I use a SSL certificate for our domain.
The New Certificate is valid until 15th November.
On some Computers (same Browsers) the Certificate is expired.
After cleaning the cache and restarting the browser, the domain is working as expected.
My Problem: Not every customer knows to clean the cache, so i need a solution on the server side.
For my Computer i already tried cleaning the cache - works!
you should clear SSL cache from the browser programmatically for that domain. So you wouldn't need to do it manually.
Related
We have a website with SSL configured. 2 days back SSL certificate was expired so I purchased a new instead of renewing. I have configured the new one. Now some of users are still getting SSL certificate expired issue although the new one is configured.
I want to force the browser to recheck the new SSL certificate using some server side configuration since we can not go and update each user browser certificate manually. It have to be done using some server side configuration. We are using Nginx.
This is really critical to us.
Please help in this regard.
Thanks!
The certificate is validated by the client only when the server sends one. The server sends one with each full TLS handshake. The browser does not somehow cache an old certificate and ignore the one sent by the server when validating.
It is more likely that you've not fully rolled out the new certificate on the server side. For example if you have multiple servers make sure that all have the new certificate. If your server provides access for IPv4 and IPv6 make sure that in both cases the proper certificate is served. If you provide service on multiple ports make sure that they all use the new certificate.
It's also possible your affected users are behind a proxy that caches certificates. For example if they're behind a Smoothwall proxy that generates its own certificates after inspecting HTTPS traffic and caches them.
Either way, if you've updated the certificates on your server and restarted the necessary services, it's probably nothing you have control over and will most likely resolve itself in time.
I have a digitalocean One-Click Ubuntu Wordpress Droplet with a NameCheap domain.
I've never done anything with SSL before so I followed a tutorial (https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04). Once I made it to the end with no issues, I realized that it was a self-signed certificate and didn't remove the warning that browsers were giving and that I had to purchase one from a provider. Since my domain is through NameCheap, I went through them (Comodo?) and followed their linked tutorial for the setup (https://brettdewoody.com/how-to-setup-ssl-certs-with-digitalocean-and-comodo/).
I made it through that and browsers were bringing up an error saying that it was a self-signed certificate and it could be a problem. I went back through both tutorials and checked my stuff and tried to remove what I could of the original part. After blindly finagling things for a few hours, my site receives an A+ from this ssl checker (https://www.ssllabs.com/ssltest/analyze.html?d=vc2online.com) but browsers refuse to connect to the site (vc2online.com).
I don't even know where I need to start to get this to working properly.
Currently your issue is that you have 301 redirect from vc2online.com to www.vc2online.com but unfortunately your ssl certificate is only for vc2online.com, not www.vc2online.com.
You enabled HSTS so going backward won't be easy.
The quickest way to solve it is by using let's encrypt instead the comodo certificate.
You can use certbot to fully automate the process. You will find out it is much easier (and cheaper) than comodo paid certificate
P.S. I think this question should be asked in super user / server fault.
I setted up let's encrypt on a virtual machine. A dyndns domain points to this vm and it works all great. I can access the site by calling the dyndns domain and use ssl.
I have no experience with setting up ssl at all. Do I need to backup something? What if the vm is getting lost and I will setup a new vm and a new let's encrypt ssl certificate, which should work identically. Can I just rerun the let's encrypt wizard on the vm and get a new certificate or will I end up in an error, like their has been already a certificate been published and I need to restore the old certificate?
Yes, you can rerun the letsencrypt wizard and it will give you your certificate again, for as long as you control the domain. Remember that there are rate limits though and you can't just request over and over again.
My ssl certificate has expired and I have created a new one using Startssl. I have followed the steps for Nginx server that I have found in the FAQs from Startssl but, although the paths to the certificate and the key are correct, when I try to load the website with any browser it always gets the old certificate instead of the new one. Do anyone knows what can be happening?
Thanks!
March 22th UPDATE:
I have found something of what is happening: we have 2 web servers in AWS and a Load balancer. I have seen the load balancer has also the ssl certificate and I guess I have to update it too. I have done it and now the new certificate is in usage. But I still see an error: the server cannot check my domain because my certificate comes from one of my subdomains. When I created the certificate in StartSSL there was an step that asks me for a subdomain. It said the certificate will be for the domain and subdomain, but now I'm getting this message. Any idea?
I have found the answer:
When StartSSL asked for a subdomain when I was following the steps to get the new certificate, I was indicating one of my real subdomains. If I set as subdomain "www" everything works. So I wanted to share my experience with everyone hoping it helps:
First: when you are asked for a subdomain in StartSSL, set it as "www".
Second: If you are using AWS and you have a load balancer, don't forget to update the SSL certificate in the load balancer, using the AWS NETWORK & SECURITY -> Load balancers option (Listeners tab).
Hope it helps.
Thanks for reading and trying to help me.
I have SSL working fine in production but have some issues locally.
When I run the site it opens 2 tabs, one http:// and one https://
I want to just use the http:// tab locally for testing. When I go to a page that requires https I get the error:
Unable to make a secure connection to the server. This may be a
problem with the server or it may be requiring a client authentication
certificate that you don't have
I have added the certificate to:
Persona/Certificates
Trusted Root Certification Authorities/Certificates
Intermediate Certification Authorities/Certificates
Everything works fine locally when I use the https:// tab.
Do I need to add the certificate somewhere else too?
Using SSL certs locally is always a challenge. When the website opens, it's likely using the loopback IP (127.0.0.1) which will always (rare exceptions, perhaps, that I can't think of) give a certificate error, because the cert is bound to a domain name, not an IP. Ideally you'd probably want to not use your websites real SSL cert locally anyway for security reasons.
You can use a self signed cert for localhost, which should work:
http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/32bc5a61-1f7b-4545-a514-a11652f11200
Also, I just blogged a code snippet we've used before -- in short, it just avoids using SSL for local connections and otherwise lets you define which pages/folders should otherwise be SSL protected...
http://www.structuretoobig.com/post/2013/02/19/Skipping-SSL-Connections-Locally.aspx