Question: Inconsistent server configuration

Discussion in 'other software & services' started by FanJ, Aug 23, 2023.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,921
    I have a question about a Dutch website:
    https://www.denhaagcentraal.net

    But first of all:
    - no, it is not my site;
    - no, it is not the site of the railway station Den Haag Centraal Station (Central Station in The Hague);
    - it is the site of a newspaper in The Hague called "Den Haag Centraal".

    Very recently when I tried to go there, I got a warning. Here it is from FF:
    "Warning: Potential Security Risk Ahead
    Firefox detected a potential security threat and did not continue to www.denhaagcentraal.net."

    I decided to check the site at two sites:

    1. sslshopper
    https://www.sslshopper.com/ssl-checker.html#hostname=https://www.denhaagcentraal.net

    As far as I could tell, no problem was found.

    2. SSL Labs
    https://www.ssllabs.com/ssltest/analyze.html?d=www.denhaagcentraal.net

    As far as I can tell, the site checks both the IPv4 number and the IPv6 number.
    There we are seeing the difference and probably the problem.

    2-a.
    31.7.2.49
    server3.dpi.cloud.shockmedia.nl
    Ready
    Grade B

    2-b.
    2a03:9700:8000:0:0:0:2:49
    server3.dpi.cloud.shockmedia.nl
    Certificate not valid for domain name

    And a clear message:
    Warning: Inconsistent server configuration

    You could then ignore the cert. mismatch and check again.
    For the IPv4 number you get the same, for the IPv6 number you get then:
    2a03:9700:8000:0:0:0:2:49
    server3.dpi.cloud.shockmedia.nl
    Ready
    Grade T

    And again the same warning about Inconsistent server configuration.

    ==========

    Could some of you please tell me more?
    And what does Grade T mean at SSL Labs?
    Thanks in advance.
     
  2. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    As far as I can tell the issue is that the certificate is valid but it does not belong to the domain.

    So the website "https://www.denhaagcentraal.net" is configured with an SSL certificate that is meant for a different domain, "server3.dpi.cloud.shockmedia.nl".

    Bad actors do this to impersonate a legitimate website. Or it could just be an honest mistake by the website's owner.

    Firefox's security policies are preventing you from visiting the site for your protection. If you trust the website, you can override and visit (recommended for advanced users only).
     
  3. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,921
    Thank you @Raza0007 :thumb:

    Somehow I was thinking the same but really was not sure. And you worded it some hundred times better than I could! Thanks Raza!

    I don't know why sslshopper didn't discover it while SSL Labs did it in some way.
    I'm still not sure what that "Grade T" means in SSL Labs.
     
  4. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    This is what they say about Grade T according to an SSL Labs blog post here: https://blog.qualys.com/product-tec...-new-grades-for-trust-t-and-mismatch-m-issues


    sslshopper is displaying an incorrect assessment. It says "The hostname (https://www.denhaagcentraal.net) is correctly listed in the certificate". Which is not true.

    If you open the website in Firefox, on the warning page, click advanced and at the bottom you can view the certificate. The name on the certificate is clearly "server3.dpi.cloud.shockmedia.nl" and not "https://www.denhaagcentraal.net".

    So both Firefox and SSL Labs are correct. sslshopper is incorrect.

    Hope this helps.
     
  5. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,921
    Thanks again Raza :thumb:
    It did help! Thank you for the explanation!! :thumb:
     
  6. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    260
    @FanJ
    This certificate is absolutely correct and correct, it is issued by COMODO under the issuer name Let's Encrypt and it is issued only on a domain basis. I checked, it is a completely correct and valid certificate. And the domain has also been verified and the certificate has been issued just and only for this domain.
    PS. But as for Firefox, all kinds of weird things can happen with it, but since version 108 it can still be used in certain cases. But not everywhere.
     
  7. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    The certificate is valid, but it is not issued for www.denhaagcentraal.net, it is for a different domain server3.dpi.cloud.shockmedia.nl

    Here is the top part of the certificate with the domain's name

    [IMG]

    And it is not just a Firefox issue, MS Edge gives a similar warning. I am assuming Chrome does too, but I do not have it on my system to test.


  8. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    260
    @Raza0007
    I try with any browser, I don't get any error message and also I don't get such certificate data.
    I have no idea how you get them. The only thing you can think of is that you have old or non-compliant certificates that have not been removed. Do you usually do it and how? And how are you connected to the internet - directly or through some dubious VPN?
    What you are referring to is the Plesk admin panel domain, which is really on another server, hosted by another server, it means, they are using it as service.
    I also use Plesk myself, so I more or less know what it is. And I have also been dealing with certificates all the time, for at least the last 10 years.
     
  9. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    @kaljukass,

    I am on the latest Firefox 116.0.3 and MS Edge should be latest as well. I am not on VPN, just a direct connection from my ISP. I have never messed with certificates, web browsers are supposed to do this job on their own in the background.

    Are you telling me that when you visit https://www.denhaagcentraal.net, you do not get an error message?...... That is strange. I will investigate it further, as this error should be the same for everyone.
     
  10. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    @kaljukass

    I just tested it with a VPN, while connecting from Canada. The website works fine and it has a correct certificate.


    The website is not working if you connect from US, on direct ISP connection for some reason.

    I will investigate further......
     


  11. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    260
    @Raza0007
    Thank you, so I thought there must be something else causing this problem. Now it's all clear, I think.
    I really have no problem and I even decided to follow this site for a while, although I have nothing to do with Germany, but just out of interest. Yes, and apparently I don't have these problems because I'm not in the US either, I'm in an EU country, not far from Germany.

    It was great working with you to resolve this issue, thanks again.
     
  12. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    I believe I found the issue.

    The website's IPv4 address is configured with a correct certificate. While its IPv6 address is mis-configured with an incorrect certificate. So depending on whether you are connecting through IPv4 or IPv6, you will get different results.

    My direct connection through ISP is on IPv6, but my VPN is still on IPv4, this is why I connected with VPN. In fact, I have verified it by connecting to the website using the same VPN through a US-based location, and this time it connects without any issue.

    SSL Labs test on the website agrees with my findings.
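
The per-address check behind this diagnosis, as an added example that is not part of the original post: it handshakes with every A and AAAA address of a hostname, sending the hostname as SNI, and compares the names in each certificate. All function names are hypothetical, and the sample data is constructed from the addresses and names quoted in the thread (the IPv4 SAN list is an assumption).

```python
import socket
import ssl

def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' may stand for the whole leftmost label only."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[1:] == h[1:] and p[0] in ("*", h[0])

def cert_names(ip, host, port=443, timeout=5):
    """Handshake with one address, sending `host` as SNI; return the cert's DNS SANs."""
    ctx = ssl.create_default_context()   # the chain is still validated
    ctx.check_hostname = False           # the name comparison is done in verdicts()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def probe(host, port=443):
    """Map every A and AAAA address of `host` to its SAN list, or to an error string."""
    seen = {}
    for info in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        ip = info[4][0]
        if ip in seen:
            continue
        try:
            seen[ip] = cert_names(ip, host, port)
        except (OSError, ssl.SSLError) as exc:   # no IPv6 route, untrusted chain, ...
            seen[ip] = f"error: {exc}"
    return seen

def verdicts(host, names_by_ip):
    """Per-address verdict; a mix of verdicts means an inconsistent configuration."""
    out = {}
    for ip, names in names_by_ip.items():
        if isinstance(names, str):
            out[ip] = "error"
        else:
            out[ip] = "match" if any(name_matches(n, host) for n in names) else "mismatch"
    return out, len(set(out.values())) > 1

# Constructed sample mirroring the thread; the IPv4 SAN list is assumed.
SAMPLE = {
    "31.7.2.49": ["denhaagcentraal.net", "www.denhaagcentraal.net"],
    "2a03:9700:8000:0:0:0:2:49": ["server3.dpi.cloud.shockmedia.nl"],
}

if __name__ == "__main__":
    print(verdicts("www.denhaagcentraal.net", SAMPLE))
    # Live check from a dual-stack machine: verdicts(host, probe(host))
```

On an IPv4-only connection the AAAA address shows up as "error" rather than "mismatch", which is why a single-stack client never sees the bad certificate.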


  13. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    260
    @Raza0007 Thanks for this information too. Here is another reason why I didn't see this problem - I only have IPv4 at the moment.

    *** Too bad there is no "Thanks" or "Like" button on this forum.
     
  14. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    6,294
    exactly this as explained.
    the server was not configured to act as "denhaagcentraal.net". admin failure.
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,921
    Thank you all for your posts! :thumb:

    I think the problem was fixed (but if you could check please ...).

    No more problem to go to that site.

    And SSL Labs no longer shows the problem:
    https://www.ssllabs.com/ssltest/analyze.html?d=www.denhaagcentraal.net

    31.7.2.49
    server3.dpi.cloud.shockmedia.nl
    Ready
    Grade B

    2a03:9700:8000:0:0:0:2:49
    server3.dpi.cloud.shockmedia.nl
    Ready
    Grade B

    ==========

    PS-1
    I called them today, but the person I talked to ... I better shut my mouth now.

    PS-2
    @kaljukass
    It was The Netherlands, not Germany.
    In my first post I wrote "Dutch website". "Dutch" means The Netherlands.
    But of course I do understand the misunderstanding. You are not the first person about it.

    Thank you all again!
     
  16. kaljukass

    kaljukass Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    260
    OK, but if it was/is the Netherlands, I'm not at all surprised that you don't want to talk to anyone for a long time now and prefer to keep your mouth shut.
    Good luck to You, at least now You know why you got this message.
     
  17. Raza0007

    Raza0007 Registered Member

    Joined:
    Mar 30, 2009
    Posts:
    1,847
    Location:
    USA
    Yes the issue is fixed at my end.

    So you called them and they fixed it this quickly! I am actually amazed! Usually you have to wait at least 24-48 hrs for a turnaround in such cases.


    Is this some European joke that I am missing here, or are they really this rude!
     
  18. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    4,921
    Thanks Raza!

    Or they were already noticed ;)

    It was certainly not a joke by me, also not meant rude.
    I have no idea why kaljukass posted that ...

    Anyways, all is said now. Issue fixed. IMHO good learning thread.
    But now it is time to close this thread.
    Thank you all!
     
  19. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    27,167
    Location:
    UK
    Thread closed now thanks to all who participated.
     