certificate error on website only in internal network

yballan
Dear Experts,

When we access our website from our internal network I get "There is a problem with this website’s security certificate." message.
When I access it from outside, I don't have that issue at all.  When I view the certificate, it is Parallels, which I believe is the platform the web developer used, but other than that, I don't have any idea how to fix this.  This started as soon as we hired a new web developer, and they wanted to host the web pages on their servers.  Because this does not happen outside of our network, they will not help us.
Please advise.
Distinguished Expert 2018

Commented:
Does the problem happen in all browsers, or just IE? And does your AD domain name match that of your website?

Author

Commented:
Yes, it happens with all browsers, and the AD domain name does match the website. I have been looking at the server settings, and trying to see if I can find anything strange in the DNS server role.
Distinguished Expert 2018

Commented:
Does anything look strange about the security certificate? Maybe possible to see info from it?

Author

Commented:
Certificate is from Parallels Panel, here is the screenshot.
Untitled.png
Distinguished Expert 2018

Commented:
That's not a good sign. You're seeing the old certificate for some reason. And the web server that was onsite is totally disabled, correct? That sounds like an issue that the vendor needs to fix in terms of certificate installation.

I am also guessing that your network's internal DNS entry for "www" was pointing to the correct IP address?

Author

Commented:
There was never a web server onsite.  It used to be with NetworkSolutions.  Then this company moved it to their own server, and that is when we started to see this problem.  But when I reach out to them, since they cannot replicate the issue (it only happens in our network) they will not fix it.

DNS Server on our main server has a www entry that points to the IP where the website is hosted.  In Cloudflare, where DNS info is hosted, the A record for www also points to the same address.

Do you think I should remove the DNS info from our server?
Distinguished Expert 2018

Commented:
Got it. But it still doesn't make any sense that you would get presented with an old SSL certificate. You have nothing to lose in deleting the www entry. Try that first. I also hope they made sure to remove the old SSL certificate (I have seen that cause issues at times too). I assume everything is up to date in terms of browsers within your network.

I just paid more attention, you need to trust the CA. But I am digging some more into this.

Author

Commented:
OK, I took off www entry, I couldn't get to the website at all from our network, so I put it back.
I will go around trusting the CA on users' PCs.  I still don't understand what the difference is between the new webhosting servers and NetworkSolutions servers.
Distinguished Expert 2018

Commented:
In this case, I think they might have done something wrong involving the SSL certificate. Try this as an experiment: From a computer that's not on your network, see what shows up in the certificate information. There should be some certificate authority listed in it. Also see what domain it actually shows for the certificate itself.

Author

Commented:
Got it, I will look when I get home tonight.
You see a self-signed certificate from Parallels hosting infrastructure.
Your webpage is hosted on a Parallels server?
With external access you see another certificate (post certificate details if possible).
Feel free to send your URL with PM.
Distinguished Expert 2018

Commented:
My question would be whether you're actually connecting to the correct server while in the office. Do the website people have a way to confirm whether they are actually seeing traffic to the site from your office? If so, then it's more likely an issue involving the way they handled the SSL certificates. (I've seen major vendors like Oracle even screw up SSL certificate installations)
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013
Commented:
> Feel free to send your URL with PM.

While a good suggestion, that is not allowed.  Everything should be posted publicly to give all Experts the same chance to come up with a solution.  Members can pay for a private Live session for one on one support if needed.

In any case, it will help us to view the url so we can see the certificate.  

In Plesk, you do need to add both the certificate and ca root certificate. There are two text boxes, one for each.  If still having issues, https://support.plesk.com/hc/en-us/articles/213907565-Warning-when-login-to-Plesk-This-ca-root-certificate-is-not-trusted.

Author

Commented:
Thank you, Experts, I just went back to the web hosting company and verified that they are using the Parallels Platform, and their certificate is by Comodo.

Dear Scott Fell, when you say "you do need to add both the certificate and ca root certificate", you mean the web hosting server needs these certificates?
Distinguished Expert 2018

Commented:
It sounds like there is a self signed certificate that shouldn't be there. Try to get the developer to remove it.
Scott Fell, Developer & EE Moderator
Fellow 2018
Most Valuable Expert 2013

Commented:
It is a bit confusing.  Do you have access to Plesk? If so, when you go to the certificate area there are 2 boxes. One for the certificate and one for the intermediate.

If your cert requires an intermediate and it does not work using Plesk, then it will be up to the hosting service to add the certificate manually outside of Plesk.

That may not be the issue though. If you can give us the url, we can view the certificate and provide better information to you.
Distinguished Expert 2018

Commented:
@Scott - The author is seeing an expired self signed certificate when accessing the site from the office network, and a proper Comodo certificate when elsewhere. However, the site is handled by an outside company, therefore the author would not have access to Plesk.

Author

Commented:
Dear Scott, I am a bit confused when you say "If you can give us the url", do you mean to paste it here?  I thought earlier you said that was not allowed????
Distinguished Expert 2018

Commented:
@yballan - Scott was saying that you're not supposed to send the information in a PM, which would give that person an unfair advantage over everyone else. However, if you were going to give out the URL, you would need to post it here, where any expert would be able to look at it and assist (everyone would have the same information).

If you want one on one assistance, that's where the Live feature on here comes into play (at a monetary cost).

But all of that said, it sounds like the web developer needs a good push. There's no reason a publicly accessible website should have a self signed SSL certificate out there.

Author

Commented:
Dear masnrock,  Ok I understand.
Here it is.
Yes, I am having great difficulty working with this web developer.  It was against my will to move the website to their server.

www.lmhcare.com

Thank you.
Distinguished Expert 2018

Commented:
Another thing... Comodo is a pretty bad source for SSL certs. They have problems to an extent where a number of sources do not trust them. A number of forever ones keep coming from them... And every so often another chunk of certificates have to get revoked.

Author

Commented:
I see, what I don't understand is, is the bad certificate on the web hosting servers or in our network?
How can I find the self-signed certificate that seems to be the offending certificate only to us in this local network?
Distinguished Expert 2018
Commented:
The certificate would come from the web hosting server. I assume that you're not running a proxy or anything like one, correct? (And even then, you wouldn't get a self signed certificate like you're getting.)

At this point, I'm not certain of why it's your network specifically, but on the other side of it, that doesn't explain the presence of a self-signed certificate.

Author

Commented:
Dear Experts, thank you for giving me direction on this, I will speak to our web hosting company personnel and will use your postings as additional push to get them in action.

Always appreciate your help!!
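
The comparison the experts ask for in this thread (which address the name resolves to, and which certificate is presented, from inside the office versus outside) can be scripted. The following is an added example, not part of any post above: `probe` and `diagnose` are hypothetical helper names, and the sample results use constructed documentation addresses rather than values from the thread.

```python
import socket
import ssl

def probe(host, ip=None, port=443, timeout=5.0):
    """TLS handshake with SNI=host; ip defaults to what the local resolver returns."""
    ip = ip or socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)[0][4][0]
    result = {"ip": ip, "trusted": False, "issuer": None, "error": None}
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result["trusted"] = True
                result["issuer"] = issuer.get("organizationName") or issuer.get("commonName")
    except ssl.SSLCertVerificationError as exc:
        result["error"] = exc.verify_message  # reason the chain was rejected
    except OSError as exc:
        result["error"] = f"connection failed: {exc}"
    return result

def diagnose(inside, outside):
    """Compare a probe taken on the office network with one taken off it."""
    if inside["trusted"] and outside["trusted"]:
        return ("ok", "both vantage points receive a trusted certificate")
    if not inside["trusted"] and not outside["trusted"]:
        return ("server-side", "rejected everywhere: fix the certificate on the host")
    bad, good = (inside, outside) if outside["trusted"] else (outside, inside)
    if bad["ip"] != good["ip"]:
        return ("dns-mismatch", f"{bad['ip']} vs {good['ip']}: the two networks reach "
                f"different endpoints, compare their DNS answers ({bad['error']})")
    return ("same-ip-different-cert", f"{bad['ip']} answers differently per network: "
            f"check for a TLS-inspecting device, SNI handling and trust stores ({bad['error']})")

# Constructed sample results (documentation addresses, not taken from the thread).
SAMPLE_INSIDE = {"ip": "192.0.2.10", "trusted": False, "issuer": None,
                 "error": "self-signed certificate"}
SAMPLE_OUTSIDE = {"ip": "198.51.100.7", "trusted": True, "issuer": "Example CA",
                  "error": None}

if __name__ == "__main__":
    print(diagnose(SAMPLE_INSIDE, SAMPLE_OUTSIDE))
```

Run `probe("www.example.com")` once on the office network and once off it, then pass both results to `diagnose`; calling `probe` from the office with `ip=` set to the address seen outside shows whether the certificate follows the address or the network.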
