A+ rating still unsecure by Google Chrome's opinion


I am provisioning my server on DigitalOcean, and although I am getting an A+ rating from ssllabs,

https://www.ssllabs.com/ssltest/analyze.html?d=zandu.biz

when I connect to my site, https://www.zandu.biz or https://zandu.biz, I get an unsecure notice inside Chrome.

How do I solve this?










      ssl apache-2.4 lets-encrypt






      edited Aug 15 at 17:17









      Peter Mortensen

      asked Aug 14 at 19:01









The Architect

          1 Answer
          48










          This server could not prove that it is www.zandu.biz; its security
          certificate is from zandu.biz. This may be caused by a
          misconfiguration or an attacker intercepting your connection.




          The name in your site's certificate is zandu.biz, which is not valid for a different name (www.zandu.biz). Moreover, you have a redirect from zandu.biz to www.zandu.biz, so if you use the name the certificate is valid for it redirects to the name that it isn't.



          What you need is to get a certificate with both names.






          edited Aug 15 at 5:49

























          answered Aug 14 at 19:25









zrm

• 4

Wildcard certificates can be more convenient or necessary if the names you intend to use aren't actually known ahead of time. But they also increase your exposure if the associated private key is compromised because then the attacker can forge any name in your domain rather than only the ones that server was actually using.

– zrm
Aug 14 at 22:37

• 4

Let's Encrypt is a CA. When they first started out they were cross-signed by IdenTrust but that ends in 2020 because their own root certificate is now widely trusted. None of that has anything to do with your problem, which would have been the same either way.

– zrm
Aug 15 at 0:35

• 8

s/Common Name/Subject Alternative Name/ -- Chrome hasn't used Common Name at all for 2 years; other browsers do so only if SAN is absent, which hasn't been true for any (EE) certs from public CAs since before 2010, although you can arrange it for test certs you create yourself. Which is exactly why you can get one cert for multiple domains -- ancient certs using only Common Name couldn't do that.

– dave_thompson_085
Aug 15 at 5:40

• 12

@djdomi a wildcard certificate for *.example.com still doesn't cover the bare domain example.com. You still need two values in the SAN.

– Michael - sqlbot
Aug 15 at 13:18

• 4

The bigger reason to avoid a wildcard certificate is that OP is using LetsEncrypt. While LetsEncrypt does support wildcard certificates, this requires a DNS challenge. Satisfying a DNS challenge is harder to automate. Also, automating a DNS challenge may mean that a compromised server will grant attackers access to your DNS. So, it's sufficient to use either a UCC certificate or two certificates (which approach doesn't matter much. Do whichever is easier).

– Brian
Aug 15 at 14:01
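As an added illustration (not code from the question, the answer or the comments above): a stdlib-only checker that applies the browser hostname-matching rules the comments describe (SAN only, Common Name ignored, a wildcard covers one label and never the bare domain) to a certificate's dNSName list, then walks the redirect chain the answer points out, so a redirect landing on an uncovered name is caught before a browser reports it. The SAN lists and the redirect map are constructed to mirror the question.

```python
"""Check that a certificate's Subject Alternative Names cover every hostname
a client can end up at, including names reached through redirects.

The SAN lists and redirect map are constructed for this example; they are not
the real zandu.biz certificate or server configuration.
"""
from typing import Dict, List


def hostname_matches_san(hostname: str, san_dns_names: List[str]) -> bool:
    """Match one hostname against the certificate's dNSName SAN entries.

    Rules applied (the ones browsers use; the Common Name is deliberately
    not consulted):
      * comparison is case-insensitive and ignores a trailing dot;
      * a wildcard counts only as the entire leftmost label ("*.example.com");
        partial-label patterns such as "w*.example.com" are not honoured;
      * the wildcard matches exactly one label, so "*.example.com" covers
        "www.example.com" but neither "example.com" nor "a.b.example.com";
      * a wildcard needs at least two labels after it ("*.com" matches nothing).
    """
    host = hostname.lower().rstrip(".")
    host_labels = host.split(".")
    for name in san_dns_names:
        pattern = name.lower().rstrip(".")
        if pattern == host:
            return True
        pat_labels = pattern.split(".")
        if pat_labels[0] == "*" and len(pat_labels) >= 3:
            if len(pat_labels) == len(host_labels) and pat_labels[1:] == host_labels[1:]:
                return True
    return False


def audit_site(entry_host: str, san_dns_names: List[str],
               redirects: Dict[str, str], max_hops: int = 5) -> List[str]:
    """Follow the redirect chain from entry_host and return every hostname
    along it that the certificate does NOT cover (empty list = all good).

    The question's failure is exactly this: the apex name is covered, but
    it redirects to www, which is not."""
    uncovered: List[str] = []
    seen = set()
    host = entry_host
    for _ in range(max_hops + 1):
        if host in seen:            # redirect loop; stop walking
            break
        seen.add(host)
        if not hostname_matches_san(host, san_dns_names):
            uncovered.append(host)
        nxt = redirects.get(host)
        if nxt is None:
            break
        host = nxt
    return uncovered


# Constructed scenario from the question: the certificate names only the apex,
# and the apex redirects to www.
SAN_APEX_ONLY = ["zandu.biz"]                 # what the asker has
SAN_BOTH = ["zandu.biz", "www.zandu.biz"]     # what the answer recommends
SAN_WILDCARD = ["*.zandu.biz"]                # covers www but not the apex
REDIRECTS = {"zandu.biz": "www.zandu.biz"}

if __name__ == "__main__":
    cases = [("apex only", SAN_APEX_ONLY), ("both names", SAN_BOTH),
             ("wildcard only", SAN_WILDCARD)]
    for label, sans in cases:
        for start in ("zandu.biz", "www.zandu.biz"):
            bad = audit_site(start, sans, REDIRECTS)
            print(f"{label:14} start={start:14} uncovered={bad}")
```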











