Error 526 - Invalid SSL certificate

General
#1

Hello, I’ve revoked my SSL certificate to change it, after 3 hours its still saying that certificate is invalid (I’ve cleaned cache several times)

Screenshots:

Screenshot_2022-04-18-17-13-59-915_com.android.chrome
Screenshot_2022-04-18-17-13-59-915_com.android.chrome1076×1434 98.4 KB

Screenshot_2022-04-18-17-13-48-907_com.android.chrome
Screenshot_2022-04-18-17-13-48-907_com.android.chrome1073×1431 101 KB

CURL output for zeronet.space:

❯ curl -svo /dev/null --resolve zeronet.space:443:xxx https://zeronet.space/
* Added zeronet.space:443:xxx to DNS cache     * Hostname zeronet.space was found in DNS cache
*   Trying xxx:443...
* Connected to zeronet.space (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
*  CApath: /data/data/com.termux/files/usr/etc/tls/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [4052 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
{ [264 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Finished (20):
{ [52 bytes data]
* TLSv1.2 (OUT), TLS header, Finished (20):
} [5 bytes data]
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Finished (20):
} [52 bytes data]
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=bravo785.startdedicated.de
*  start date: Apr 18 07:06:10 2022 GMT
*  expire date: Jul 17 07:06:09 2022 GMT
*  subjectAltName does not match zeronet.space
* SSL: no alternative certificate subject name matches target host name 'zeronet.space'
* Closing connection 0
* TLSv1.2 (OUT), TLS header, Supplemental data (23):
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, close notify (256):
} [2 bytes data]

CURL output for subdomain:

❯ curl -svo /dev/null --resolve community.zeronet.space:443:xxx https://community.zeronet.space/
* Added community.zeronet.space:443:xxx to DNS cache
* Hostname community.zeronet.space was found in DNS cache
*   Trying xxx:443...
* Connected to community.zeronet.space (xxx) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
*  CAfile: /data/data/com.termux/files/usr/etc/tls/cert.pem
*  CApath: /data/data/com.termux/files/usr/etc/tls/certs
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.2 (IN), TLS header, Certificate Status (22):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [122 bytes data]
* TLSv1.2 (IN), TLS header, Finished (20):
{ [5 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
{ [19 bytes data]
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Certificate (11):
{ [1207 bytes data]
* TLSv1.2 (OUT), TLS header, Unknown (21):
} [5 bytes data]
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0

Thanks in advance.
Dimitriy.

#2

Well, if you have revoked the certificate, it won’t be valid any more. You need to fix the server certificate and once that works, Cloudflare will accept it as well.

You probably best Cloudflare for now and unpause only once your site loads fine on HTTPS.

1 Like
#3

No, I’ve meant I revoked it, created new and changed it in the panel.

#4

You currently have a certificate with the serial number 2F:05:8A:6D:0A:9D:5E:95:59:62:03:A6:86:E7:5A:90:C0:BF:DF:A8 on the community host. Is that the certificate listed under Origin certificates?

1 Like
#5

How I can to check that?

#6

Can you post the certificate that is listed at https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin?

1 Like
#7 
-----BEGIN CERTIFICATE-----
MIIEpjCCA46gAwIBAgIUJtQYBSH27Re4o9cgYtvoTg6syUMwDQYJKoZIhvcNAQEL
BQAwgYsxCzAJBgNVBAYTAlVTMRkwFwYDVQQKExBDbG91ZEZsYXJlLCBJbmMuMTQw
MgYDVQQLEytDbG91ZEZsYXJlIE9yaWdpbiBTU0wgQ2VydGlmaWNhdGUgQXV0aG9y
aXR5MRYwFAYDVQQHEw1TYW4gRnJhbmNpc2NvMRMwEQYDVQQIEwpDYWxpZm9ybmlh
MB4XDTIyMDQxODEzMjIwMFoXDTM3MDQxNDEzMjIwMFowYjEZMBcGA1UEChMQQ2xv
dWRGbGFyZSwgSW5jLjEdMBsGA1UECxMUQ2xvdWRGbGFyZSBPcmlnaW4gQ0ExJjAk
BgNVBAMTHUNsb3VkRmxhcmUgT3JpZ2luIENlcnRpZmljYXRlMIIBIjANBgkqhkiG
9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvshU7LlKBcWxETAhc7RKFz/udv+B3uVZl7ve
Jz2rtpE+nuQfQXdqbD2yvIq8ksF+cBdXGLQXsGa5n7x1bulr/OHPqg1E+uPgaEvY
b/hnT3P/I4pGgAn2zEYzCR+70Wck7TSlSNI4joctp0TZebgHaC1V1gQ9SoItSkxQ
UM0qdVJKn2Lxg6Ec4iUqBFVjRSycXwtJ6gOpe0t7rHldYxK0773f6rOTfTpHglRn
txDPEZYkilCXjuwA+iDG/msWPwJza/xBRpuTtOiYv80Q+AWs1gPwVQ7cwY5EB1Nm
ZMqBkJmfCcfAqC7HkAqaCZGmiUeWlbKeSFqwD+qx7Tt/ju0P8wIDAQABo4IBKDCC
ASQwDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMCBggrBgEFBQcD
ATAMBgNVHRMBAf8EAjAAMB0GA1UdDgQWBBTvO3puSijRkoXt2D35kGuHBO29EDAf
BgNVHSMEGDAWgBQk6FNXXXw0QIep65TbuuEWePwppDBABggrBgEFBQcBAQQ0MDIw
MAYIKwYBBQUHMAGGJGh0dHA6Ly9vY3NwLmNsb3VkZmxhcmUuY29tL29yaWdpbl9j
YTApBgNVHREEIjAggg8qLnplcm9uZXQuc3BhY2WCDXplcm9uZXQuc3BhY2UwOAYD
VR0fBDEwLzAtoCugKYYnaHR0cDovL2NybC5jbG91ZGZsYXJlLmNvbS9vcmlnaW5f
Y2EuY3JsMA0GCSqGSIb3DQEBCwUAA4IBAQCCWpmatjATJ6PLMrO5hNo2dCFvtNg6
fbjtY4cpV524pxk6BaIiWH1+IZMih7omu0U+QClh3cuw3dHBVbIPHBhGPBA8P9WM
MgQ9KXr/xwftQUyhCpsEFqTf0+/jRJRWxed91ZLq3pXSmhSufg/o30JmXcJzCXu1
bAa1FwW8OT7GzjZY8JP84AUIi9S3y8yAcQ3OAIVxgWHLm7ut9+TZyM+Y3BpP8tLb
GT8kenfaWlEq07KYx6Z14lDc6zGO0zaUd7l6w0XiGNuPH+wDsvFBmaOghzIOs2mt
gIaONX91D2rToWObK04qneYkoXPjovurPIMxgwR/hFhcGUUhbDC7Xxx7
-----END CERTIFICATE-----
#8

This is not the certificate currently served by your server. Double check your configuration.

As I mentioned, pause Cloudflare and make sure the right certificate is served.

1 Like
#9

Oh, I think current situation repeats my previous thread, I’ll try after 30 minutes.

#10

If you have the wrong certificate configured, that won’t fix it either I am afraid.

1 Like
#11

I’ve checked certificates, the one from Cloudflare’s dashboard matches with one that is assigned to zeronet.space (maybe I’ve just have to wait? my friends certificate started working only after two days)

#12

All right, if your server takes time to reload the certificate, then that could certainly explain a delay. Right now, it simply does not serve the right certificate.

1 Like
#13

Okay, thank you for help, have a good day!

#14

Pleasure and thanks, you too.

1 Like
#15

Now I think that problem is not in the server, because I’ve deleted domain from hosting panel, added it again, and added new Origin certificate, after hour its still not working.

#16

Did you pause and check if you get the correct certificate?

#17

Yes, I’ve tried checking if they match with ones from Cloudflare and hosting panel, certificates from Cloudflare and hosting panel match, but the one from browser don’t (sorry for bad English)

#18

If you are still not getting the right certificate, I am afraid you can only contact your host to clarify this with them. That’s something they need to fix.

#19

Also, somewhy certificate is issued to the server hostname, not to my domain
image

#20

I have a dedicated server so I have full control