SSLLabs "Certificate name mismatch" with dedicated certificate

Hi All,

We have upgraded the certificate for this site to a dedicated certificate. Since we have done this, SSL Labs now reports a “certificate name mismatch” error when we try to scan any domain, e.g.:

https://www.ssllabs.com/ssltest/analyze.html?d=contractswise.com&hideResults=on

We have a few sites using Cloudflare free certificates and they all scan fine with SSLLabs.

I have spoken to SSLLabs support and they say there is an issue with the domain lookup and SOA. Is this correct? If so, is this something I have to configure?

If anyone could point me in the right direction about this issue it would be really helpful.

Many thanks,

Mo

I am not even sure their error message is accurate in the first place.

It does not seem to be so much a mismatch of the certificate name but they appear to be unable to fetch the certificate to begin with. Why that is, is something only they can clarify.

Your domain resolves fine and your Cloudflare certificate appears to be properly in place as well
https://www.sslshopper.com/ssl-checker.html#hostname=www.contractswise.com

It does not appear to be IP address related though, as these domains share the same addresses and checks go through

0to23.com
125huodongbanli.com
18269j.com

However, your DNS setup appears to be fine. They would need to elaborate on what exactly they consider to be the issue.

Thanks for the response @sandro , first SSL Labs said:

“Certificate name mismatch error occurs when the website domain name accessed is not included under certificate
Also the website is facing DNS lookup issue”

Then I responded to them saying that domain names appear to be correct, and I got this response:

“also you can verify from the certificate authority or the hosting service provider about the DNS SOA record”

Finally I asked them what I need to ask/configure in Cloudflare, they responded with:

"you can ask them to add the website domain

We are using the following IP address ranges: SSL Labs - 64.41.200.0/24 SSL Pulse - 64.39.109.20 Development SSL Labs server - 104.130.202.77

You can also whitelist these ip’s to allow scan on your website. In case the issue persists"

It sounds a little to me like the person doesn’t really know what the issue is and is trying to fob me off…

That is not correct I am afraid. The certificate does return the right hostname.

As I mentioned, from the screenshot it seems as if they can't fetch the certificate at all, but that is a completely different error and that's where they'd need to elaborate.

Not really accurate either.

The certificate is unrelated to the SOA record.

I am afraid that's how it appears to me as well.

Of course, I can't comment on what's exactly going on on their service, but to me it seems they can't get the certificate for some reason.


You can tell them to run the following command

openssl s_client -connect contractswise.com:443 -servername contractswise.com

That will return

CONNECTED(00000003)
depth=2 C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root
verify return:1
depth=1 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = CloudFlare Inc ECC CA-2
verify return:1
depth=0 C = US, ST = CA, L = San Francisco, O = "CloudFlare, Inc.", CN = contractswise.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=contractswise.com
   i:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
 1 s:/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
   i:/C=IE/O=Baltimore/OU=CyberTrust/CN=Baltimore CyberTrust Root
---
Server certificate
subject=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=contractswise.com
issuer=/C=US/ST=CA/L=San Francisco/O=CloudFlare, Inc./CN=CloudFlare Inc ECC CA-2
---

which is the right certificate.

This is additionally confirmed by the link I posted earlier, https://www.sslshopper.com/ssl-checker.html#hostname=www.contractswise.com, as well as by simply opening the site in the browser.

Ask them to elaborate why all of that works and only their service does not.

@sandro Thanks for the help, I will badger them tomorrow and see if I get anywhere.

Cheers,

Mo