ssl certificate self signed instead of valid


SNI-Hole

You've fallen into a SNI hole.

SNI is server name indication. This allows you to have multiple different hostnames living on the same shared IP. And if you don't actually indicate a servername to an SNI-enabled server, then you get back the default certificate. (This is the "SNI hole" part.)

And OpenSSL will not supply a servername to the TLS server unless you tell it to. Use the -servername parameter for that.

$ echo '' | openssl s_client -showcerts -connect www.unival-logistics.com:443  -servername www.unival-logistics.com 2>/dev/null | grep -Ei 'subject|issuer|return'
subject=/C=US/OU=Domain Control Validated/CN=www.unival-logistics.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
    Verify return code: 20 (unable to get local issuer certificate)

If you leave that out, then you get the default certificate for that host. And here that is a self-signed certificate. (And I don't think it should be there either. Makes no sense to deliver a self-signed cert.)

$ echo '' | openssl s_client -showcerts -connect www.unival-logistics.com:443  2>/dev/null | grep -Ei 'subject|issuer|return'
subject=/O=americanfuturegate.com/CN=*.americanfuturegate.com/[email protected]
issuer=/O=americanfuturegate.com/CN=*.americanfuturegate.com/[email protected]
    Verify return code: 18 (self signed certificate)

Check that installation

Side note: I urge you to disable SSL3. (SSL Labs report here.)
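As an added example (not part of the original answer), the check below automates what the answer does by hand: it builds the two openssl s_client invocations (with and without -servername), parses the subject, issuer and "Verify return code" lines from the output, and reports whether the host sits in an SNI hole whose default certificate is self-signed. The sample outputs, the example.net/example.org hostnames and the verdict labels are constructed here for illustration and are not from the page; run_probe() shells out to the real openssl binary and is only needed for a live check.

```python
"""Detect an "SNI hole": compare the certificate a TLS server presents with
and without a servername (SNI) and flag a self-signed default certificate.
Added example; the sample outputs below are constructed, not captured."""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# OpenSSL X509_V_ERR_* codes that s_client reports for a self-signed leaf
# (18) or a self-signed certificate somewhere in the chain (19).
SELF_SIGNED_CODES = {18, 19}


@dataclass
class ProbeResult:
    subject: Optional[str]
    issuer: Optional[str]
    verify_code: Optional[int]
    verify_msg: Optional[str]

    @property
    def self_signed(self) -> bool:
        # Either OpenSSL said so, or subject and issuer are literally equal.
        return self.verify_code in SELF_SIGNED_CODES or (
            self.subject is not None and self.subject == self.issuer)


def s_client_argv(host: str, port: int = 443, sni: bool = True) -> List[str]:
    """Build the openssl command line. With sni=False the -servername
    parameter is omitted, which is exactly the mistake in the question."""
    argv = ["openssl", "s_client", "-showcerts", "-connect", f"{host}:{port}"]
    if sni:
        argv += ["-servername", host]
    return argv


def parse_s_client(output: str) -> ProbeResult:
    """Extract the final subject=/issuer= lines and the verify result.
    Handles both the old '/C=US/CN=...' and the newer 'C = US, CN = ...' form."""
    subject = issuer = None
    code = msg = None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            subject = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            issuer = line[len("issuer="):].strip()
        else:
            m = re.match(r"Verify return code:\s*(\d+)\s*\((.*)\)", line)
            if m:
                code, msg = int(m.group(1)), m.group(2)
    return ProbeResult(subject, issuer, code, msg)


def run_probe(host: str, port: int = 443, sni: bool = True,
              timeout: int = 10) -> ProbeResult:
    """Live check: needs the openssl binary and network access."""
    proc = subprocess.run(s_client_argv(host, port, sni), input=b"",
                          capture_output=True, timeout=timeout)
    return parse_s_client(proc.stdout.decode(errors="replace"))


def classify(with_sni: ProbeResult, without_sni: ProbeResult) -> str:
    """Constructed verdict labels for the with/without-SNI comparison."""
    if with_sni.subject is None:
        return "no-certificate"
    if with_sni.subject == without_sni.subject:
        return "same-default"          # no SNI hole: one cert either way
    if without_sni.self_signed:
        return "sni-hole-self-signed-default"
    return "sni-hole"                  # different, but a real cert is default


# Constructed sample outputs shaped like the grep'd s_client output above.
# Code 20 on the with-SNI run means OpenSSL could not find the issuer in its
# trust store (no -CAfile given or intermediate not served); it is a separate
# problem from the self-signed default.
WITH_SNI_SAMPLE = """\
subject=/C=US/OU=Domain Control Validated/CN=www.example.net
issuer=/C=XX/O=Example CA/CN=Example Domain Validation CA
    Verify return code: 20 (unable to get local issuer certificate)
"""
WITHOUT_SNI_SAMPLE = """\
subject=/O=example.org/CN=*.example.org
issuer=/O=example.org/CN=*.example.org
    Verify return code: 18 (self signed certificate)
"""

if __name__ == "__main__":
    a = parse_s_client(WITH_SNI_SAMPLE)
    b = parse_s_client(WITHOUT_SNI_SAMPLE)
    print("with SNI:   ", a.subject, a.verify_code)
    print("without SNI:", b.subject, b.verify_code)
    print("verdict:    ", classify(a, b))
```

To check a real host, replace the two parse_s_client() calls with run_probe(host, sni=True) and run_probe(host, sni=False); a "sni-hole-self-signed-default" verdict is the situation described in the answer, and the fix is on the server side (serve a proper default certificate), not in the client.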


Updated on September 18, 2022

Comments

  • Aleksandar Pavić almost 2 years

    I've purchased a valid certificate:

    For example this site validates it: https://sslanalyzer.comodoca.com/?url=www.example.com

    But when I test it with openSSL, like this:

    openssl s_client -showcerts -connect www.example.com:443

    I get

    Verify return code: 18 (self signed certificate)

  • Aleksandar Pavić over 8 years
    Thanks, eventually I figured it out, purchasing new certificate now...
  • Aleksandar Pavić over 8 years
    Can you please remove my email from dmarc code... Btw, I've resolved all problems...