Solved

SSL Error

Posted on 2015-02-18
Last Modified: 2015-02-19
Hi,

I bought an SSL cert from cheapsslsecurity.com a few weeks ago.

I installed it and it has been working fine up until now.

I was on my site this morning and it was working fine, however all of a sudden when I visit it now I get the following message:

error
I have a dedicated IP address too, but maybe I don't think I listed it when I was buying / setting up the cert... is it possible to change that? If so, can you advise how?

ip
Thanks in advance for your help
Question by:oo7ml
10 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 40617690
Oddly, when I went and fetched the certificate from the site I had no issues with the cert - the command:

openssl s_client -connect 46.22.134.64:443 -showcerts

got me the certificate, as expected, and inspection showed an AIA URL of
http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt

which gave the correct intermediate (and testing showed a good signature chain all the way up to the AddTrust External CA Root). In your place I would suspect an intercepting proxy is in place, and is attempting to "spoof" the certificate, as indicated by the warning. Fetch the certificate again, and check it (and its public key thumbprint, which I see as 12 6f d3 9a 62 3f f3 41 24 34 f2 cc ec a2 42 65 4f 6f 84 a8 from here) against the issued cert you installed.
0
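The thumbprint comparison suggested in the answer above, as an added example that is not part of the original post. It assumes the thumbprint is the SHA-1 digest of the DER-encoded certificate (the post does not say how its value was computed); the function names are hypothetical and the sample bytes are constructed stand-ins, not real certificates.

```python
import hashlib
import socket
import ssl


def normalize(thumbprint: str) -> str:
    """Turn '12 6f d3 ...' or '12:6F:D3:...' into bare lowercase hex."""
    return "".join(c for c in thumbprint.lower() if c in "0123456789abcdef")


def thumbprint_der(der: bytes) -> str:
    """SHA-1 over the DER bytes (assumed thumbprint definition, see lead-in)."""
    return hashlib.sha1(der).hexdigest()


def fetch_served_der(host: str, port: int = 443, server_name=None) -> bytes:
    """Fetch the leaf certificate presented on the wire.

    Validation is switched off on purpose: a substituted certificate has to
    be retrieved, not rejected, so that it can be compared afterwards.
    server_name=None sends no SNI, like connecting to the bare IP address.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            return tls.getpeercert(binary_form=True)


def check(served_der: bytes, installed_pem: str, reference: str = None) -> dict:
    """Compare the served certificate with the installed PEM file's content
    and, optionally, with a thumbprint someone else observed."""
    served = thumbprint_der(served_der)
    installed = thumbprint_der(ssl.PEM_cert_to_DER_cert(installed_pem.strip()))
    result = {"served": served, "matches_installed": served == installed}
    if reference is not None:
        result["matches_reference"] = served == normalize(reference)
    return result


# Constructed stand-in bytes so the comparison runs offline.
ISSUED_DER = b"constructed-issued-certificate-bytes"
PROXY_DER = b"constructed-proxy-minted-certificate-bytes"
ISSUED_PEM = ssl.DER_cert_to_PEM_cert(ISSUED_DER)

if __name__ == "__main__":
    print(check(ISSUED_DER, ISSUED_PEM))   # same certificate end to end
    print(check(PROXY_DER, ISSUED_PEM))    # something in the path swapped it
```

Against a live server, pass the result of `fetch_served_der(...)` as `served_der` and the contents of the installed certificate file as `installed_pem`; a mismatch seen from only one network points at that network's path rather than at the server.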
 

Author Comment

by:oo7ml
ID: 40617730
Thanks Dave, strangely enough... I refreshed my browser when I got home, and it was working fine again.

Any advice on specifying a dedicated IP?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618339
You already seem to have one - if you see my notes from the testing, I specified an IP, not a domain name, when fetching your cert using OpenSSL - and got the right cert.
0
 

Author Comment

by:oo7ml
ID: 40618440
Thanks Dave, much appreciated.

On a separate note, why do most hosting companies charge on average €100 for an SSL cert when you can buy them for €7 on cheapsslsecurity.com?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618599
Because the bigger names are still clinging to a pricing model that was valid back when there were only a handful of CAs, all based in the USA. A Verisign cert (for example) is no more or less valid than a GoDaddy one, but 10x the price.
0
 

Author Comment

by:oo7ml
ID: 40618615
Ah ok cool, thanks again for all of your help, much appreciated.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618651
NP. With any luck, we will find something better in the future - there is no real reason why, once DNS is digitally signed, we should continue to pay a CA to demonstrate someone gave them money....
0
 

Author Comment

by:oo7ml
ID: 40618676
Yeah, the whole process seems a bit outdated. Surely every website should be encrypted by now using a standardised system.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 40618982
Nothing wrong with the underlying idea - using PKI to protect a session key, or in the case of DHE, protect the negotiation of a session key.  The issue is in
a) having to pay a CA to certify your key is your key
b) having to trust a CA does a good enough job of checking that for your $30 or whatever that you can rely on it for a $1M transaction...
0
 

Author Comment

by:oo7ml
ID: 40619024
Ok cool, thanks Dave, appreciate you coming back to explain all of that.
0
