Subdomains, CNAMES and certificates, oh my…

Kal (Verified User) · Joined Nov 18, 2019 · Messages 135 · Location Australia
Got a curious one… My wholesale domain registrar requires that I have a subdomain pointed at their server with a CNAME record. It looks like this:
Code:
domains    3600    IN    CNAME    interface.synergywholesale.com.

Simple. The only problem is, when you visit the subdomain, you get an SSL/TLS warning about an expired Let's Encrypt certificate. The registrar assures me the certificate at their end is valid. So they're saying there must be an old certificate on my server.

First question: How do I find and remove this old certificate, assuming it exists? I switched to a wildcard certificate some weeks ago, and it's working fine for every other subdomain—this is the only one that isn't working.

Second question: Why are the certificates on my server even relevant? My DNS points the subdomain directly to the registrar's server via the CNAME record. The DNS query is in plaintext (right?), then the resolver goes elsewhere.
 
The only certificate in play here is the one on the server that's doing the SSL handshake, which in this example would be the server with the IP address of interface.synergywholesale.com, not your server. Unless you have access to their server, you can't really "find" it anywhere except in your client connection. Maybe some output from curl and/or openssl will convince them they need to fix something. :)
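The curl/openssl check kristian mentions, written out as an added example (not code from the thread or the registrar): connect the way a browser does, let the resolver follow the CNAME, send the subdomain as SNI, and inspect the leaf the CNAME target actually serves. The openssl output below is a constructed sample for an expired leaf, not captured from the real server, and `domains.example.com` is a placeholder for the poster's subdomain.

```python
import re
import subprocess
from datetime import datetime, timezone

# Constructed sample of `openssl x509 -noout -subject -dates -ext subjectAltName` output.
SAMPLE_X509_TEXT = """\
subject=CN = interface.synergywholesale.com
notBefore=Jan  1 00:00:00 2020 GMT
notAfter=Mar 31 23:59:59 2020 GMT
X509v3 Subject Alternative Name:
    DNS:interface.synergywholesale.com, DNS:*.synergywholesale.com
"""
AS_OF = datetime(2021, 1, 1, tzinfo=timezone.utc)  # "now" for the offline demo


def parse_x509_text(text):
    """Pull the validity window and DNS SANs out of openssl's x509 text output."""
    def when(label):  # openssl prints e.g. "Mar 31 23:59:59 2020 GMT"
        raw = re.search(rf"^{label}=(.+) GMT$", text, re.M).group(1)
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return {"not_before": when("notBefore"), "not_after": when("notAfter"),
            "sans": re.findall(r"DNS:([^,\s]+)", text)}


def name_matches(hostname, sans):
    """Exact SAN match, or a single-label wildcard in the leftmost position."""
    host = hostname.lower().rstrip(".")
    for san in (s.lower() for s in sans):
        if san == host or (san.startswith("*.") and "." in host
                           and host.split(".", 1)[1] == san[2:]):
            return True
    return False


def diagnose(x509_text, hostname, now=None):
    """Reasons a browser would warn when visiting `hostname`; empty list means fine."""
    now, cert, problems = now or datetime.now(timezone.utc), parse_x509_text(x509_text), []
    if now > cert["not_after"]:
        problems.append("expired " + cert["not_after"].strftime("%Y-%m-%d"))
    if not name_matches(hostname, cert["sans"]):
        problems.append("no SAN covers " + hostname)
    return problems


def fetch_served_cert_text(hostname, port=443):
    """Resolver follows the CNAME, SNI = subdomain: the leaf returned is the target's, not yours."""
    s_client = subprocess.run(["openssl", "s_client", "-connect", f"{hostname}:{port}",
                               "-servername", hostname], input=b"", capture_output=True, timeout=15)
    x509 = subprocess.run(["openssl", "x509", "-noout", "-subject", "-dates", "-ext", "subjectAltName"],
                          input=s_client.stdout, capture_output=True, check=True)
    return x509.stdout.decode()
```

Offline, `diagnose(SAMPLE_X509_TEXT, "domains.example.com", AS_OF)` reports both the expiry and the missing SAN; live, `diagnose(fetch_served_cert_text("domains.example.com"), "domains.example.com")` gives the registrar the exact leaf their host handed your client.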
 
kristian said:
The only certificate in play here is the one on the server that's doing the SSL handshake, which in this example would be the server with the IP address of interface.synergywholesale.com, not your server.

Thanks @kristian, that's what I thought.

Seems fine now.

Well lo and behold… I wake up this morning and all is indeed fine! Amazing what a good sleep will accomplish sometimes.

Maybe ask them. Who owns the server at the above FQDN?

My wholesale domain registrar owns it, and I certainly did ask them. The first support person suspected my DNS changes hadn't yet propagated. (They had.) The second one suspected an expired certificate on my server. (I couldn't find one.) The third one suggested it could be a conflicting DNS record for the domains subdomain. (There wasn't one.) Then the second guy replied again, coming to the same conclusion he did the first time, that it was an expired certificate on my server. 😕 Oh well. Main thing is, it's working now. 😊 Thanks guys.