Certificate is not working only on Safari Desktop


#1

Here are my apache settings :

SSLCertificateFile /etc/letsencrypt/live/www.a-cp.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.a-cp.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.a-cp.fr/fullchain.pem
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

If I use Firefox, Chrome, or Safari on iPhone, the site is accessible.
If I use Safari Desktop on a PC or a Mac, I get the error message “Safari can’t establish a secure connection to the server”

Can anyone tell me if I have to add something on the server to make it work? It seems that issues have been faced for mobile which is not my case.

Thanks


#2

What version of apache are you using ?

For version 2.4.7 and earlier it should use chain.pem not fullchain.pem

SSLCertificateFile /etc/letsencrypt/live/www.a-cp.fr/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.a-cp.fr/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.a-cp.fr/chain.pem

For 2.4.8 and later it should use the fullchain in SSLCertificateFile

SSLCertificateFile /etc/letsencrypt/live/www.a-cp.fr/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/www.a-cp.fr/privkey.pem


#3

My apache version is 2.4.6, so I updated as you said and it is still not working, any other idea? Any tool that I can test to identify the issue. I tried https://www.ssllabs.com/ but I’m not sure of what has to be fixed or not and how :confused:


#4

It looks as if you do not have the correct protocols for Safari in your config. Have a look at https://mozilla.github.io/server-side-tls/ssl-config-generator/ and set the things you want, it should give you a reasonable config in terms of ciphers etc.


#5

Not all the parameters are accepted even if I selected the right version of apache and openssl :frowning:, mostly these:

SSLUseStapling          on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

After looking more carefully, I noticed that my vhost configuration was setting this line SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 (I’m using Virtualmin) so I think it was defined by default. I removed it and let the default global configuration in the ssl.conf file from apache and it worked! :slight_smile:

Thanks for your help.
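
Added example, not part of the original posts: a small Python check that evaluates an `SSLProtocol` line the way mod_ssl does (left to right, `+`/`-` modify, a bare name replaces) and flags a `SSLCertificateChainFile` pointing at fullchain.pem, as raised in post #2. The expansion of `all` is an assumption (OpenSSL 1.0.1+ build without TLSv1.3); `effective_protocols`, `audit` and the sample text are names constructed for this example.

```python
import re

# Assumption: what `all` expands to on this build (mod_ssl with OpenSSL 1.0.1+,
# before TLSv1.3 support). Adjust to match your server.
ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")

def effective_protocols(args, all_set=ALL):
    """Evaluate SSLProtocol arguments left to right."""
    enabled = set()
    for tok in args.split():
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-")
        members = set(all_set) if name.lower() == "all" else {name}
        if sign == "-":
            enabled -= members
        elif sign == "+":
            enabled |= members
        else:  # a bare name replaces whatever was enabled before it
            enabled = members
    return sorted(enabled)

def audit(conf_text, source="<conf>"):
    """Return findings for SSLProtocol and chain-file lines in one config file."""
    findings = []
    pattern = r"\s*(SSLProtocol|SSLCertificateChainFile)\s+(.+?)\s*$"
    for n, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(pattern, line, re.I)
        if not m:
            continue
        directive, value = m.group(1).lower(), m.group(2)
        if directive == "sslprotocol":
            findings.append(f"{source}:{n}: SSLProtocol enables {effective_protocols(value)}")
        elif value.endswith("fullchain.pem"):
            findings.append(f"{source}:{n}: chain file is fullchain.pem; post #2 says chain.pem here")
    return findings

# Constructed sample: the vhost lines quoted in post #1.
VHOST = """\
SSLCertificateFile /etc/letsencrypt/live/www.a-cp.fr/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/www.a-cp.fr/fullchain.pem
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
"""

if __name__ == "__main__":
    print("\n".join(audit(VHOST, "vhost.conf")))
```

Run it over both the vhost file and the global ssl.conf to see which line is narrowing the protocol set.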


#6

Which Safari version are you running? I run Safari on OS X and macOS and so far all have zero issues with any of the Let's Encrypt certs that I’ve installed on Linux CentOS, Ubuntu, AWS Linux, or even Windows. It’s also possible that Safari has something cached.

Safari 10.1 (beta) macOS Beta
Safari 10.0.3 macOS Sierra
Safari 10.0.3 OS X El Capitan

You can test against my blog that uses a LE SSL cert. https://www.trunkful.com


#7

Whoops, wrong minor version, the minor version in question is 2.4, not 2.2 :wink:


#8

well spotted - finger trouble - thanks :slight_smile: will edit.

