Sorry for being late to the party, although you guys figured it out faster than I would have anyway. This is indeed an odd and confusing issue. One thing that’s not in this thread is that our Smart Weather web app is hosted on Google Firebase. We primarily use Firebase for its cross-platform user management system, but we also take advantage of their website hosting for convenience/simplicity. Firebase does all the SSL cert provisioning for us, automagically (there is no other option), and they use Let’s Encrypt as their certificate authority.
Since Firebase does all of the SSL certificate provisioning, there’s nothing we can do as long as the site is hosted there. As @vreihen discovered, our domain is listed on the cert, but it’s just one of many “Subject Alternative Names” on there. One certificate, many domains. That’s part of the way SSL works, and it’s completely secure. It’s just unfortunate and concerning that some ISP’s “protection” systems seem to have trouble with it.
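As an added illustration (not code from the original thread or from the Smart Weather project), here is a small Python check of whether a hostname is covered by a certificate's Subject Alternative Names, contrasted with a filter that only looks at the first name on the certificate. The SAN list is constructed; apart from tempestwx.com, every name in it is made up.

```python
"""Is a hostname covered by a certificate's SAN list? (added example)

The SAN list below is constructed to resemble a shared-hosting certificate
that carries many tenants' domains; only tempestwx.com is a real name here.
"""
import re

SAMPLE_SAN_DNS_NAMES = [
    "hosting-tenant-one.example",            # hypothetical first entry
    "another-tenant.example",                # hypothetical
    "*.yet-another-tenant.example",          # hypothetical wildcard entry
    "tempestwx.com",
    "www.tempestwx.com",
]

# A single DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is honoured
    only as the whole leftmost label, matching exactly one label. So
    *.example.com covers a.example.com but not example.com or a.b.example.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False  # partial-label (tem*.com) or non-leftmost wildcards rejected
    host_first, _, host_rest = hostname.partition(".")
    return bool(_LABEL_RE.match(host_first)) and host_rest == rest


def covered_by_san(hostname: str, san_dns_names) -> bool:
    """True if any dNSName SAN entry covers hostname, wherever it sits in the list."""
    return any(_dns_name_matches(name, hostname) for name in san_dns_names)


def naive_first_name_only(hostname: str, san_dns_names) -> bool:
    """A filter that consults only the first name on the certificate, which is
    the kind of mistake a strict ISP/office filter would make on a shared cert."""
    return bool(san_dns_names) and _dns_name_matches(san_dns_names[0], hostname)


if __name__ == "__main__":
    for host in ("tempestwx.com", "app.yet-another-tenant.example", "evil.example"):
        print(host, covered_by_san(host, SAMPLE_SAN_DNS_NAMES),
              naive_first_name_only(host, SAMPLE_SAN_DNS_NAMES))
```

Running it shows tempestwx.com is covered by the SAN list but rejected by the first-name-only check, which is the behaviour the thread is describing.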
Thanks for the help everyone! @jwritz glad you’re back in action!
FWIW, if you have login access the magic incantation to force renewal is “certbot renew --force-renewal”, which I figured out today for my site. It’s not self-evident from the very cryptic+circular LetsEncrypt docs and ‘help’ forums, both of which assume you knew the answer already and neither of which help if you didn’t. Pretty frustrating to battle through.
Welcome to the 21st century! While you’re in the config files, make sure to disable SSLv2, SSLv3, TLSv1, TLSv1.1…and of course all of the weak ciphers.
A great tool for checking the security of an SSL server is Qualys SSL Labs:
Nuts - I got bit by this. The buried domain name in the certificate alt names for tempestwx.com makes it inaccessible at my office. They have very strict filtering rules and that apparently doesn’t meet muster. I inspected the cert and there are a plethora of domain names. But, I’m getting that service for basically free, so I’m ok with the cost saving steps they take to help keep it free.
Using Google Firebase also makes it very scalable.
Is your work firewall blocking certificates issued by Let’s Encrypt because they are free and scammers frequently use them? That is the more likely explanation, since the use of “SAN” certificates is common in the 21st century on web hosts sharing an IP address…