SSL Certificates - The common name is causing problems

Discussion in 'General troubleshooting' started by Violynne, May 1, 2015.

  1. The knowledge base is lacking some serious information, and I wish Winhost would take the time to update the page rather than give examples without possible solutions.

    Here's the issue: recently, my SSL cert expired (intentionally) because I purchased the wildcard version last year only to find out it does NOT cover "domain.com" websites.

    So, today I purchased the "domain.com" $29 cert and registered my site (peppermintvault.com) without the "www" prefix.

    Now the cert doesn't work at all, giving me a message stating that it only covers "peppermintvault.com".

    The problem is the domain constantly returns to www.peppermintvault.com and I have absolutely no idea how to stop it from doing it.

    I've altered my web.config file to remove the redirect to "peppermintvault.com" from the HTTP request, so there are no longer any redirects.

    Can someone here explain to me how in the world we're supposed to cover BOTH the "www." and the non "www." part using a single certificate, because IT'S BAFFLING!

    There is no way to add two certs to one site from the CP, so any help will be greatly appreciated.

    In the meantime, I'm going to have no choice but to spend yet another $29 to generate a "www." cert and remove the existing cert. :mad:

    UPDATE:
    Seems the cert is working for the non www version of the site. I guess it took a bit of time to register the cert?

    Also saw I can add additional certs, so now I have two.

    All's well, but sheesh what a headache. :p
     
    Last edited by a moderator: Oct 14, 2015
  2. SSL certificates are not exactly simple or intuitive to use, and recent events just add a new layer of confusion. Glad you got yours sorted out though.

    If you have a suggestion for the Knowledge Base we'd be glad to hear it. For a subject like SSL certificates there's a lot of information to provide and it isn't easy to make it digestible.
     
    Last edited: Oct 14, 2015
  3. Suggestions I have:

    -A wildcard cert will NOT cover "domain.com". It will also not cover mail.domain.com or ftp.domain.com, since they reside on separate servers.

    -A minimum of two SSL certs will be required to cover single domain registrations. One cert will cover "domain.com" and the other will cover "www.domain.com". Sub-domains will also require individual SSL cert purchases if a wildcard cert is not used.

    That'll help, I think. :)
     
  4. ComputerMan, Winhost Staff

    If you need to cover domain.com and AnySubdomainName.domain.com, then you need to get the GeoTrust True BusinessID Wildcard. As stated on their site: https://www.geotrust.com/ssl/wildcard-ssl-certificates/ "Bonus: secure domain.com for free when you order *.domain.com"

    Mail.domain.com points to our mail server. So we can't add the SSL Certificate to it. The SSL Certificate you add to your site account only works on the web server.
    ftp.domain.com points to our web server but it uses the web server's SSL Certificate.

    We only allow you to install one SSL Certificate on a site account. You can't install two SSL Certificates. If you require a Multi Domain Name SSL Certificate you may install it and add the alternative subject names at a later time with the SSL provider. You would need to create the CSR on our web server if you plan to use the Multi Domain Name SSL Certificate on our web server for your site account. Contact the SSL provider that sells a Multi Domain Name SSL Certificate and provide them with the CSR.
     
  5. ComputerMan, Winhost Staff

    The SSL Certificate you have installed must be the GeoTrust QuickSSL Premium certificate since that covers both www. and the main domain name. You can see that in the alternative subject name information for the SSL Certificate:

    DNS Name=www.peppermintvault.com
    DNS Name=peppermintvault.com

    As stated in the article here: https://www.geotrust.com/ssl/ssl-certificates-premium/

    It says: Bonus: Secure domain.com for free when you order www.domain.com *
     
  6. Arrrrrrrrrrgh! See, this is so confusing to me! When I spoke to the folks at Rapid, they told me I would need two certs, so I bought another one. Here's my current listing for certs for my domain, peppermintvault.com:

    www.peppermintvault.com
    RapidSSL
    Issued 05/01/2016

    peppermintvault.com
    RapidSSL
    Issued 05/01/2016

    So, does this mean only 1 cert is now active? The step-by-step guide showed me how to add both certs.

    The service rep at Rapid told me the server had nothing to do with the cert, but the domain name and pointer did. If both are pointing to the same location, both had to have separate certs. He said the reason is the "." before "peppermintvault", which counts as a qualifier (my word, as I can't remember what he called it). Wildcard certs look for the domain name, then the qualifier, and resolve accordingly. Last year, the wildcard cert I bought did NOT cover "peppermintvault.com", to which I was recommended to put a redirect on IIS.

    Since there is no "." before the name "peppermintvault", then there was nothing to resolve. The example was anything before "peppermint" couldn't be treated as the wildcard, for example, "icecreampeppermintvault" couldn't be covered by the wildcard cert. Without the ".", it might as well be icecreampeppermintvault. That's why he said the other cert would cover the name without the ".".

    When I get some time, I'll remove the redirect script that was added last year to cover what the wildcard cert didn't and see if "peppermintvault.com" shows the lock in the address bar. If it doesn't, I guess I wasted money again. >:[
     
  7. I have no idea. I simply followed the instruction on Winhost. There are only two cert options to buy.

    This was due to the misunderstanding of the common name, which I put down as "peppermintvault.com". I had no clue it meant to include the "www." as well. That cert did NOT cover "www.peppermintvault.com", so I purchased the other one and put the common name as "www.peppermintvault.com".

    I'm pretty sure I purchased two $29 certs, as linked from Winhost. Huh. Having just looked at the cert listings, when did the other non-Rapid SSL options get added?
     
  8. ComputerMan, Winhost Staff

    Now I feel like having some ice cream.

    It can be and I feel your pain. That's why we are here to help you figure all this out. We know our hosting environment and the SSL provider really can only give you generic information. Technically you can install two SSL Certificates on the server. But in our hosting environment we don't allow this option.

    That's why it's important to choose the correct one before ordering.

    That was the correct one you ordered since it covers/protects both: peppermintvault.com and www.peppermintvault.com

    That is what you want. Right?

    You did, I can see it in our system.

    One has a common name of: www.peppermintvault.com (This is the correct one)
    The other one has the common name of: peppermintvault.com (The wrong one you bought)

    You can contact our billing department to see what they can do for you in regards to the wrong one you bought.

    Make sure when you contact them that the wrong SSL Certificate is the one with the common name: peppermintvault.com
    Tell them to make sure to leave the SSL Certificate with the common name: www.peppermintvault.com alone and don't touch it. That's the one that protects both: www.peppermintvault.com and peppermintvault.com
     
    Last edited by a moderator: Oct 14, 2015
  9. Except that it doesn't cover it, which is why I bought the other one.

    After I bought the cert, I removed the redirect script from IIS. www. worked perfectly, but when I typed in "peppermintvault.com", without the www., I got the "This certificate is not valid for this site" (or something like that - though I'm pretty sure it said the common name could not be resolved or trusted with the existing cert).

    I waited, and tried again a few hours later, just to ensure there was no delay in setting it up, and the same message appeared.

    The information you provided certainly explains why the other cert didn't work.

    Bottom line was to throw the redirect script back into place and just allow the "www.peppermintvault.com" cert to take over from there.

    That's why the guy at Rapid told me the non-www. site won't be covered because "peppermintvault.com" is not a (or rather, the) common name.

    Isn't the common name supposed to be the domain?

    Years ago, on another web hosting site that's now long dead, I remember their customer service person telling me that having the "www." in front of the name would be beneficial since most people add it, and if I stuck with the non-www name, I should order the other with it and point it to the same server (to keep anyone else from taking it).

    I don't believe this has changed, and looking at my domain list and seeing both names on it, this tells me it hasn't.

    What's the common name of "www.peppermintvault.com" AND "peppermintvault.com"?
     
  10. ComputerMan, Winhost Staff

    The common name is what you want to cover with the SSL Certificate.

    There are some people who want to use the common name/encrypt the URL store.YourDomainName.com or secure.YourDomainName.com or whatever they wish to use.

    The alternative subject names are the following for the current SSL certificate:

    (www.peppermintvault.com, peppermintvault.com)

    The current SSL Certificate you have on your site account is supposed to protect both of them: www.peppermintvault.com, peppermintvault.com

    You can also confirm this by using your UIP number for your domain name with HTTPS here: https://199.233.253.147/

    It will throw an error message on Firefox BUT that's because the SSL Certificate doesn't cover the IP number. However, if you click on "Technical Details" the error message clearly states the following:

    The certificate is only valid for the following names: www.peppermintvault.com, peppermintvault.com

    So the SSL Certificate you have now does protect both URLs.

    The common name for the SSL Certificate you're currently using is: www.peppermintvault.com

    BUT because of the type of SSL Certificate you're using, it covers both "www.peppermintvault.com" AND "peppermintvault.com"
     
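
The name-matching rule discussed in this thread, as an added example (not part of the original posts and not Winhost's or any CA's code). It matches hostnames against subjectAltName DNS entries only, as current browsers do, using constructed SAN lists built from the names quoted above; the function and dictionary names are hypothetical.

```python
# Added example: RFC 6125-style hostname matching against a certificate's
# subjectAltName DNS entries. The SAN lists are constructed from names
# quoted in the thread; nothing is read from a live server.

def name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName entry against a hostname.

    A wildcard is honoured only as the entire left-most label and stands
    for exactly one label, so *.example.com covers www.example.com but
    neither example.com nor a.b.example.com.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Require at least "*.domain.tld" and a non-empty first label.
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h


def covers(san_dns_names, host):
    """True if any SAN entry matches; the Common Name is not consulted."""
    return any(name_matches(n, host) for n in san_dns_names)


# Constructed SAN lists modelling the certificates discussed in the thread.
CERTS = {
    "san_www_and_bare": ["www.peppermintvault.com", "peppermintvault.com"],
    "bare_only": ["peppermintvault.com"],
    "wildcard_only": ["*.peppermintvault.com"],
}
HOSTS = ["peppermintvault.com", "www.peppermintvault.com",
         "icecreampeppermintvault.com", "199.233.253.147"]


def coverage_table():
    """Map each modelled certificate to the hosts it is valid for."""
    return {label: [h for h in HOSTS if covers(sans, h)]
            for label, sans in CERTS.items()}


if __name__ == "__main__":
    for label, hosts in coverage_table().items():
        print(f"{label:18} -> {hosts}")
```

Only the certificate whose SAN list carries both names is valid for both URLs; the IP address matches none of them, which is why browsing to it by HTTPS produces a name-mismatch warning that lists the covered names.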
  11. Here I was thinking it was because I had two certs why it all worked. Given only one cert works on this site, I reconfigured my config file to redirect only http traffic, and sure enough, it's working.

    One final question: I'd like to remove the useless "peppermintvault.com" cert from the SSL Certificates page. I don't see an option to do this, so is there a way I can do it or should I just ignore it?
     
  12. ComputerMan, Winhost Staff

    If it was me I would just ignore it. But that's just me.

    If you like I would suggest you contact our billing department to see if they can do anything for you in regards to the extra SSL certificate you ordered.
     
  13. I will ignore it then. :)

    Thanks for all your help!
     
