Security issue or not?

Hi, we just moved from Godaddy to Bluehost (which was a nosebleed), and I thought everything was finally ok. But a user today got the attached error. I asked her what browser she was on, but she won't be back in until tomorrow morning.

I checked it here: https://www.ssllabs.com/ssltest/analyze.html?d=techgardens.com and it shows that the second certificate, the one on Bluehost, has a mismatching name and is not trusted.

Bluehost said this was a known issue that was fixed long ago. Then they said, "it is a known issue and will take some time to update and show the right details." So, which is it, Bluehost?

I called in and talked to another tech, showed him that link. He said that my user had a caching issue, she should clear her cache and it will go away. That sounds incorrect to me, if SSL Labs is showing a mismatch, then the error my user got is real.

It looks like our SSL is good, but the Bluehost one has an issue? I am really not that up on SSL, can anyone explain this to me and advise what I can do? Thanks!!
mel200 Asked:
btan, Exec Consultant, Commented:
Certificate chain error. Try to reinstall the Comodo intermediate certs (containing no root certificate), which were given to you or can be gotten from Comodo. Restart the web server. Reset your browser cache and try the test again.

For info, if you are trying to bundle all certs into a crt including the many intermediate certificates, you can check this out. Should not matter to you though: https://certificatechain.io

Comodo usually provides instructions for certificate installation. In those instructions, they typically provide a link to download the intermediate certificate. In this case, your intermediate certificate is called COMODO RSA Domain Validation Secure Server CA. Actual installation varies based on the load balancer or web server you use to terminate SSL/TLS.
0
mel200 (Author) Commented:
Ok, so the problem lies at Bluehost, right? I should ask them to reinstall it? Shouldn't they know this? I am so frustrated by them...
0
mel200 (Author) Commented:
Thanks, by the way!!
0
mel200 (Author) Commented:
They are telling me that I either need to upgrade to a VPS account, or ignore the error and ask people to clear their cache if they see this. I find this completely unacceptable, am I wrong?
0
Adam Brown, Sr Solutions Architect, Commented:
There isn't an error attached to your question, btw. That would help :D Under normal circumstances, the chain order doesn't matter because the Intermediate and Root CA certificates are already implicitly trusted by the client system and would not be required to verify certificate trust. Only a really wonky or old as crap system would get a certificate error because of the single major error shown on the SSL Labs test. I personally do not get an error when connecting to your company site, which would suggest that the client's system falls under the aforementioned "Wonky or old as crap" heading. Depending on which error the user is getting, there are different actions you would need to take, so please post that error when you can.

That said, if you would like a simple primer on how digital certificates work, I wrote one on my blog a while back: http://acbrownit.com/2015/12/28/theory-understanding-digital-certificates
You may also find this helpful: http://acbrownit.com/2016/01/29/anatomy-of-a-certificate-error
0
Ronin Commented:
I tried loading the website on 3 kinds of browsers, everything is showing properly.
0
Adam Brown, Sr Solutions Architect, Commented:
Just another quick comment to mention, if Bluehost is giving you three completely different answers when you talk to their support guys, I'd run that up the flagpole to someone higher up. That's definitely a load of crap, and shows their techs are just shooting in the dark and guessing at what the problem is.
1
btan, Exec Consultant, Commented:
If the intermediate gotten from them is right, then it is the browser, for which they also cannot really control the cache purge.
I suspect they have a proxy like a load balancer that may also be part of the issue. Anyway, as long as you test the site and there is no warning prompt to use then it is alright, esp. for those who have browsed the old site and then went on to this new one. Good to find out. Anyway the website still scores A in ssltest and the strong cipher is still used. If it does get warning prompts like this then it is to be investigated further:
https://community.qualys.com/thread/13775

Kind of finding the Comodo not very helpful though
1
mel200 (Author) Commented:
Shoot, sorry about not uploading that. Here it is, and it's the same error seen here: https://www.instantssl.com/ssl-faqs/ssl-certificate-errors.html under "Certificate Name 'Mismatch' error".
Capture.JPG
0
mel200 (Author) Commented:
The tech said that only people who had been to the old site when it was on godaddy would see this error, and not all of them. Would it help to know browser version used by the person who saw the error? Thanks for all the great information!!
0
btan, Exec Consultant, Commented:
For the IE error capture, there are actually many reasons for it, but in your case it seems to be "The security certificate was issued by a company you have not chosen to trust.", which you have confirmed in the ssltest. I suggest you also take a look at some resolutions: https://kb.intermedia.net/Article/3270##Resolution. In a way it is as we discussed: get the hosting party to verify, which you have done, and eventually the next step is suggested by them. But there are more checks in the link - no harm taking a look.
"Would it help to know browser version used by the person who saw the error?"
That is good. But I am thinking you can't possibly catch all users; rather, you may consider a comms out to users to clear their cache, and take this opportunity to promote the website and share security awareness tips like strange pop-ups and phishing links. I think the users will appreciate it as part of your effort to constantly revamp the site to improve their experience.
Good to have them give feedback, then you don't really need to investigate so much ... a mass user size has to be done smartly, but if it is just a handful of users, I see that finding out their version can be trivial. I would have thought there is some standard build on the issued machines, and that is where the IT team will know best to advise.
1
mel200 (Author) Commented:
Thanks very much! Great information, and I think we're good now.
0
Adam Brown, Sr Solutions Architect, Commented:
FYI...the error you're seeing is an Outlook certificate error, not a web browser error. This is caused by incorrect Autodiscover configuration. You'll want to go through your DNS settings for the domain and make sure autodiscover.techgardens.com is pointing to an Exchange server or is deleted if you're using a SRV record for autodiscover. Right now it's pointing to the IP of your company website.
1

mel200 (Author) Commented:
Ok- so under A records, and then under SRV, I see this. Under A record, should they all point to the domain rather than the IP?

Keep in mind that the email accounts are still on Godaddy, we changed the DNS on Bluehost to make them work.
SRV.txt
arecord.txt
0
Ronin Commented:
You probably should remove the SRV record and point A record to your Exchange's external IP, if I understand the issue correctly.
You do want to configure your Outlook to connect to Exchange, right?
0
Adam Brown, Sr Solutions Architect, Commented:
All of those IPs in your A Records are pointing to the same server. The Bluehost web server. So that's the source of your issue. You'll need to delete the A record for autodiscover and replace it with a CNAME that points to autodiscover.secureserver.net. You can remove the SRV record.
1
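The name mismatch described in the two comments by Adam Brown above (autodiscover sharing the web server's IP), as an added example that is not code from the thread. The zone contents, the IP address and the certificate's SAN list are constructed assumptions; the matching follows the usual DNS-ID rules, including single-label wildcards.

```python
# Added illustration; record names, address and SAN list are constructed.

def san_matches(hostname, san):
    """Compare a hostname with one certificate SAN entry.

    Case-insensitive; '*' is accepted only as the entire left-most label
    and stands for exactly one label.
    """
    host = hostname.lower().rstrip(".").split(".")
    pat = san.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False
    if pat[0] == "*":
        # Require at least two fixed labels to the right of the wildcard.
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, sans):
    """True if any SAN entry on the certificate matches the hostname."""
    return any(san_matches(hostname, s) for s in sans)


def mismatched_names(a_records, server_ip, cert_sans):
    """Names that resolve to server_ip but are absent from its certificate."""
    return sorted(
        name for name, ip in a_records.items()
        if ip == server_ip and not cert_covers(name, cert_sans)
    )


# Constructed zone: every A record targets the web host
# (203.0.113.10 is a documentation-only address).
WEB_IP = "203.0.113.10"
A_RECORDS = {
    "techgardens.com": WEB_IP,
    "www.techgardens.com": WEB_IP,
    "autodiscover.techgardens.com": WEB_IP,
}
# Assumed SAN list on the web server's certificate.
WEB_CERT_SANS = ["techgardens.com", "www.techgardens.com"]

if __name__ == "__main__":
    for name in mismatched_names(A_RECORDS, WEB_IP, WEB_CERT_SANS):
        print(f"{name}: served by {WEB_IP}, not in certificate SANs -> name mismatch")
```

A mail client that connects to a flagged name over HTTPS receives the website's certificate, which is why the warning appears in Outlook while browsers loading the site itself see no error.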
btan, Exec Consultant, Commented:
Alternatively you can still use SRV and remove the A records. There is a search sequence for the resolving of where to get autodiscover service and SRV is the last attempt. For info.

https://www.petenetlive.com/KB/Article/0001184
0
mel200 (Author) Commented:
"You'll need to delete the A record for autodiscover and replace it with a CNAME that points to autodiscover.secureserver.net. You can remove the SRV record." Will this slow down or stop email at all? I am a bit nervous about doing it. :)
0
btan, Exec Consultant, Commented:
I don't think it will affect as much, as the CNAME will go into the IP resolved by the external party DNS server (bluehost). Let's say if the CNAME or A record fails, the SRV is the last check still (assuming you retain SRV). There again it is referring to an external host. Not something you can control, but I doubt they will go missing in service. You can test it using https://testconnectivity.microsoft.com/
0
mel200 (Author) Commented:
Hi, Adam,

I was able to download my old DNS records from godaddy, and I see this under CNAME:
autodiscover      600      IN      CNAME      autodiscover.outlook.com

Should I use that instead of autodiscover.secureserver.net?
0
mel200 (Author) Commented:
From the reading you sent me, I think maybe I should delete the A record, change the SRV to autodiscover.secureserver.net, then test it on the testing site you sent. Does that make sense?
0
btan, Exec Consultant, Commented:
Can try keeping the SRV and test
0
mel200 (Author) Commented:
Hi- we got a clean test at https://testconnectivity.microsoft.com/. Just wanted to thank you all again.
0