Link to home
Start Free TrialLog in
Avatar of yballan
yballanFlag for United States of America

asked on

certificate error on website only in internal network

Dear Experts,

When we access our website from our internal network I get "There is a problem with this website’s security certificate." message.
When I access it from outside, I don't have that issue at all.  When I view the certificate, it is Parallell, which I believe it is the platform web developer used, but other than that, I don't have any idea how to fix this.  This started as soon as we hired a new web developer, and they wanted to host the web pages on their servers.  Because this does not happen outside of our network, they will not help us.
Please adviese.
Avatar of masnrock
masnrock
Flag of United States of America image

Does the problem happen in all browsers, or just IE? And does your AD domain name match that of your website?
Avatar of yballan

ASKER

Yes, It happens with all browsers, and AD domain name does match the website.  I  have been looking at the server settings, and trying to see if I can find anything strange in DNS server role.
Does anything look strange about the security certificate? Maybe possible to see info from it?
Avatar of yballan

ASKER

Certificate is from Parallell Panel, here is the screenshot.
Untitled.png
That's not a good sign. You're seeing the old certificate for some reason. And the web server that was onsite is totally disabled, correct? That sounds like an issue that the vendor needs to fix in terms of certificate installation.

I am also guessing that your network's internal DNS entry for "www" was pointing to the correct IP address?
Avatar of yballan

ASKER

There was never a web server onsite.  It used to be with NetworkSolutions.  Then this company moved it to their own server, and that is when we started to see this problem.  But when I reach out to them, since they cannot replicate the issue (it only happens in our network) they will not fix it.

DNS Server on our main server has www entry that points to the IP where the website is hosted.  In CloudFlair, where DNS info is hosted, the A record for www also points to the same address.

Do you think I should remove the DNS info from our server?
Got it. But it still doesn't make any sense that you would get presented with an old SSL certificate. You have nothing to lose in deleting the www entry. Try that first. I also hope they made sure to remove the old SSL certificate (I have seen that cause issues at times too). I assume everything is up to date in terms of browsers within your network.

I just paid more attention, you need to trust the CA. But I am digging some more into this.
Avatar of yballan

ASKER

OK, I took off www entry, I couldn't get to the website at all from our network, so I put it back.
I will go around trusting the CA on users PC.  I still don't understand what the difference is between the new webhosting servers and NetworkSolutions servers.
In this case, I think they might have done something wrong involving the SSL certificate. Try this as an experiment: From a computer that's not on your network, see what shows up in the certificate information. There should be some certificate authority listed in it. Also see what domain it actually shows for the certificate itself.
Avatar of yballan

ASKER

Got it, I will look when I get home tonight.
you see a self-signed certificate from parallels hosting infrastructure.
your webpage is hosted on parallels server?
with external access you see another certificate (post certificate details if possible)
Feel free to send your URL with PM.
My question would be whether you're actually connecting to the correct server while in the office. Do the website people have a way to confirm whether they are actually seeing traffic to the site from your office? If so, then it's more likely an issue involving the way they handled the SSL certificates. (I've seen major vendors like Oracle even screw up SSL certificate installations)
SOLUTION
Avatar of Scott Fell
Scott Fell
Flag of United States of America image

Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of yballan

ASKER

Thank you, Experts, I just went back to web hosting company and verified that they are using Parallel Platform, and their certificate is by Comodo.

Dear Scott Fell, when you say "you do need to add both the certificate and ca root certificate", you mean the web hosting server needs these certificates?
It sounds like there is a self signed certificate that shouldn't be there. Try to get the developer to remove it.
It is a bit confusing.  Do you have access to Plesk? If so, when you go to the certificate area there are 2 box's. One for the certificate and one for the intermediate.  

If your cert requires an intermediate and it does not work using Plesk, then it will be up to the hosting service to add the certificate manually outside of Plesk.

That may not be the issue though. If you can give us the url, we can view the certificate and provide better information to you.
@Scott - The author is seeing an expired self signed certificate when accessing the site from the office network, and a proper Comodo certificate when elsewhere. However, the site is handled by an outside company, therefore the author would not have access to Plesk.
Avatar of yballan

ASKER

Dear Scott, I am a bit confused when you say "If you can give us the url", do you mean to paste it here?  I thought earlier you said that was not allowed????
@yballan - Scott was saying that you're not supposed to send the information in a PM, which would give that person an unfair advantage over everyone else. However, if you were going to give out the URL, you would need to post it here , where any expert would be able to look at it and assist (everyone would have the same information).

If you want one on one assistance, that's where the Live feature on here comes into play (at a monetary cost).

But all of that said, it sounds like the web developer needs a good push. There's no reason a publicly accessible website should have a self signed SSL certificate out there.
Avatar of yballan

ASKER

Dear masnrock,  Ok I understand.
Here it is.
Yes, I am having a great difficulty working with this web developer.  It was against my will to move the website to their server.

www.lmhcare.com

Thank you.
Another thing..  Comodo is a pretty bad source for SSL certs. They have problems to an exyenr where a number of sources do not trust them. A number of forever ones keep coming from them.. And every so often another chunk of certificates have to get revoked.
Avatar of yballan

ASKER

I see, what I don't understand is, is the bad certificate on the web hosting servers or in our network?
How can I find the self-signed certificate that seems to be the offending certificate only to us in this local network?
ASKER CERTIFIED SOLUTION
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of yballan

ASKER

Dear Experts, thank you for giving me direction on this, I will speak to our web hosting company personnel and will use your postings as additional push to get them in action.

Always appreciate your help!!