Santander want to use our website, however when trying to access it they receive the following error:
'Network Error: Your request contacted a host which presented a certificate signed by an untrusted issuer.'
This appears on a page in red text with their logo, so it's a custom message they're throwing when verifying our site is safe to use. Their technical team have responded to say that it's due to an expired cert on our site, namely DST Root CA X3, which I believe is a legacy certificate used by LetsEncrypt (who we use for our certs). This is the Certification Paths output from ssllabs.com for our site's cert:
From what I've read, I believe this shouldn't cause a problem unless they're using extremely old web browsers, because any modern browser should use 'Path #1'?
Separately they've also said that there's an 'alternative names' mismatch issue too, which when put through ssllabs shows the following. It is listed as 'Certificate #2' and belongs to Fastly, so it makes sense that their alternative names won't include our domain.
My understanding for this is that it shouldn't cause a problem unless they are somehow trying to get to our site without SNI enabled?
The exact same two issues can also be found by analyzing the Stanford University website: https://www.ssllabs.com/ssltest/analyze.html?d=www.stanford.edu&s=151.101.2.133&latest
My primary questions are:
- Could either of these two 'issues' be causing their problem? And if so, what are my possible solutions?
- What questions should I be asking them to further understand the problem they're having?
- Where does ssllabs get the 2nd certificate from?
My SSL knowledge is limited, so please be kind.