SSL Error

Hi,

I bought an SSL cert from cheapsslsecurity.com a few weeks ago.

I installed it and it has been working fine up until now.

I was on my site this morning and it was working fine; however, all of a sudden, when I visit it now I get the following message:

error
I have a dedicated IP address too, but I don't think I listed it when I was buying / setting up the cert... Is it possible to change that? If so, can you advise how?

ip
Thanks in advance for your help
oo7ml Asked:
 
Dave Howe (Software and Hardware Engineer) Commented:
Oddly, when I went and fetched the certificate from the site I had no issues with the cert - the command:

openssl s_client -connect 46.22.134.64:443 -showcerts

got me the certificate, as expected, and inspection showed an AIA URL of
http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt

which gave the correct intermediate (and testing showed a good signature chain all the way up to the AddTrust External CA Root). In your place I would suspect an intercepting proxy is in place, and is attempting to "spoof" the certificate, as indicated by the warning. Fetch the certificate again, and check it (and its public key thumbprint, which I see as 12 6f d3 9a 62 3f f3 41 24 34 f2 cc ec a2 42 65 4f 6f 84 a8 from here) against the issued cert you installed.
0
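
Added example (not part of the original thread or of Dave Howe's comment): one way to run the comparison suggested above, assuming the thumbprint is the SHA-1 hash of the DER-encoded certificate as certificate viewers display it. The certificate bytes and the s_client output are constructed stand-ins, and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def der_certs(text):
    """DER bytes of each PEM block, in the order s_client -showcerts prints them."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]

def parse_thumbprint(text):
    """Accept '12 6f d3', '12:6F:D3' or '126fd3'; return raw bytes."""
    return bytes.fromhex(text.replace(":", " "))

def leaf_matches(served_output, expected, algo="sha1"):
    """Compare the first (leaf) certificate served against an expected thumbprint."""
    certs = der_certs(served_output)
    if not certs:
        raise ValueError("no certificate found in s_client output")
    served = hashlib.new(algo, certs[0]).digest()
    return hmac.compare_digest(served, parse_thumbprint(expected))

def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

# Constructed stand-ins for DER certificates (arbitrary bytes, not real X.509).
ISSUED_LEAF = b"constructed leaf certificate as issued by the CA"
PROXY_LEAF = b"constructed leaf re-signed by an intercepting proxy"
INTERMEDIATE = b"constructed intermediate certificate"

def fake_s_client(leaf):
    """Constructed output in the shape of `openssl s_client -showcerts`."""
    return ("CONNECTED(00000003)\n---\nCertificate chain\n 0 s:CN = example.test\n"
            + to_pem(leaf) + " 1 s:CN = Constructed Intermediate CA\n"
            + to_pem(INTERMEDIATE) + "---\n")

# Thumbprint of the certificate that was installed, as a viewer would show it.
EXPECTED = hashlib.sha1(ISSUED_LEAF).hexdigest().upper()

if __name__ == "__main__":
    for name, leaf in (("direct", ISSUED_LEAF), ("via proxy", PROXY_LEAF)):
        ok = leaf_matches(fake_s_client(leaf), EXPECTED)
        print(f"{name}: {'match' if ok else 'MISMATCH - different cert served'}")
```

With real data, feed the saved output of the openssl command from the comment above to leaf_matches and pass the thumbprint of the issued certificate as the expected value.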
 
oo7ml (Author) Commented:
Thanks Dave, strangely enough... I refreshed my browser when I got home, and it was working fine again.

Any advice on specifying a dedicated IP?
0
 
Dave Howe (Software and Hardware Engineer) Commented:
You already seem to have one - if you see my notes from the testing, I specified an IP, not a domain name, when fetching your cert using OpenSSL - and got the right cert.
0
 
oo7ml (Author) Commented:
Thanks Dave, much appreciated.

On a separate note, why do most hosting companies charge on average €100 for an SSL cert when you can buy them for €7 on cheapsslsecurity.com?
0
 
Dave Howe (Software and Hardware Engineer) Commented:
Because the bigger names are still clinging to a pricing model that was valid back when there were only a handful of CAs, all based in the USA. A Verisign cert (for example) is no more or less valid than a GoDaddy one, but 10x the price.
0
 
oo7ml (Author) Commented:
Ah ok cool, thanks again for all of your help, much appreciated.
0
 
Dave Howe (Software and Hardware Engineer) Commented:
NP. With any luck, we will find something better in the future - there is no real reason why, once DNS is digitally signed, we should continue to pay a CA to demonstrate someone gave them money....
0
 
oo7ml (Author) Commented:
Yeah, the whole process seems a bit outdated. Surely every website should be encrypted by now using a standardised system.
0
 
Dave Howe (Software and Hardware Engineer) Commented:
Nothing wrong with the underlying idea - using PKI to protect a session key, or in the case of DHE, protect the negotiation of a session key.  The issue is in
a) having to pay a CA to certify your key is your key
b) having to trust a CA does a good enough job of checking that for your $30 or whatever that you can rely on it for a $1M transaction...
0
 
oo7ml (Author) Commented:
Ok cool, thanks Dave, appreciate you coming back to explain all of that.
0
Question has a verified solution.
