Security Certificate Question or Problem???


daskunk

I'm not sure where to post this because we aren't sure where the problem is. So for now it's a question. I have a dozen users of my daskunk.heliohost.org domain (website) and ever since July 4th a few of us can no longer access it. We are getting invalid security certificate messages like:

Your PC doesn’t trust this website’s security certificate.

Error Code: DLG_FLAGS_INVALID_CA

However the other users can still access the site. We use a myriad of devices (Windows laptops of different Windows versions, Macs, iPads, iPhones, Androids, etc.) so we aren't sure if the problem is on the Heliohost side or somewhere else. So the first question is: is it possible the security certificate on my domain is indeed invalid or corrupt? Is there any way the Heliohost support staff can check or confirm the certificate is valid?

If it is valid then the next question is can I create a new domain with a completely different domain name but not disturb the existing domain in any way? (I don't want to break the site for those still able to use it). In other words what are the rules for naming the new domain and can I make it so none of the files in the existing domain are accessed when visiting the new domain. The test would be to see if we get the same security warning when visiting a different Heliohost domain that only has a simple index.html file and no other content. That may help us track down the source of the problem.

Thank you in advance for your help.


Your ssl certificate is valid, and it appears as if autossl is working fine. https://www.sslshopper.com/ssl-checker.html#hostname=daskunk.heliohost.org

The CA error means that it is the "cPanel, Inc. Certification Authority" or the "COMODO RSA Certification Authority" chain that is the problem. Neither of these CAs has revoked their certificate, and both are valid until 2025+. The certificate that domain is using was issued on June 7th, so it's strange that it started happening on July 4th. You went almost a month using that same certificate before anyone noticed any issues with it.

Anyways, here is an article for understanding that error and some ideas of how to fix it: https://geekermag.com/error-code-dlg_flags_invalid_ca/ One that is really simple that stands out to me is simply clearing your browser cache.


Thank you so much for checking into that. I really appreciate it. I did read through the article and tried all the relevant items and am still seeing the issue. So now I suspect something on our side. The next step would be my second question in my post.

Can I create a new domain with a completely different domain name but not disturb the existing domain in any way? (I don't want to break the site for those actively using it). In other words what are the rules for naming the new domain and can I make it so none of the files in daskunk.heliohost.org are accessed when visiting the new domain. The test would be to see if we get the same security warning when visiting a different Heliohost domain that only has a single index.html file and no other content. That would tell us if we have a new security check that is rejecting some piece of content on my existing site --or-- outright rejecting https://<anything>.heliohost.org as being a potentially unsafe site.

 

I did read your online documentation under Create a New Domain but it wasn't quite clear on the naming rules for the new domain or whether I could have the data completely segregated so that no access is done to the existing files.

Thank you again


We don't actually offer heliohost.org subdomains anymore. Since you created your account prior to us getting the heliohost.us domain you're allowed to keep your domain, but no one can have new ones.

As far as setting up a separate domain, probably the easiest would be to register a domain for free at Freenom and add it as an addon domain to your account. Addon domains are completely separate from your main domain.

If you think it's somehow related to the heliohost.org subdomain, you can try going to https://krydos.heliohost.org/. It uses the same autossl certificate on the same server as you.


Again thank you for the information and the link. Interestingly the krydos link works fine!  Simply substituting daskunk for krydos in the url causes the security failure. So it seems like it's something specific to my site and something that changed between July 3 and 4. So I'll have to start backing out recent changes to see if I can figure it out.

Thank you again so much for the help.


Thank you again for trying that. Unfortunately I still am getting the Security warning. I made sure to clear my browser cache and restart Firefox.

Someone could be trying to impersonate the site and you should not continue.
 
Websites prove their identity via certificates. Firefox does not trust daskunk.heliohost.org because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
 
Error code: SEC_ERROR_UNKNOWN_ISSUER

 

Also I received an email indicating the certificate was renewed. It shows 7 error messages. Should I be concerned about those?

 

AutoSSL has renewed “daskunk.heliohost.org”’s Domain Validated (DV) SSL certificate. The new certificate lacks 7 of the website’s domains:

 

⛔mail.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “mail.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔www.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “www.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔cpanel.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “cpanel.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔webmail.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “webmail.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔webdisk.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “webdisk.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔cpcontacts.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “cpcontacts.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.
⛔cpcalendars.daskunk.heliohost.org (checked on Jul 13, 2021 at 2:09:49 AM UTC)
There is no recorded error on the system for “cpcalendars.daskunk.heliohost.org”. This might mean that this domain failed DCV (Domain Control Validation) when the system requested the new certificate, but the domain has since passed DCV.

 

If these domains do not need valid SSL, then you do not need to take any further action. However, if you want AutoSSL to secure these domains, you must resolve the above problems.

 

 


I discovered something else that might be helpful. I can no longer ftp to daskunk.heliohost.org. I get a connection time out error. That also happened on July 4th but I assumed it was the system. I just tried it again and it's still failing. However I was able to make an ftp connection to krydos.heliohost.org. So if you can think of something common between the web site SSL certificate and not being able to make an ftp connection, that may be a clue.

Earlier I tried numerous things with hiding/deleting files in case the problem really has to do with content, but nothing I tried made any difference. I even renamed my public_html folder so as to hide all the files, and still got the SSL certificate error.


Are you only using Firefox? Does the same error come up with other browsers? I viewed your site with Chrome, Safari, and Edge and it works on all of those. Maybe it's something specific to Firefox? I don't have Firefox installed so I can't test that.


Thanks again for all the testing. Yes, we are seeing the problems on multiple browsers & devices, but these are all under a common security application. The other users outside of this group (and even an old laptop I have which is totally non-associated to this group) all work fine. The reason we weren't sure it was on our side was because all information we're getting is there were no changes or updates during the July 4th weekend. Yet everything worked fine on Saturday and somehow broke on Sunday. I'm sure you understand that given the trouble began on a holiday (and a Sunday) we were leaning towards something being down on your side. I was traveling all of last week so I couldn't look into it until the past 2 days.

We are trying to find out what happened on our side. Either it simply doesn't like the domain name (daskunk) anymore and somehow thinks it's a malicious or unsafe site --or-- it doesn't like the content on my site. But I hid the entire public_html folder structure and still got the security violation. Which makes me think it's "daskunk" because krydos.heliohost.org works just fine!

One thing that I was wondering if you could do that could help if it turns out these laptops are permanently blocked ... when my account was migrated to Tommy I noticed that whenever I compress (zip) files and then use CPANEL to upload/download the zip file, when I extract the zip, the time stamps on all the files are off. The time stamps change from their correct local time (ET for me) to UTC time. So the end result is the file on my laptop winds up being 4 hours different from the file on Tommy after doing the zip-upload/download process. That never happened on Ricky. I would routinely zip a bunch of files on my laptop, upload them via CPANEL, and extract them in the CPANEL File Manager and the timestamps were maintained. But not on Tommy. Is there any way to fix that? I could live with it before because when I needed to maintain timestamp accuracy I would just FTP the files. But now that I can't FTP to the site either, literally the only working tool I have now is CPANEL. I would really be grateful if this could be helped.

 

Thanks again

 


1 hour ago, daskunk said:

could help if it turns out these laptops are permanently blocked

The IP you posted from is not blocked. If you provide some other IPs that you think are blocked I could check them too.

 

1 hour ago, daskunk said:

But now that I can't FTP to the site either

Is there any error when you try to FTP? Are you using FTPS, FTP, or SFTP? We recommend SFTP. FTP is insecure, and FTPS rarely works right.

  

1 hour ago, daskunk said:

when my account was migrated to Tommy I noticed that whenever I compress (zip) files and then use CPANEL to upload/download the zip file, when I extract the zip, the time stamps on all the files are off. The time stamps change from their correct local time (ET for me) to UTC time. So the end result is the file on my laptop winds up being 4 hours different from the file on Tommy after doing the zip-upload/download process. That never happened on Ricky. I would routinely zip a bunch of files on my laptop, upload them via CPANEL, and extract them in the CPANEL File Manager and the timestamps were maintained. But not on Tommy. Is there any way to fix that?

Does this help? https://unix.stackexchange.com/a/164093 It seems like the topmost directories lose their timestamp, but all files and subdirectories should keep them.


Sorry I don't have any other IPs to provide that are causing trouble. It only seems to be my site (daskunk.heliohost.org). As I mentioned earlier about half of my users have no problem at all accessing it so I know the site is not "generally blocked". We are trying to determine (for the handful of us having the problem) whether it's "locally blocked" by the security software we have and what happened on July 4th to start blocking us.

 

I did try ftp and sftp. The problem in both cases is a connection time out. I did a very simple test:

ftp daskunk.heliohost.org       // connection time out

ftp krydos.heliohost.org         // connected immediately

 

So it seems our laptops are blocked from any type of connectivity/communication with daskunk.heliohost.org.

 


As for the zip timestamp issue, thanks for the link but it doesn't help. Again I did a very simple test. Using CPANEL, I zipped 2 files in one of my folders, downloaded the zip to my laptop, and looked inside the zip file. The timestamps on both files are exactly 4 hours off. For example, looking at one file, on Tommy the timestamp is June 22, 10:15 PM (which is correct, that was the local time when the file was put there). In the zip file, it shows June 23, 2:15 AM which happens to be the UTC time of the file (my local time + 4 hrs).

 

When my account was migrated over a year ago, I noticed it and asked about it. I don't remember the exact response, but apparently you were aware of it and it had something to do with how Tommy is configured compared to Ricky. I was just wondering if there's any way to resolve it.

 

Thanks again

 


Thank you again for all the testing and help thus far. We did some further testing on our side and we are getting certificate errors on multiple platforms (Windows 10 and IOS Big Sur 11.3.1 and 11.4). The problem is not our ISP (as we all use different ISPs) nor is it our laptops (per se). However we do think it's related to our security package (the common denominator amongst us). We tested several laptops without this security package and they all work fine.

Even though the certificate is valid and newly generated, is there any possibility that this could be our issue since the certificate issuer is OpenDNS?

https://support.opendns.com/hc/en-us/articles/227987007-Block-Page-Errors-Installing-the-Cisco-Umbrella-Root-CA

Our browser updates are part of the security package we use, and thus we don't normally install any add-ons.

This is the error I get in Firefox when trying to add daskunk.heliohost.org as an exception and I click on Get Certificate:

[Attached image: image.png]

 

The krydos.heliohost.org certificate is not issued by OpenDNS and does not have the Cisco Umbrella Secondary SubCA piece. We have no trouble accessing krydos.heliohost.org.

Is there a way we can get a certificate generated similar to krydos.heliohost.org on daskunk.heliohost.org?

 

Thank you again
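
The comparison this thread converges on, as an added example that is not part of the original posts: capture the issuer and SHA-256 fingerprint that the same hostname presents to an affected machine and to an unaffected one, then compare them. The function names, verdict strings and sample summaries are assumptions constructed for illustration; the issuer names in the samples are the ones mentioned in the thread and the fingerprints are invented.

```shell
#!/bin/sh
# Added example: compare the leaf certificate one hostname presents to two
# vantage points, e.g. a laptop behind the security package and one outside it.

# Live capture (needs network and the openssl CLI); run on each machine and save.
leaf_summary() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -issuer -fingerprint -sha256
}

# Extract fields from a saved summary. The fingerprint label is matched loosely
# because OpenSSL versions print "SHA256 Fingerprint=" or "sha256 Fingerprint=".
get_fp()     { printf '%s\n' "$1" | sed -n 's/^[A-Za-z0-9]* Fingerprint=//p' | head -n 1; }
get_issuer() { printf '%s\n' "$1" | sed -n 's/^issuer=[[:space:]]*//p' | head -n 1; }

# Print a verdict for two summaries of the same hostname.
compare_views() {
    fp_a=$(get_fp "$1"); fp_b=$(get_fp "$2")
    is_a=$(get_issuer "$1"); is_b=$(get_issuer "$2")
    if [ -z "$fp_a" ] || [ -z "$fp_b" ] || [ -z "$is_a" ] || [ -z "$is_b" ]; then
        echo "incomplete-capture"
    elif [ "$fp_a" = "$fp_b" ]; then
        echo "same-certificate"
    elif [ "$is_a" = "$is_b" ]; then
        echo "reissued-same-issuer"   # e.g. an AutoSSL renewal between captures
    else
        echo "different-issuer"       # something in the path re-signed the connection
    fi
}

# Constructed sample summaries: issuer names from the thread, fingerprints invented.
OUTSIDE='issuer=O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
SHA256 Fingerprint=11:11:11:11'
INSIDE='issuer=O = OpenDNS, CN = Cisco Umbrella Secondary SubCA
sha256 Fingerprint=22:22:22:22'
RENEWED='issuer=O = "cPanel, Inc.", CN = "cPanel, Inc. Certification Authority"
SHA256 Fingerprint=33:33:33:33'

compare_views "$OUTSIDE" "$INSIDE"
compare_views "$OUTSIDE" "$RENEWED"
compare_views "$OUTSIDE" "$OUTSIDE"
```

Run `leaf_summary daskunk.heliohost.org` on each machine, save the two outputs, and pass them to `compare_views`; capture both close together in time so a renewal does not sit between them.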

 
