I have a site running with an SSL certificate from Comodo/InstantSSL which should have 99% compatibility.
In my testing everything seems to work fine, however I've had some users send me screenshots of browser warnings about the security of my site:
Security warnings have been seen on IE 11 and Chrome 52 so the certificate should be valid.
The site is https://sololet.com
Can anyone tell me how I can debug this situation and find the problem, as, like I said, it works fine for me on iPhone, iPad, and Safari on Mac.
Thanks
I had such an issue with mobile clients (also a Comodo certificate).
For (at least) Android clients you need to use a full-chain certificate that includes your root and intermediate certificates besides your domain certificate. This is also the result of an SSL site check at https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=sololet.com
You should have received both files from Comodo or your respective reseller.
Combine all 3 files into one and use that file as the certificate in your vhost configuration.
Combine like:
YOUR-CERT
ROOT-CERT
INTERMEDIATE-CERT
That solved our issue.
First of all, my thanks to this community for helping me solve many, many issues over the years. In fact, I have never needed to post a new question - I was always able to find an answer (eventually).
Not so this time. I am a moderately experienced hobby developer, self-hosting a small set of sites on my Mac Mini (Apache 2.4, PHP 8.0, MySQL 5.6). I built a reasonably complex site (www.fundas.us/manhattanzen) and everything was working perfectly.
I then decided to add SSL encryption to my server (certificate purchased from ssl.com) and installed it with no issues. Checking the SSL configuration via "SSL Checker" and Whynopadlock.com confirms that the certificate is properly installed. The only "warning" I get is that I only have TLSv1 enabled on the server. This despite the fact that my httpd-ssl.conf file says "SSLProtocol -all SSLv3". I mention this in case it is the cause of my troubles.
The issue I am experiencing is that the SSL encrypted site works perfectly using Firefox and Chrome on the Mac Mini (Mojave), but fails using Safari on the same Mac and fails using any of the browsers on my iPad or iPhone. Safari's web console shows "Failed to load resource: The network connection was lost." and the server log shows "child pid XXXXX exit signal Segmentation fault (11)".
The resources that fail to load are some (but not all) of the css and js resources that reside on the local (Mac Mini) server. All other resources (residing on external servers) load fine.
I have tried a number of suggestions found on Stack Overflow, including
changing file permissions to 777 on the offending resources (js, css files)
setting KeepAlive to Off in httpd-default.conf
minifying offending resource files
increasing SSLSessionCache in httpd-ssl.conf
None of it has made any difference. I should also point out that I have configured .htaccess in the root folder of my site to force all incoming connections to https://
This seems like the last hurdle to make this website fully encrypted and fully functional and I am thoroughly stuck. I will appreciate any pointers you have for me. Many thanks.
Was able to figure this out and wanted to answer my own question, in case it helps anybody else.
First, the strange test results from SSL validation sites that my server was not TLSv1.2 ready. I fixed this by changing the SSLProtocol line in httpd-ssl.conf to explicitly only permit TLSv1.2 ("SSLProtocol all -SSLv3" --> "SSLProtocol TLSv1.2")
Second, the odd behavior of Safari (on both desktop and mobile) occasionally hanging unable to load a page (while other browsers had no issues). I found the solution to this at https://serverfault.com/questions/937253/https-doesnt-work-with-safari. Making the recommended change to httpd-ssl.conf and adding the line "Header unset Upgrade" solved the Safari issue.
I'm hoping for some help with troubleshooting a frequently received error on my computer. I often try to navigate to very common websites such as https://illinoiscomptroller.gov. This is fine on my work computer, I receive no error. On my laptop at home, I get the NET::ERR_CERT_REVOKED error.
I'm not really all that experienced in troubleshooting these types of errors, but I have been getting this message for so long and would really appreciate some help resolving this issue. Every time I google for an answer, most sources suggest there is really an invalid cert, but I know this isn't true. Other answers point to an incorrectly installed cert, but again, I know this isn't the case.
I think the issue lies somewhere in my configuration on my machine. I don't have any fancy firewall set up. What I have noticed is if I click on the "Not Secure" message in the URL part of the Chrome browser, it tells me the cert was revoked by one source.
On my work computer, for the same website it says it has a valid SSL cert through DigiCert. I looked at my Internet Options SSL Cert providers and DigiCert is on there? Any ideas what I can do to figure this out?
I have had several hundred visitors and there have been two or three who have reported getting the "This website is insecure" warnings. The latest reported the same result in both the latest version of Firefox (57) and IE. I've tested on several browsers and OSes, including the same config (Win7 and FF57) as the last report I have, and didn't see the issue. The only thing I can figure is the user's computer perhaps has malware that has overwritten their root certs. Does that make sense? Any other possibilities here?
Recently, I ordered an SSL certificate for my website. Prior to that, everything worked fine for me, the website was fast and I had no issue. Since the certificate has been installed by OVH... Well... Things changed... The issue is that not everybody has the same behaviour as me. When I go to "https://www.areaprog.com/" with different browsers, here is what I get:
Chrome:
"Your connection is not private
Attackers might be trying to steal your information from
www.areaprog.com (for example, passwords, messages or credit cards).
NET::ERR_CERT_COMMON_NAME_INVALID"
Firefox:
"This connection is untrusted
You have asked Firefox to connect securely to www.areaprog.com, but we
can't confirm that your connection is secure.
Technical details:
www.areaprog.com uses an invalid security certificate.
The certificate is only valid for ssl2.ovh.net
(Error code: ssl_error_bad_cert_domain)"
Internet explorer:
"The security certificate presented by this website was issued for a
different website's address.
Security certificate problems may indicate an attempt to fool you or
intercept any data you send to the server."
I asked OVH and everything is fine for them and apparently, it is also the case for other people out there (I asked around to see if I was the only one), but other people also experience the same issue...
Moreover, Firebug keeps on saying:
"This site makes use of a SHA-1 Certificate; it's recommended you use
certificates with signature algorithms that use hash functions
stronger than SHA-1"
Besides, for people who are experiencing this issue, well, the site is extremely slow. For me, a simple page takes more than 20 seconds to load...
Do some of you have the same issue as me, and does someone have an idea of what to say to OVH, who keeps telling me that everything is OK?
Thanks a lot
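The name check behind the three browser errors quoted above, as an added example that is not part of the original post: it compares the DNS names in a certificate against the requested host. The function names are hypothetical, the wildcard rule is a simplified RFC 6125 match, and `SAMPLE` is a constructed certificate dict modelled on the Firefox message ("only valid for ssl2.ovh.net").

```python
import socket
import ssl

def fetch_cert(host, port=443, timeout=10):
    """Return the server's leaf certificate as a dict. The chain is still
    validated; only the hostname check is skipped so a mismatched
    certificate can be inspected instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def dns_names(cert):
    """DNS names the certificate covers: SAN entries, else the subject CN
    (legacy fallback; current browsers look at SAN only)."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """A wildcard is accepted only as the entire left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host):
    """Return "ok" or a message listing what the certificate does cover."""
    names = dns_names(cert)
    if any(name_matches(n, host) for n in names):
        return "ok"
    return "name mismatch: certificate covers " + ", ".join(names)

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE = {
    "subject": ((("commonName", "ssl2.ovh.net"),),),
    "subjectAltName": (("DNS", "ssl2.ovh.net"),),
}

if __name__ == "__main__":
    print(diagnose(SAMPLE, "www.areaprog.com"))
```

Against a live server, `diagnose(fetch_cert(host), host)` gives the same report; a chain the client cannot build raises `ssl.SSLCertVerificationError` from `fetch_cert` before any name is compared.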
I have started looking into testing our site with BrowserStack.
However, I'm having issues with live-testing (as opposed to automated testing with Selenium, which mostly works fine) a site we're developing as we're serving it with a self-signed certificate.
Manually approving the certificate doesn't bother me as much as the fact that some Ajax requests are failing (at least on IE10) due to security issues and this makes it impossible to actually manually test the site.
An acceptable solution would be to somehow add our self-signed cert. into the list of trusted root CAs. However, I haven't found out how to upload files into the BrowserStack test environment (not sure if that's even possible, really).
Any ideas?
I contacted BrowserStack about this issue, and their formal response is:
"We currently do not support installing client certificates on the remote machines. However, this is on our list, and we’ll keep you posted."
Hopefully this issue will be resolved soon and I'll post a different answer here.
April 2021 update:
BrowserStack has shipped a toggle to trust self-signed certs.
It is available on iOS and Android devices for now.
When it happens, open the "Network" tab, and open in a new tab the request which is failing. If it is "just" a certificate issue, you would then be able to bypass the warning. Then, your request should work correctly.
When the "Cannot Verify Server Identity" dialogue pops up, click details, then 'Trust'. This will work if all calls are to the same domain as the website.