
Cloudflare Certificate name mismatch?

Discussion in 'Domains, DNS, Email & SSL Certificates' started by rdan, Nov 4, 2019.

  1. rdan

    rdan Well-Known Member

  2. eva2000

    eva2000 Administrator Staff Member

    Probably just ssllabs, seeing as real browser access to the www domain works, as do curl header checks.

    HTTP/2 excerpt of the SSL cert served by Cloudflare:
    Code (Text):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=centminmod.com
    *  start date: Apr 10 00:00:00 2019 GMT
    *  expire date: Apr 10 12:00:00 2020 GMT
    *  subjectAltName: host "www.centminmod.com" matched cert's "*.centminmod.com"
    *  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    

    Particularly the www hostname matching Cloudflare's dedicated SSL wildcard certificate, which contradicts the ssllabs message "Alternative names not found in the certificate". But it could still be an issue if a particular Cloudflare edge server isn't serving the dedicated SSL cert properly, I guess.
    Code (Text):
    *  subjectAltName: host "www.centminmod.com" matched cert's "*.centminmod.com"


    Full output with HTTP/2:
    Code (Text):
    domain=https://www.centminmod.com
    
    curl -Iv $domain
    *   Trying 2606:4700:10::6814:e655:443...
    * TCP_NODELAY set
    * Connected to www.centminmod.com (2606:4700:10::6814:e655) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *   CAfile: /etc/ssl/certs/ca-certificates.crt
      CApath: none
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (IN), TLS handshake, CERT verify (15):
    * TLSv1.3 (IN), TLS handshake, Finished (20):
    * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.3 (OUT), TLS handshake, Finished (20):
    * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
    * ALPN, server accepted to use h2
    * Server certificate:
    *  subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=centminmod.com
    *  start date: Apr 10 00:00:00 2019 GMT
    *  expire date: Apr 10 12:00:00 2020 GMT
    *  subjectAltName: host "www.centminmod.com" matched cert's "*.centminmod.com"
    *  issuer: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=CloudFlare Inc ECC CA-2
    *  SSL certificate verify ok.
    * Using HTTP2, server supports multi-use
    * Connection state changed (HTTP/2 confirmed)
    * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
    * Using Stream ID: 1 (easy handle 0x5620e06701c0)
    > HEAD / HTTP/2
    > Host: www.centminmod.com
    > User-Agent: curl/7.66.1-DEV
    > Accept: */*
    > 
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
    * old SSL session ID is stale, removing
    * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
    < HTTP/2 302 
    HTTP/2 302 
    < date: Sun, 03 Nov 2019 15:27:36 GMT
    date: Sun, 03 Nov 2019 15:27:36 GMT
    < content-type: text/html
    content-type: text/html
    * Added cookie __cfduid="dfba384c08451a2a47af9fde30fd1524d1572794856" for domain centminmod.com, path /, expire 1604330856
    < set-cookie: __cfduid=dfba384c08451a2a47af9fde30fd1524d1572794856; expires=Mon, 02-Nov-20 15:27:36 GMT; path=/; domain=.centminmod.com; HttpOnly
    set-cookie: __cfduid=dfba384c08451a2a47af9fde30fd1524d1572794856; expires=Mon, 02-Nov-20 15:27:36 GMT; path=/; domain=.centminmod.com; HttpOnly
    < location: https://centminmod.com/
    location: https://centminmod.com/
    < cf-cache-status: DYNAMIC
    cf-cache-status: DYNAMIC
    < cf-ray: 52ff5f8f08a09a14-EWR
    cf-ray: 52ff5f8f08a09a14-EWR
    < cf-railgun: direct (starting new WAN connection)
    cf-railgun: direct (starting new WAN connection)
    < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < x-content-type-options: nosniff
    x-content-type-options: nosniff
    < x-frame-options: SAMEORIGIN
    x-frame-options: SAMEORIGIN
    < x-powered-by: centminmod
    x-powered-by: centminmod
    < x-xss-protection: 1; mode=block
    x-xss-protection: 1; mode=block
    < alt-svc: h3-23=":443"; ma=86400
    alt-svc: h3-23=":443"; ma=86400
    < server: cloudflare
    server: cloudflare
    < 
    * Connection #0 to host www.centminmod.com left intact
    

    With HTTP/3:
    Code (Text):
    domain=https://www.centminmod.com
    
    curl-http3 --http3 -Iv $domain
    *   Trying 2606:4700:10::6814:e755:443...
    * Sent QUIC client Initial, ALPN: h3-23
    * h3 [:method: HEAD]
    * h3 [:path: /]
    * h3 [:scheme: https]
    * h3 [:authority: www.centminmod.com]
    * h3 [user-agent: curl/7.67.0-DEV]
    * h3 [accept: */*]
    * Using HTTP/3 Stream ID: 0 (easy handle 0x55590d642eb0)
    > HEAD / HTTP/3
    > Host: www.centminmod.com
    > user-agent: curl/7.67.0-DEV
    > accept: */*
    > 
    < HTTP/3 302
    HTTP/3 302
    < date: Sun, 03 Nov 2019 15:29:21 GMT
    date: Sun, 03 Nov 2019 15:29:21 GMT
    < content-type: text/html
    content-type: text/html
    < set-cookie: __cfduid=db8e2eb23c1cab69236beeabe2917c8791572794960; expires=Mon, 02-Nov-20 15:29:20 GMT; path=/; domain=.centminmod.com; HttpOnly
    set-cookie: __cfduid=db8e2eb23c1cab69236beeabe2917c8791572794960; expires=Mon, 02-Nov-20 15:29:20 GMT; path=/; domain=.centminmod.com; HttpOnly
    < location: https://centminmod.com/
    location: https://centminmod.com/
    < cf-cache-status: DYNAMIC
    cf-cache-status: DYNAMIC
    < cf-ray: 52ff6217e926e6cc-EWR
    cf-ray: 52ff6217e926e6cc-EWR
    < cf-railgun: 04164a4912 stream 0.000000 0200 0dda
    cf-railgun: 04164a4912 stream 0.000000 0200 0dda
    < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    < x-content-type-options: nosniff
    x-content-type-options: nosniff
    < x-frame-options: SAMEORIGIN
    x-frame-options: SAMEORIGIN
    < x-powered-by: centminmod
    x-powered-by: centminmod
    < x-xss-protection: 1; mode=block
    x-xss-protection: 1; mode=block
    < alt-svc: h3-23=":443"; ma=86400
    alt-svc: h3-23=":443"; ma=86400
    < server: cloudflare
    server: cloudflare
    * Connection #0 to host www.centminmod.com left intact
    
     
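The disagreement above (SSL Labs says "Alternative names not found in the certificate", curl says the hostname matched the `*.centminmod.com` SAN) comes down to two things: which names the served leaf certificate actually carries, and whether every edge IP behind the hostname serves the same certificate. The script below is an added example, not code from the thread or from Centmin Mod. It implements the RFC 6125 wildcard matching rules that browsers and curl apply, and can pin the TCP connection to one IP while still sending the hostname in SNI, which is the Python equivalent of `curl -v --resolve "host:443:IP" https://host/` for checking a single Cloudflare edge. The embedded certificate dictionary is constructed to mirror the subject shown in the curl output; the real certificate's full SAN list is not on the page, so that SAN list is an assumption.

```python
"""Check which DNS names a served TLS certificate covers for a hostname.

Added example (not from the forum thread). Wildcard rules follow RFC 6125
section 6.4.3 as commonly implemented by browsers and curl.
"""
import socket
import ssl
from typing import Dict, List, Optional

# Constructed to mirror the cert in the curl output (CN=centminmod.com,
# wildcard SAN). The real cert's exact SAN list is not on the page: assumption.
EXAMPLE_CERT: Dict = {
    "subject": (
        (("countryName", "US"),),
        (("stateOrProvinceName", "CA"),),
        (("localityName", "San Francisco"),),
        (("organizationName", "CloudFlare, Inc."),),
        (("commonName", "centminmod.com"),),
    ),
    "subjectAltName": (("DNS", "centminmod.com"), ("DNS", "*.centminmod.com")),
}


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name (possibly a wildcard) against hostname.

    - case-insensitive comparison, trailing dots ignored
    - the wildcard must be the entire leftmost label ('*.example.com');
      partial labels such as 'w*.example.com' are rejected
    - '*' matches exactly one label, so '*.example.com' covers
      'www.example.com' but neither 'example.com' nor 'a.b.example.com'
    - patterns with fewer than two labels after '*' ('*.com') are rejected
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False
    if len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def names_from_cert(cert: Dict) -> List[str]:
    """Return dNSName SAN entries; CN is only a legacy fallback when no SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for kind, value in rdn:
            if kind == "commonName":
                return [value]
    return []


def hostname_covered(cert: Dict, hostname: str) -> Optional[str]:
    """Return the SAN/CN entry that covers hostname, or None if the cert does not."""
    for name in names_from_cert(cert):
        if name_matches(name, hostname):
            return name
    return None


def fetch_peer_cert(hostname: str, connect_ip: Optional[str] = None,
                    port: int = 443, timeout: float = 10.0) -> Dict:
    """TLS-connect with SNI=hostname (optionally to a pinned edge IP) and return the leaf cert.

    check_hostname is turned off so a mismatching cert is returned for inspection
    rather than raising; chain verification (CERT_REQUIRED) stays on, which is
    also what makes getpeercert() return the parsed dict.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    target = connect_ip or hostname
    with socket.create_connection((target, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys
    if len(sys.argv) >= 2:  # live check: script.py www.example.com [edge-ip]
        host = sys.argv[1]
        cert = fetch_peer_cert(host, sys.argv[2] if len(sys.argv) > 2 else None)
    else:                    # offline check against the constructed cert
        host, cert = "www.centminmod.com", EXAMPLE_CERT
    print("names in cert:", names_from_cert(cert))
    print("covers", host, "->", hostname_covered(cert, host))
```

To test the "one edge serves a different cert" theory, run the live check once per address returned by `dig +short www.centminmod.com` (A and AAAA), passing each IP as the second argument; every run should report the same SAN list and the same matching entry.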
  3. eva2000

    eva2000 Administrator Staff Member

  4. rdan

    rdan Well-Known Member

    Nyay, hehe.
    So the SSL Labs test issue happens on wildcard/Cloudflare certificates.