Domain mismatch on SSL certificate

Summary
I am having an issue where the padlock in the browser does not appear. This is because the domain name on the SSL certificate does not match the domain name of the URL being navigated to in the browser. Is there some way to resolve this?

Details
We have a store on a platform called Storenvy. It is a marketplace for buyers and sellers, like Etsy. We have it set up so that our domain name store.stelladivina.com goes to our store hosted on Storenvy’s server. This is implemented by changing the A record for store.stelladivina to the IP address of the Storenvy server.

Store.stelladivina and Storenvy are both hosted on different servers. We do not have control or access to Storenvy’s server.

Things were fine until a week or so ago. Now when you navigate to store.stelladivina in the browser, you get this:

Basically, to my understanding, the error message means that the SSL certificate for the Storenvy site has *.storenvy and storenvy, while the website you are navigating to has the domain name of store.stelladivina. Because these don’t match, the browser thinks it’s some kind of attack.

According to Storenvy, you can solve that by integrating with Cloudflare. (https://support.storenvy.com/hc/en-us/articles/360038746152-How-do-I-get-my-custom-domain-to-show-as-secure-) So I went through the hassle of setting this up. However, when I turn the orange cloud on with Full (strict mode) for store.stelladivina, it then looks like this:

That pretty much looks like the original problem I encountered. The Storenvy SSL certificate is still valid since it expires in March 2021. I would guess the problem is, again, that the SSL certificate lists *.storenvy and storenvy instead of store.stelladivina. So my question is, is there any way to resolve this through Cloudflare? Or is this problem just not solvable?

Additional Information
I double checked that the IP address in the A record is correct. It is. I also did a test to see whether I did something wrong with my Cloudflare setup. I created a test subdomain at test.stelladivina. It works properly:

Storenvy Customer Service is no help. They say, “What i am Suggesting is you contact your Hosting Service, If its Couldfare and tell them you are having trouble Pointing the Domain to Storenvy and they will help you fix it easily. SSL is totally different from the existing issue you are facing. That needs to be fixed first. I would have helped you if i could. Please reach out to your hosting Service.” (that’s a literal copy/paste)

I would guess that if the domain was not pointing correctly to Storenvy, then I would not be getting errors about the SSL certificate having *.storenvy and storenvy on it. Also, in the first screenshot, you can see the site if you click on the link that says “Proceed to store.stelladivina (unsafe).” But the long term solution isn’t to tell prospective customers to ignore the message.
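The name check behind the mismatch described in the post above, as an added example (not code from this thread, Storenvy or Cloudflare): a simplified RFC 6125-style matcher for DNS names in a certificate's subjectAltName. The SAN list is constructed from the names mentioned in the thread, assuming the `.com` suffix; the function names are illustrative.

```python
# Simplified hostname-vs-certificate matching (RFC 6125 style).
# Constructed sample data: SAN entries as described in the thread.
SAMPLE_SANS = ["*.storenvy.com", "storenvy.com"]


def _labels(name):
    """Normalise a DNS name: drop trailing dot, lowercase, split labels."""
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers the requested hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h:
        # A wildcard stands for exactly one label, so label counts must
        # agree: *.storenvy.com covers neither storenvy.com nor a.b.storenvy.com.
        return False
    if p[0] == "*":
        # Only a whole left-most label may be a wildcard, and at least
        # two fixed labels must follow it (no "*.com").
        if len(p) < 3 or any("*" in label for label in p[1:]):
            return False
        return p[1:] == h[1:]
    if any("*" in label for label in p):
        return False  # partial wildcards such as "s*.example.com" are rejected
    return p == h


def cert_covers(sans, hostname):
    """True if any SAN entry on the certificate covers the hostname."""
    return any(san_matches(s, hostname) for s in sans)


def check(sans, hostnames):
    """Map each hostname to whether the certificate is valid for it."""
    return {h: cert_covers(sans, h) for h in hostnames}


if __name__ == "__main__":
    names = ["store.stelladivina.com", "stelladivina.storenvy.com",
             "storenvy.com", "a.b.storenvy.com"]
    for host, ok in check(SAMPLE_SANS, names).items():
        print(f"{host:28} {'match' if ok else 'MISMATCH'}")
```

The custom domain fails this check no matter which IP address the A record holds, because the comparison is between the name in the URL and the names on the certificate the server presents.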

So, you don’t have control over the SSL certificate in storenvy? You cannot replace the SSL certificate from the storenvy.com ones to stelladivina.com on their side?

@sandro any advice? I believe their SSL mode is Full (strict) right now.

Thank you for your reply. Yes, I do not have control over the SSL certificate in Storenvy. I can request that their customer service do something. However, their customer service appears to not know what they’re doing, so if I request anything - I would basically have to tell them what to do. And judging from my previous interactions, I’m not sure they would accommodate me even if I was super specific. (If, however, you or anyone else knows what I could tell them to do, I would still try anyway.)

Yes the SSL mode is full (strict). I tried setting it to just “Full”, but got the error message shown in the first screenshot in my last post. Currently I have the orange cloud turned off for store.stelladivina.

I believe this screenshot was taken when the proxy was not in place.

Yes, I know the screenshot you are referencing was what the browser showed when it was not proxied. I recall that it still looked like that when it was proxied on SSL full mode.

I edited my original post to clarify the second screenshot is for full (strict mode).

Perhaps the DNS proxy mode change was not yet propagated to all DNS servers. Hence the error.

Thanks. Well, I guess I will have to try the full mode again. I will send an update tomorrow morning. That should be enough time.


One question: is store.stelladivina.com a CNAME record pointing to storenvy.com?

No it’s an A record.

I will double check in the morning but it actually looks like it works now, on full mode.

If they could provide a subdomain for you to point via CNAME instead of just giving you an IP address, things can be better.

With the CNAME record, you can actually have Full (strict) mode enabled, plus no more Error 526. Perhaps you may try to ask them whether they can provide a subdomain instead of an IP address?

Thanks, it is still working so I have marked your post as providing the solution. I will tell them to update their documentation. However, since their customer service is inept, I doubt they will do it.

I will also give them your suggestion about CNAME. Their official documents direct you to create an A record, so unfortunately I don’t know that the CNAME will work. The store’s real address is stelladivina.storenvy.com. I may try changing the test subdomain to see if that will work. I don’t want to touch store.stelladivina again because it’s working and my client wants it working for the holiday shopping season.
