A+ rating still unsecure by Google Chrome's opinion


I am provisioning my server on DigitalOcean, and although I am getting an A+ rating from ssllabs,

https://www.ssllabs.com/ssltest/analyze.html?d=zandu.biz

when I connect to my site, https://www.zandu.biz or https://zandu.biz, I get an unsecure notice inside Chrome.

How do I solve this?










      ssl apache-2.4 lets-encrypt






asked 2 days ago by The Architect

          1 Answer
This server could not prove that it is www.zandu.biz; its security
certificate is from zandu.biz. This may be caused by a
misconfiguration or an attacker intercepting your connection.

The name in your site's certificate is zandu.biz, which is not valid for a different name (www.zandu.biz). Moreover, you have a redirect from zandu.biz to www.zandu.biz, so if you use the name the certificate is valid for, it redirects to the name that it isn't.

What you need is to get a certificate with both names.







answered 2 days ago by zrm

• Wildcard certificates can be more convenient or necessary if the names you intend to use aren't actually known ahead of time. But they also increase your exposure if the associated private key is compromised because then the attacker can forge any name in your domain rather than only the ones that server was actually using.
  – zrm, yesterday

• Let's Encrypt is a CA. When they first started out they were cross-signed by IdenTrust but that ends in 2020 because their own root certificate is now widely trusted. None of that has anything to do with your problem, which would have been the same either way.
  – zrm, yesterday

• s/Common Name/Subject Alternative Name/ -- Chrome hasn't used Common Name at all for 2 years; other browsers do so only if SAN is absent, which hasn't been true for any (EE) certs from public CAs since before 2010, although you can arrange it for test certs you create yourself. Which is exactly why you can get one cert for multiple domains -- ancient certs using only Common Name couldn't do that.
  – dave_thompson_085, yesterday

• @djdomi a wildcard certificate for *.example.com still doesn't cover the bare domain example.com. You still need two values in the SAN.
  – Michael - sqlbot, yesterday

• The bigger reason to avoid a wildcard certificate is that OP is using LetsEncrypt. While LetsEncrypt does support wildcard certificates, this requires a DNS challenge. Satisfying a DNS challenge is harder to automate. Also, automating a DNS challenge may mean that a compromised server will grant attackers access to your DNS. So, it's sufficient to use either a UCC certificate or two certificates (which approach doesn't matter much. Do whichever is easier).
  – Brian, yesterday
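The name check behind the answer and the SAN and wildcard comments above, as an added example that is not part of the original thread: it walks the redirect chain from the question (zandu.biz to www.zandu.biz) against several Subject Alternative Name lists and reports which hostnames each certificate fails to cover. The function names and the SAN lists are constructed for illustration, and the matching is a simplified form of browser behaviour (dNSName entries only, whole-label wildcards only, no public suffix list).

```python
"""Check which hostnames in a redirect chain a certificate's SAN list covers."""


def _labels(name):
    # DNS names compare case-insensitively; a trailing dot is the root label.
    return name.rstrip(".").lower().split(".")


def dns_name_matches(hostname, pattern):
    """Return True if a single SAN dNSName entry covers the hostname."""
    host, pat = _labels(hostname), _labels(pattern)
    if len(host) != len(pat):
        # A wildcard stands for exactly one label, so *.example.com covers
        # www.example.com but neither example.com nor a.b.example.com.
        return False
    if pat[0] == "*":
        # Only a whole leftmost label may be a wildcard, and it needs at
        # least two fixed labels after it (rejects patterns like "*.com").
        return len(pat) >= 3 and host[1:] == pat[1:]
    return host == pat


def cert_covers(hostname, san_dns_names):
    """The Common Name is deliberately ignored: only SAN entries count."""
    return any(dns_name_matches(hostname, p) for p in san_dns_names)


def uncovered_hosts(redirect_chain, san_dns_names):
    """Hostnames a browser visits, in order, that the certificate does not cover.

    Every hop of an HTTPS redirect is a separate TLS connection with its own
    name check, so one uncovered hop is enough to trigger the warning.
    """
    return [h for h in redirect_chain if not cert_covers(h, san_dns_names)]


# Constructed inputs modelled on the question: the bare name redirects to www.
REDIRECT_CHAIN = ["zandu.biz", "www.zandu.biz"]

SINGLE_NAME_CERT = ["zandu.biz"]                  # the situation in the question
TWO_NAME_CERT = ["zandu.biz", "www.zandu.biz"]    # the fix from the answer
WILDCARD_ONLY_CERT = ["*.zandu.biz"]              # misses the bare domain
WILDCARD_PLUS_APEX = ["*.zandu.biz", "zandu.biz"]  # two SAN values, as commented


if __name__ == "__main__":
    cases = [
        ("single name", SINGLE_NAME_CERT),
        ("both names", TWO_NAME_CERT),
        ("wildcard only", WILDCARD_ONLY_CERT),
        ("wildcard + apex", WILDCARD_PLUS_APEX),
    ]
    for label, sans in cases:
        missing = uncovered_hosts(REDIRECT_CHAIN, sans)
        print(f"{label:16} SAN={sans} uncovered={missing}")
```

To run the same check against a deployed certificate, replace the constructed lists with the dNSName entries from the certificate's Subject Alternative Name extension and list every hostname that serves or redirects to the site.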













