Solved

SSL Error

Posted on 2015-02-18
Last Modified: 2015-02-19
Hi,

I bought an SSL cert from cheapsslsecurity.com a few weeks ago.

I installed it and it has been working fine up until now.

I was on my site this morning and it was working fine, however, all of a sudden when I visit it now I get the following message:

[Image: error]
I have a dedicated IP address too, but maybe I don't think I listed it when I was buying / setting up the cert... is it possible to change that? If so, can you advise how?

[Image: ip]
Thanks in advance for your help
0
Question by:oo7ml
10 Comments
 
LVL 33

Accepted Solution

by:Dave Howe (earned 500 total points)
ID: 40617690
Oddly, when I went and fetched the certificate from the site I had no issues with the cert - the command:

openssl s_client -connect 46.22.134.64:443 -showcerts

got me the certificate, as expected, and inspection showed an AIA URL of
http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt

which gave the correct intermediate (and testing showed a good signature chain all the way up to the AddTrust External CA Root). In your place I would suspect an intercepting proxy is in place, and is attempting to "spoof" the certificate, as indicated by the warning. Fetch the certificate again, and check it (and its public key thumbprint, which I see as 12 6f d3 9a 62 3f f3 41 24 34 f2 cc ec a2 42 65 4f 6f 84 a8 from here) against the issued cert you installed.
0
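The check described in the answer above, as an added example that is not part of the original post: it fetches the certificate the server presents and compares its SHA-1 fingerprint with the issued certificate file you installed. The function names and script arguments are assumptions, and it assumes the thumbprint quoted above is the SHA-1 fingerprint of the certificate (the 20-byte value `openssl x509 -fingerprint -sha1` prints).

```shell
#!/bin/sh
# Added example: is the server presenting the certificate you installed?
# Usage: sh check_cert.sh host:port issued.crt [sni-name]

# Reduce any fingerprint notation ("12 6f d3 ...", "12:6F:D3:...",
# "SHA1 Fingerprint=12:6F:...") to bare lowercase hex.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ' :\n' | tr 'A-F' 'a-f'
}

# SHA-1 fingerprint of the PEM certificate read from stdin.
# Prints an empty string if stdin holds no certificate.
pem_fp() {
    normalize_fp "$(openssl x509 -noout -fingerprint -sha1 2>/dev/null)"
}

# Leaf certificate presented by host:port ($1), optional SNI name ($2).
# openssl x509 keeps only the first PEM block, which is the leaf.
served_pem() {
    openssl s_client -connect "$1" ${2:+-servername "$2"} </dev/null 2>/dev/null |
        openssl x509 2>/dev/null
}

# Succeeds only when both fingerprints are non-empty and identical
# once their notation is normalised.
same_fp() {
    [ -n "$1" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

if [ "$#" -ge 2 ]; then
    served=$(served_pem "$1" "${3:-}" | pem_fp)
    issued=$(pem_fp < "$2")
    echo "served: ${served:-<no certificate received>}"
    echo "issued: ${issued:-<could not read $2>}"
    if same_fp "$served" "$issued"; then
        echo "MATCH: the server presents the certificate you installed"
    else
        # A proxy in the path, or a different cert bound on the server.
        echo "MISMATCH: the endpoint you reached presents a different certificate"
        exit 1
    fi
fi
```

Run it once from the network that shows the browser warning and once from a network you trust; a mismatch on only one of them points at something in that path rather than at the server.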
 

Author Comment

by:oo7ml
ID: 40617730
Thanks Dave, strangely enough... I refreshed my browser when I got home, and it was working fine again.

Any advice on specifying a dedicated IP?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618339
You already seem to have one - if you see my notes from the testing, I specified an IP, not a domain name, when fetching your cert using OpenSSL - and got the right cert.
0

 

Author Comment

by:oo7ml
ID: 40618440
Thanks Dave, much appreciated.

On a separate note, why do most hosting companies charge on average €100 for an SSL cert when you can buy them for €7 on cheapsslsecurity.com?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618599
Because the bigger names are still clinging to a pricing model that was valid back when there were only a handful of CAs, all based in the USA. A Verisign cert (for example) is no more or less valid than a GoDaddy one, but 10x the price.
0
 

Author Comment

by:oo7ml
ID: 40618615
Ah ok cool, thanks again for all of your help, much appreciated.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618651
NP. With any luck, we will find something better in the future - there is no real reason why, once DNS is digitally signed, we should continue to pay a CA to demonstrate someone gave them money....
0
 

Author Comment

by:oo7ml
ID: 40618676
Yeah, the whole process seems a bit outdated. Surely every website should be encrypted by now using a standardised system.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618982
Nothing wrong with the underlying idea - using PKI to protect a session key, or in the case of DHE, protect the negotiation of a session key.  The issue is in
a) having to pay a CA to certify your key is your key
b) having to trust a CA does a good enough job of checking that for your $30 or whatever that you can rely on it for a $1M transaction...
0
 

Author Comment

by:oo7ml
ID: 40619024
Ok cool, thanks Dave, appreciate you coming back to explain all of that.
0
