SSL certificate self-signed instead of valid
SNI-Hole
You've fallen into an SNI hole.
SNI is Server Name Indication. It allows multiple different hostnames to live on the same shared IP. If you don't actually indicate a server name to an SNI-enabled server, you get back the default certificate. (This is the "SNI hole" part.)
And OpenSSL will not supply a server name to the TLS server unless you tell it to. Use the -servername parameter for that.
```
$ echo '' | openssl s_client -showcerts -connect www.unival-logistics.com:443 -servername www.unival-logistics.com 2>/dev/null | grep -Ei 'subject|issuer|return'
subject=/C=US/OU=Domain Control Validated/CN=www.unival-logistics.com
issuer=/C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - SHA256 - G2
Verify return code: 20 (unable to get local issuer certificate)
```
If you leave that out, then you get the default certificate for that host. And here that is a self-signed certificate. (And I don't think it should be there either. Makes no sense to deliver a self-signed cert.)
```
$ echo '' | openssl s_client -showcerts -connect www.unival-logistics.com:443 2>/dev/null | grep -Ei 'subject|issuer|return'
subject=/O=americanfuturegate.com/CN=*.americanfuturegate.com/[email protected]
issuer=/O=americanfuturegate.com/CN=*.americanfuturegate.com/[email protected]
Verify return code: 18 (self signed certificate)
```
Check that installation
Side note: I urge you to disable SSL3. (SSL Labs report here.)
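To see the SNI hole reproduced end to end without any network or a real CA, here is an added Go example (not part of the answer above): an in-memory TLS server that hands out a per-name certificate when the ClientHello carries that SNI name and its default certificate otherwise, and a client that handshakes once with a ServerName and once without, exactly as openssl does with and without -servername. The certificate names are constructed, the hypothetical helper ServedCN returns the CN the server actually served, and verification is skipped only because both certificates are self-signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for cn (constructed test data).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{cn}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// ServedCN runs an in-memory TLS server that picks its certificate from the SNI
// name and falls back to defaultCN when the client sends none, handshakes with it
// using the given ServerName (empty = no SNI extension at all), and returns the CN
// of the leaf certificate the server actually presented. Verification is skipped
// because both certificates are self-signed; we inspect the chain, not trust it.
func ServedCN(defaultCN, namedCN, sni string) (string, error) {
	named, fallback := selfSigned(namedCN), selfSigned(defaultCN)
	srvCfg := &tls.Config{GetCertificate: func(h *tls.ClientHelloInfo) (*tls.Certificate, error) {
		if h.ServerName == namedCN {
			return &named, nil
		}
		return &fallback, nil // no or unknown SNI: the default certificate (the "SNI hole")
	}}
	srvConn, cliConn := net.Pipe()
	defer cliConn.Close() // also unblocks any write the server goroutine is still waiting on
	go func() {
		s := tls.Server(srvConn, srvCfg)
		s.Handshake()
		srvConn.Close()
	}()
	c := tls.Client(cliConn, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err := c.Handshake(); err != nil {
		return "", err
	}
	return c.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```

ServedCN("default.invalid", "www.example.com", "www.example.com") yields "www.example.com", while ServedCN("default.invalid", "www.example.com", "") yields "default.invalid", which is the same difference the two openssl runs above show.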
Updated on September 18, 2022
Comments
-
Aleksandar Pavić almost 2 years
I've purchased a valid certificate:
For example, this site validates it: https://sslanalyzer.comodoca.com/?url=www.example.com
But when I test it with OpenSSL, like this:
```
openssl s_client -showcerts -connect www.example.com:443
```
I get
```
Verify return code: 18 (self signed certificate)
```
-
Aleksandar Pavić over 8 years
Thanks, eventually I figured it out, purchasing a new certificate now...
-
Aleksandar Pavić over 8 years
Can you please remove my email from the DMARC code... Btw, I've resolved all problems...