yballan

certificate error on website only in internal network

Dear Experts,

When we access our website from our internal network I get "There is a problem with this website’s security certificate." message.
When I access it from outside, I don't have that issue at all. When I view the certificate, it is Parallels, which I believe is the platform the web developer used, but other than that, I don't have any idea how to fix this. This started as soon as we hired a new web developer, and they wanted to host the web pages on their servers. Because this does not happen outside of our network, they will not help us.
Please advise.
Security, SSL / HTTPS, Web Development


8/22/2022 - Mon
masnrock

Does the problem happen in all browsers, or just IE? And does your AD domain name match that of your website?
yballan

ASKER
Yes, it happens with all browsers, and the AD domain name does match the website. I have been looking at the server settings, and trying to see if I can find anything strange in the DNS server role.
masnrock

Does anything look strange about the security certificate? Maybe possible to see info from it?
yballan

ASKER
Certificate is from Parallels Panel, here is the screenshot.
Untitled.png
masnrock

That's not a good sign. You're seeing the old certificate for some reason. And the web server that was onsite is totally disabled, correct? That sounds like an issue that the vendor needs to fix in terms of certificate installation.

I am also guessing that your network's internal DNS entry for "www" was pointing to the correct IP address?
yballan

ASKER
There was never a web server onsite.  It used to be with NetworkSolutions.  Then this company moved it to their own server, and that is when we started to see this problem.  But when I reach out to them, since they cannot replicate the issue (it only happens in our network) they will not fix it.

DNS Server on our main server has a www entry that points to the IP where the website is hosted. In Cloudflare, where DNS info is hosted, the A record for www also points to the same address.

Do you think I should remove the DNS info from our server?
masnrock

Got it. But it still doesn't make any sense that you would get presented with an old SSL certificate. You have nothing to lose in deleting the www entry. Try that first. I also hope they made sure to remove the old SSL certificate (I have seen that cause issues at times too). I assume everything is up to date in terms of browsers within your network.

I just paid more attention, you need to trust the CA. But I am digging some more into this.
yballan

ASKER
OK, I took off www entry, I couldn't get to the website at all from our network, so I put it back.
I will go around trusting the CA on users' PCs. I still don't understand what the difference is between the new webhosting servers and NetworkSolutions servers.
masnrock

In this case, I think they might have done something wrong involving the SSL certificate. Try this as an experiment: From a computer that's not on your network, see what shows up in the certificate information. There should be some certificate authority listed in it. Also see what domain it actually shows for the certificate itself.
yballan

ASKER
Got it, I will look when I get home tonight.
Dirk Kotte

You see a self-signed certificate from the Parallels hosting infrastructure.
Your webpage is hosted on a Parallels server?
With external access you see another certificate (post certificate details if possible).
Feel free to send your URL with PM.
masnrock

My question would be whether you're actually connecting to the correct server while in the office. Do the website people have a way to confirm whether they are actually seeing traffic to the site from your office? If so, then it's more likely an issue involving the way they handled the SSL certificates. (I've seen major vendors like Oracle even screw up SSL certificate installations)
SOLUTION
Scott Fell

yballan

ASKER
Thank you, Experts, I just went back to the web hosting company and verified that they are using the Parallels Platform, and their certificate is by Comodo.

Dear Scott Fell, when you say "you do need to add both the certificate and ca root certificate", you mean the web hosting server needs these certificates?
masnrock

It sounds like there is a self signed certificate that shouldn't be there. Try to get the developer to remove it.
Scott Fell

It is a bit confusing. Do you have access to Plesk? If so, when you go to the certificate area there are 2 boxes. One for the certificate and one for the intermediate.

If your cert requires an intermediate and it does not work using Plesk, then it will be up to the hosting service to add the certificate manually outside of Plesk.

That may not be the issue though. If you can give us the url, we can view the certificate and provide better information to you.
masnrock

@Scott - The author is seeing an expired self signed certificate when accessing the site from the office network, and a proper Comodo certificate when elsewhere. However, the site is handled by an outside company, therefore the author would not have access to Plesk.
yballan

ASKER
Dear Scott, I am a bit confused when you say "If you can give us the url", do you mean to paste it here?  I thought earlier you said that was not allowed????
masnrock

@yballan - Scott was saying that you're not supposed to send the information in a PM, which would give that person an unfair advantage over everyone else. However, if you were going to give out the URL, you would need to post it here, where any expert would be able to look at it and assist (everyone would have the same information).

If you want one on one assistance, that's where the Live feature on here comes into play (at a monetary cost).

But all of that said, it sounds like the web developer needs a good push. There's no reason a publicly accessible website should have a self signed SSL certificate out there.
yballan

ASKER
Dear masnrock,  Ok I understand.
Here it is.
Yes, I am having a great difficulty working with this web developer.  It was against my will to move the website to their server.

www.lmhcare.com

Thank you.
masnrock

Another thing... Comodo is a pretty bad source for SSL certs. They have problems to an extent where a number of sources do not trust them. A number of forever ones keep coming from them. And every so often another chunk of certificates have to get revoked.
yballan

ASKER
I see, what I don't understand is, is the bad certificate on the web hosting servers or in our network?
How can I find the self-signed certificate that seems to be the offending certificate only to us in this local network?
yballan

ASKER
Dear Experts, thank you for giving me direction on this, I will speak to our web hosting company personnel and will use your postings as additional push to get them in action.

Always appreciate your help!!
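
The open question in this thread is whether the bad certificate lives on the hosting server or somewhere on the office side. The sketch below is an added example, not part of any post above: it probes each address the local resolver returns with the site's name as SNI, then compares results gathered inside and outside the network. The function names, the result labels and the sample data are made up for illustration.

```python
import socket
import ssl


def probe(hostname, ip, port=443, timeout=5.0):
    """TLS-connect to one IP with SNI=hostname; report how its certificate verifies."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # verify_message is OpenSSL's reason, e.g. self-signed or expired
        return {"ip": ip, "ok": False, "detail": exc.verify_message}
    issuer = dict(rdn[0] for rdn in cert["issuer"])
    return {"ip": ip, "ok": True, "detail": issuer.get("organizationName", "")}


def probe_all(hostname):
    """Resolve with this machine's resolver, then probe every address returned."""
    infos = socket.getaddrinfo(hostname, 443, type=socket.SOCK_STREAM)
    return [probe(hostname, ip) for ip in sorted({i[4][0] for i in infos})]


def compare(inside, outside):
    """Classify probe_all() results taken inside and outside the office network."""
    if any(not r["ok"] for r in outside):
        return "server-side"         # fails everywhere: hosting company's install
    if all(r["ok"] for r in inside):
        return "no-problem"
    if {r["ip"] for r in inside} != {r["ip"] for r in outside}:
        return "different-endpoint"  # internal DNS leads to another server
    return "internal-path"           # same IP: proxy/firewall or client trust store


# Constructed sample results (documentation-range IPs), not data from the thread.
INSIDE = [{"ip": "192.0.2.10", "ok": False, "detail": "self-signed certificate"}]
OUTSIDE = [{"ip": "198.51.100.7", "ok": True, "detail": "Example CA"}]

if __name__ == "__main__":
    # Replace the samples with probe_all("<site hostname>") run at each location.
    print(compare(INSIDE, OUTSIDE))
```

Run `probe_all()` once on an office PC and once on a machine outside the network, then pass both lists to `compare()`; the IP addresses and failure details it records are what the hosting company needs to reproduce the problem.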