0

We replaced an old SSL certificate with a new wildcard SSL certificate from GoDaddy. We switched out this certificate last week and have been receiving calls from customers trying to register ever since about the following error.


We cannot figure out what on earth is going on as we have tested this cert in IE 6,7,8, Chrome, & Firefox without receiving any errors, but we know there is a problem as we continue to get calls. For the record, we do have multiple SSL certificates installed on this box, but are using separate IP addresses to serve them up.

Any help or ideas would be greatly appreciated.

Thank you,

FAtBalloon

3 Answers

3
$ curl -Iv https://classes.stcharleshealthcare.org/
* About to connect() to classes.stcharleshealthcare.org port 443 (#0)
*   Trying 67.59.90.121... connected
* Connected to classes.stcharleshealthcare.org (67.59.90.121) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
*    subject: serialNumber=ESKZZ-OSKRZAHAnZ8ssPXoULbrv1/Obw; C=US; ST=Oregon; L=Bend; O=St. Charles Medical Center; OU=GT14856843; CN=*.scmc.org
*    start date: 2010-10-10 19:25:39 GMT
*    expire date: 2012-01-13 10:20:49 GMT
*    subjectAltName does not match classes.stcharleshealthcare.org
* Closing connection #0
* SSLv3, TLS alert, Client hello (1):
* SSL peer certificate or SSH remote key was not OK
curl: (51) SSL peer certificate or SSH remote key was not OK

So, the DNS for classes.stcharleshealthcare.org is going to a server that is presenting the SSL cert for *.scmc.org. Check your DNS and/or your virtual host definitions in Apache.

cjc
  • So the server has multiple IP addresses and multiple SSL certificates. I'm assuming that we need to specify a specific IP address for each one of them? The scmc certificate is currently on a , so I'm guessing that we need to make sure and make that IP static as well? Also, any idea why you would get a mismatch when executing that curl, and my computer gets a match? – FAtBalloon Jan 09 '12 at 16:47
  • I don't recall how Apache determines which VirtHost to use, though I suspect it'll be most specific (i.e., IP address) to least. So, yes, that VirtualHost definition will be serving up the *.scmc.org cert to all incoming connections to port 443. You should definitely specify IP address in the VirtHosts when using SSL. I don't know why your computer is getting a match. Caching? I sometimes use Chrome's incognito mode to get a clean slate for this sort of check. If there were a DNS change, the local DNS cache may still be in effect, whereas the rest of the Net is pulling a new record. – cjc Jan 09 '12 at 16:50
  • Does incognito mode work pretty well for testing this? I made a few changes on the server and tried incognito mode and it works, but I really don't have a good way to test this thing since I could never reproduce it in the first place. – FAtBalloon Jan 09 '12 at 16:57
  • Incognito mode works well for browser-based stuff (page caches, cookies, etc.). It won't do much if DNS is the issue, i.e., if the stale data is outside your browser. Note that I'm still getting the same error on my curl. One other testing method would be to have some other computer on a different network (i.e., using a different DNS at, say, Starbucks, or home, etc.) look at the same site. You shouldn't be testing it only from one location. – cjc Jan 09 '12 at 17:00
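The answer and its comments come down to two separate checks: does the name the browser asked for actually match the names in the certificate that came back, and is every address the hostname resolves to serving the same certificate. The script below is an added example, not code from the thread or from the poster's server; it implements a wildcard/SAN matcher that can be exercised offline, and a live probe that resolves all addresses for a name and records what each one presents, with and without SNI (so the default virtual host is visible too). The sample certificate dictionary is constructed from the curl output quoted above, not a real getpeercert() result.

```python
"""Check which certificate each address behind a hostname actually presents."""
import socket
import ssl


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*' may only be the whole leftmost label and
    covers exactly one label, so '*.scmc.org' matches 'classes.scmc.org' but
    neither 'scmc.org' nor 'a.b.scmc.org'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the entire first label, and at least two labels must
    # follow it, so '*.org' or a bare '*' never match anything.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_in_cert(cert: dict) -> list:
    """DNS names from subjectAltName, falling back to the subject CN only
    when no SAN entries exist (the same rule the curl output above applied)."""
    names = [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def cert_matches_host(cert: dict, hostname: str) -> bool:
    return any(wildcard_matches(n, hostname) for n in names_in_cert(cert))


# Constructed to mirror the certificate shown in the curl session above.
SAMPLE_CERT = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "Oregon"),),
        (("organizationName", "St. Charles Medical Center"),),
        (("commonName", "*.scmc.org"),),
    ),
    "subjectAltName": (("DNS", "*.scmc.org"), ("DNS", "scmc.org")),
}


def probe(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to every address the name resolves to, once with SNI and once
    without, and record the names in the certificate each one serves.

    Chain verification stays on, but Python's own hostname check is turned
    off so a mismatched (otherwise valid) certificate is reported rather
    than raised; the mismatch is exactly what we want to see.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    results = {}
    for _family, _type, _proto, _canon, sockaddr in socket.getaddrinfo(
        hostname, port, type=socket.SOCK_STREAM
    ):
        ip = sockaddr[0]
        for label, sni in (("sni", hostname), ("no_sni", None)):
            key = (ip, label)
            if key in results:
                continue
            try:
                with socket.create_connection((ip, port), timeout=timeout) as raw:
                    with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                        cert = tls.getpeercert()
                results[key] = {
                    "names": names_in_cert(cert),
                    "matches": cert_matches_host(cert, hostname),
                }
            except (OSError, ssl.SSLError) as exc:
                results[key] = {"names": [], "matches": False, "error": str(exc)}
    return results


if __name__ == "__main__":
    import sys
    for (ip, mode), info in probe(sys.argv[1]).items():
        print(ip, mode, info)
```

Run it from more than one network, as the comments suggest: a result that differs between the address your own resolver returns and the one a remote resolver returns points at stale DNS; a "no_sni" entry that presents a different certificate than the "sni" entry on the same address shows which certificate the default virtual host hands to clients that do not send SNI.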
0

The certificate has been issued to *.scmc.org, but you're trying to secure a site called stcharleshealthcare.org. Obviously you need a cert such as *.stcharleshealthcare.org.

Vick Vega
0
You attempted to reach classes.stcharleshealthcare.org, but instead you actually reached a server identifying itself as *.scmc.org.

You are using a wildcard certificate that doesn't match your domain name.

CloudWeavers