certificate error on website only in internal network

Dear Experts,

When we access our website from our internal network I get "There is a problem with this website’s security certificate." message.
When I access it from outside, I don't have that issue at all.  When I view the certificate, it is Parallell, which I believe it is the platform web developer used, but other than that, I don't have any idea how to fix this.  This started as soon as we hired a new web developer, and they wanted to host the web pages on their servers.  Because this does not happen outside of our network, they will not help us.
Please adviese.
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Does the problem happen in all browsers, or just IE? And does your AD domain name match that of your website?
yballanAuthor Commented:
Yes, It happens with all browsers, and AD domain name does match the website.  I  have been looking at the server settings, and trying to see if I can find anything strange in DNS server role.
Does anything look strange about the security certificate? Maybe possible to see info from it?
Get a highly available system for cyber protection

The Acronis SDI Appliance is a new plug-n-play solution with pre-configured Acronis Software-Defined Infrastructure software that gives service providers and enterprises ready access to a fault-tolerant system, which combines universal storage and high-performance virtualization.

yballanAuthor Commented:
Certificate is from Parallell Panel, here is the screenshot.
That's not a good sign. You're seeing the old certificate for some reason. And the web server that was onsite is totally disabled, correct? That sounds like an issue that the vendor needs to fix in terms of certificate installation.

I am also guessing that your network's internal DNS entry for "www" was pointing to the correct IP address?
yballanAuthor Commented:
There was never a web server onsite.  It used to be with NetworkSolutions.  Then this company moved it to their own server, and that is when we started to see this problem.  But when I reach out to them, since they cannot replicate the issue (it only happens in our network) they will not fix it.

DNS Server on our main server has www entry that points to the IP where the website is hosted.  In CloudFlair, where DNS info is hosted, the A record for www also points to the same address.

Do you think I should remove the DNS info from our server?
Got it. But it still doesn't make any sense that you would get presented with an old SSL certificate. You have nothing to lose in deleting the www entry. Try that first. I also hope they made sure to remove the old SSL certificate (I have seen that cause issues at times too). I assume everything is up to date in terms of browsers within your network.

I just paid more attention, you need to trust the CA. But I am digging some more into this.
yballanAuthor Commented:
OK, I took off www entry, I couldn't get to the website at all from our network, so I put it back.
I will go around trusting the CA on users PC.  I still don't understand what the difference is between the new webhosting servers and NetworkSolutions servers.
In this case, I think they might have done something wrong involving the SSL certificate. Try this as an experiment: From a computer that's not on your network, see what shows up in the certificate information. There should be some certificate authority listed in it. Also see what domain it actually shows for the certificate itself.
yballanAuthor Commented:
Got it, I will look when I get home tonight.
Dirk KotteSECommented:
you see a self-signed certificate from parallels hosting infrastructure.
your webpage is hosted on parallels server?
with external access you see another certificate (post certificate details if possible)
Feel free to send your URL with PM.
My question would be whether you're actually connecting to the correct server while in the office. Do the website people have a way to confirm whether they are actually seeing traffic to the site from your office? If so, then it's more likely an issue involving the way they handled the SSL certificates. (I've seen major vendors like Oracle even screw up SSL certificate installations)
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
> Feel free to send your URL with PM.

While a good suggestion, that is not allowed.  Everything should be posted publicly to give all Experts the same chance to come up with a solution.  Members can pay for a private Live session for one on one support if needed.

In any case, it will help us to view the url so we can see the certificate.  

In plesk, you do need to add both the certificate and ca root certificate. There are two text box's, one for each.  If still having issues, https://support.plesk.com/hc/en-us/articles/213907565-Warning-when-login-to-Plesk-This-ca-root-certificate-is-not-trusted.
yballanAuthor Commented:
Thank you, Experts, I just went back to web hosting company and verified that they are using Parallel Platform, and their certificate is by Comodo.

Dear Scott Fell, when you say "you do need to add both the certificate and ca root certificate", you mean the web hosting server needs these certificates?
It sounds like there is a self signed certificate that shouldn't be there. Try to get the developer to remove it.
Scott Fell, EE MVEDeveloper & EE ModeratorCommented:
It is a bit confusing.  Do you have access to Plesk? If so, when you go to the certificate area there are 2 box's. One for the certificate and one for the intermediate.  

If your cert requires an intermediate and it does not work using Plesk, then it will be up to the hosting service to add the certificate manually outside of Plesk.

That may not be the issue though. If you can give us the url, we can view the certificate and provide better information to you.
@Scott - The author is seeing an expired self signed certificate when accessing the site from the office network, and a proper Comodo certificate when elsewhere. However, the site is handled by an outside company, therefore the author would not have access to Plesk.
yballanAuthor Commented:
Dear Scott, I am a bit confused when you say "If you can give us the url", do you mean to paste it here?  I thought earlier you said that was not allowed????
@yballan - Scott was saying that you're not supposed to send the information in a PM, which would give that person an unfair advantage over everyone else. However, if you were going to give out the URL, you would need to post it here , where any expert would be able to look at it and assist (everyone would have the same information).

If you want one on one assistance, that's where the Live feature on here comes into play (at a monetary cost).

But all of that said, it sounds like the web developer needs a good push. There's no reason a publicly accessible website should have a self signed SSL certificate out there.
yballanAuthor Commented:
Dear masnrock,  Ok I understand.
Here it is.
Yes, I am having a great difficulty working with this web developer.  It was against my will to move the website to their server.


Thank you.
Another thing..  Comodo is a pretty bad source for SSL certs. They have problems to an exyenr where a number of sources do not trust them. A number of forever ones keep coming from them.. And every so often another chunk of certificates have to get revoked.
yballanAuthor Commented:
I see, what I don't understand is, is the bad certificate on the web hosting servers or in our network?
How can I find the self-signed certificate that seems to be the offending certificate only to us in this local network?
The certificate would come from the web hosting server. I assume that you're not running a proxy or anything like one, correct (and even then, you wouldn't get a self signed certificate like you're getting).

At this point, I'm not certain of why it's your network specifically, but on the other side of it, that doesn't explain the presence of a self-signed certificate.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
yballanAuthor Commented:
Dear Experts, thank you for giving me direction on this, I will speak to our web hosting company personnel and will use your postings as additional push to get them in action.

Always appreciate your help!!
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.