates sent by the web server, so you see exactly the behavior.

Would a wildcard SSL Certificate work without a sub-domain?

We have to update our SSL certificate for another year with a new COMODORS certificate.
We've had an old certificate (GeoTrust) with *.domain.ch which is correct from the naming aspect but expired from the date.
Now we've falsely made one with *domain.ch without the first dot. This should be a wildcard certificate for our domain.ch.
Will this work or can this be the problem for server not starting after this SSL certificate update?

No, it will not work. This certificate will match against wwwdomain.ch but not www.domain.ch. But no public CA should issue such a certificate in the first place, since you could this way impersonate foo-domain.ch etc., i.e. domains which don't belong to you.
If this certificate is in a pipeline to get issued then it won't get issued. If it got issued erroneously then you have to re-issue the certificate from the vendor or the CA, as the *domain.ch won't work.
can this be the problem for server not starting after this SSL certificate update?
Server won't start as there is a mismatch in the domain name.
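
The matching rules behind the name-mismatch answer at the top of the page and the wildcard answer above, as an added example (not code from any of the posters). It runs on constructed certificates in the dict shape returned by Python's ssl.SSLSocket.getpeercert(); the function names and the cn_fallback / allow_partial switches are hypothetical. allow_partial=True reproduces the permissive partial-label matching the answer describes, while stricter clients refuse a pattern like *domain.ch altogether.

```python
# Constructed samples in the dict shape returned by ssl.SSLSocket.getpeercert().
DEFAULT_CERT = {"subject": ((("commonName", "vmi90749"),),)}
CN_ONLY = {"subject": ((("commonName", "spdns.ir"),),)}
WITH_SAN = {"subject": ((("commonName", "spdns.ir"),),),
            "subjectAltName": (("DNS", "spdns.ir"),)}
WILD_DOT = {"subjectAltName": (("DNS", "*.domain.ch"),)}
WILD_NODOT = {"subjectAltName": (("DNS", "*domain.ch"),)}

def label_matches(pattern, label, allow_partial):
    """Match one DNS label against a pattern label holding at most one '*'."""
    if "*" not in pattern:
        return pattern == label
    if pattern == "*":
        return len(label) > 0
    if not allow_partial or pattern.count("*") != 1:
        return False  # strict clients refuse partial-label wildcards outright
    prefix, suffix = pattern.split("*")
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))

def name_matches(pattern, host, allow_partial=True):
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    # '*' is honoured only in the leftmost label and never spans a dot, so both
    # names need the same label count and identical labels after the first.
    if len(p) != len(h) or p[1:] != h[1:]:
        return False
    return label_matches(p[0], h[0], allow_partial)

def cert_names(cert, cn_fallback=False):
    """Names the client compares: SAN DNS entries, or the Subject CN if allowed."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans or not cn_fallback:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def host_ok(cert, host, cn_fallback=False, allow_partial=True):
    names = cert_names(cert, cn_fallback)
    return any(name_matches(n, host, allow_partial) for n in names)

if __name__ == "__main__":
    for cert, host in [(DEFAULT_CERT, "spdns.ir"), (WITH_SAN, "spdns.ir"),
                       (WILD_DOT, "domain.ch"), (WILD_NODOT, "wwwdomain.ch")]:
        print(cert_names(cert, True), host, host_ok(cert, host))
```

With cn_fallback left at False, the CN_ONLY sample fails for spdns.ir even though its Subject names that host, which is the situation the side note about Subject Alternative Names warns about.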

SSL Certificate error for mailserver

I have a VPS with a shared IP. Now, I want to use SSL/TLS for the mailserver. I was wondering what kind of certificate I need for the mailserver. So, do I need to issue a certificate on the hostname? Because I get an untrusted error in Outlook if I change the settings. I think this is the same issue as when I log in to the control panel of Plesk: I get an error message that the certificate is not trusted, because it is not signed by a CA. I know that Plesk issues a self-signed certificate. So again, I don't know if I have to issue a certificate on the domain; however, I think then I will also get an error, because hostname and domain name are not the same. Can somebody support me?

Yes, you will have to purchase an SSL certificate for the hostname, so that all your clients will use your server hostname in the mail client settings with the SSL connection.

Does the certificate need to be official or self signed?

I am putting a web test up for clients that visit "https://oursite.com/poodlesecurityfailed.js"
Question,
Do I need a valid certificate even though it's on a test domain for certificate negotiation? If client can visit it, they failed the poodle test. (SSLv3 is enabled) on that host.
Ideas?

Do I need a valid certificate even though it's on a test domain for certificate negotiation? If client can visit it, they failed the poodle test. (SSLv3 is enabled) on that host.
Depends on the client.
If the client has enough knowledge to understand that "invalid certificate" when accessing the site means in reality that the client still has SSL 3.0 enabled, then a self-signed certificate would be enough.
If you instead want to provide an explanation of the problem at this site and don't expect the client to explicitly accept an invalid certificate just to see this explanation, then you should use a properly trusted certificate.

SSL Certificate Validity

I'm using an SSL certificate from GeoTrust. I just ordered and installed it this weekend.
However, when I try to access my website using https, Firefox (and the other browsers as well) warns that the certificate expired a few days ago.
I guess there could be two reasons:
I made a mistake during the installation of the certificate
Geotrust did not sign the certificate properly.
First I want to rule out the second reason considering my browser tells me the certificate expired a few days ago. This does not make sense at all.
Is there a way to extract the expiration date from the certificate?
Thanks!

Sure.... check the certificate in the browser. Click on the not valid warning / broken SSL symbol in the address bar, it should give you an option to view the certificate ;)

TomTom's answer is right on!
Just about any browser will let you see the details of the certificate. There's always a Valid From field and a Valid To field describing the cert's validity period.
Also - check the subject DN and issuer DN. The Subject DN describes your server, the Issuer DN describes the signer. The issuer should be GeoTrust - if the issuer is not GeoTrust, you are not configured correctly, you are likely to be using the cert that came with the web server.
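
The checks from the two answers above (validity dates first, then subject and issuer DN), as an added example that is not code from the posters. It runs on constructed certificates in the dict shape returned by ssl.SSLSocket.getpeercert(); the triage and dn_text names, the hostnames, the dates and the issuer organisation string are assumptions made for illustration.

```python
import ssl
from datetime import datetime, timezone

# Constructed samples; names and dates are made up for illustration.
SERVER_DEFAULT = {  # the kind of certificate that ships with a web server
    "subject": ((("commonName", "localhost.localdomain"),),),
    "issuer": ((("commonName", "localhost.localdomain"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2024 GMT",
}
ORDERED = {  # what the freshly ordered certificate should look like
    "subject": ((("commonName", "www.example.test"),),),
    "issuer": ((("organizationName", "GeoTrust Inc."),),
               (("commonName", "Example Issuing CA"),)),
    "notBefore": "Jan  3 00:00:00 2024 GMT",
    "notAfter": "Jan  3 00:00:00 2025 GMT",
}

def dn_text(dn):
    """Flatten a getpeercert() DN into 'key=value, key=value'."""
    return ", ".join(f"{k}={v}" for rdn in dn for k, v in rdn)

def triage(cert, expected_issuer, now):
    """Return findings for the served certificate: dates, then DNs."""
    findings = []
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    ts = now.timestamp()
    if ts < start:
        findings.append("not valid yet")
    elif ts > end:
        findings.append(f"expired {int((ts - end) // 86400)} days ago")
    if cert["issuer"] == cert["subject"]:
        findings.append("self-issued: subject equals issuer")
    issuer = dn_text(cert["issuer"])
    if expected_issuer.lower() not in issuer.lower():
        findings.append(f"issuer is '{issuer}', not {expected_issuer}")
    return findings

if __name__ == "__main__":
    now = datetime(2024, 1, 6, tzinfo=timezone.utc)  # fixed date for the demo
    for name, cert in (("served", SERVER_DEFAULT), ("ordered", ORDERED)):
        print(name, triage(cert, "GeoTrust", now) or "no findings")
```

An expired date together with an unexpected issuer points at the server still presenting its old or default certificate rather than at a signing mistake by the CA.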