Server has wrong security certificate attached

Hi, I have a domain name registered with Route53 (say it's X.com). The hosted zone has CNAME records for my SSL certificate for the same domain from ACM. However, when I launch my Elastic Beanstalk instance (I have an A record pointing to my EB environment) and go to my domain name I initially get the following error:

Your connection is not private Attackers might be trying to steal your information from X.com (for example, passwords, messages or credit cards). Learn more NET::ERR_CERT_COMMON_NAME_INVALID This server could not prove that it is X.com; its security certificate is from *.Y.com. This may be caused by a misconfiguration or an attacker intercepting your connection.

After a few mins I can reload the page and everything is fine. Is this to do with delays in propagating the certificate? Or is something else going on?

Thanks

1 Answer

Hi,

I am assuming you see the NET::ERR_CERT_COMMON_NAME_INVALID error from a web browser such as Google Chrome. I believe this error usually means that the browser sees the domain in the subject (or SAN list) of the cert as not a match for the domain in the browser's address bar.

I suggest comparing the domain in your browser address bar (ex: www.X.com) with the subject (or SAN list) of the cert. Specifically, use the browser to view the cert in case the browser is for some reason not seeing the cert you expect. Usually you can click the padlock in a browser address bar and drill in to see the details of the certificate.

For example, maybe your browser is encountering a local proxy server with a non-matching certificate instead of reaching your ElasticBeanstalk instance that is otherwise configured correctly with your certificate. Or, maybe the CNAME you are using with your browser does not match the subject on the cert you provisioned through ACM (ex: CNAME is "www.X.com" but cert is for "X.com").

You can also try using a tool such as "curl -v https://www.X.com" to access your ElasticBeanstalk instance and see if it gives you more information about the connection security, etc. Although note that a command like curl may do something different than your browser, such as not abide by Windows proxy settings (and therefore work whereas your browser still fails).

I am not certain, but it may also be that if your web site loads resources (i.e., contains HTTPS links to other sites) and one of those links produces this error condition then the browser will report the error you see even if your address bar domain and certificate subject match? Just bringing up another possible explanation.

Regards,

Ryan

Ryan_M
answered a year ago
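
The subject/SAN comparison suggested in the answer above can be scripted. This is an added example, not part of the original answer: the function names are hypothetical, the sample data is constructed from the page's placeholder names, and the wildcard rule is a simplified form of RFC 6125 matching.

```python
import socket
import ssl
import sys

def san_matches(hostname, pattern):
    """Simplified RFC 6125 match: '*' is valid only as the whole leftmost
    label and covers exactly one label (no public-suffix checks here)."""
    host = hostname.lower().rstrip(".").split(".")
    pat = pattern.lower().rstrip(".").split(".")
    if len(host) != len(pat):
        return False            # '*.Y.com' never covers 'Y.com' or 'a.b.Y.com'
    if pat[0] == "*":
        return len(pat) > 2 and host[1:] == pat[1:]
    return host == pat

def check_names(hostname, dns_names):
    """Return (ok, matching_entries) for hostname against a cert's DNS SANs."""
    hits = [n for n in dns_names if san_matches(hostname, n)]
    return bool(hits), hits

def presented_dns_names(hostname, port=443, timeout=5.0):
    """DNS SANs of the certificate the endpoint actually serves for hostname."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # diagnostic only; the chain is still verified
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

# Constructed cases using the page's placeholder names (no network needed).
SAMPLES = [
    ("X.com", ["*.Y.com"]),               # the mismatch from the question
    ("www.X.com", ["X.com"]),             # cert for apex only, browsing www
    ("www.X.com", ["X.com", "*.X.com"]),  # apex plus wildcard covers www
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # live check: python script.py <host>
        names = presented_dns_names(sys.argv[1])
        print(sys.argv[1], check_names(sys.argv[1], names), names)
    else:
        for host, names in SAMPLES:
            print(host, names, "->", check_names(host, names))
```

Like curl, the live check connects directly and ignores browser proxy settings, so its result can differ from what the browser sees.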
