Certificate Valid, but Site "Not Secure"

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ampexperts.com

I ran this command: n/a

It produced this output: n/a

My web server is (include version): IIS 7.5

The operating system my web server runs on is (include version): Windows 7 Pro 64-bit

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 4.1.6.0

I just noticed today that when I access my site in Chrome, the URL bar says “not secure” and the https part of the URL has a black strike out through it.

It was working fine until recently.

The only unusual event that happened on this server was that I shut it down last month to boot Knoppix Linux from a CD ROM to do a speed test because I was getting slow upstream speed results in Windows. After that, I rebooted Windows and got an error to the effect that my dynamic DNS updater profile was corrupted. It was 0-bytes. I copied in a backup copy and everything seemed okay. However, I just realized, weeks later, that the site is “not secure”.

What would cause this?

1 Like

Hi @Basspig

Checking your site, there are three critical problems - https://check-your-website.server-daten.de/?q=ampexperts.com

First, you have mixed content -

link | stylesheet | http://fonts.googleapis.com/css?family=PT+Sans | 1 | http-link, change to https

Change that to https.

Second: You use only Tls.1.0, that's deprecated.

Browsers (Chrome, FF) will remove Tls.1.0 / 1.1 in 2020, so you should activate Tls.1.2.

Third, you are using old Cipher Suites with SHA1.

Easiest solution: There is a tool IISCrypto.

https://www.nartac.com/Products/IISCrypto/

Download that, then activate Tls.1.2 and check the Cipher Suites. May be enough, recheck your domain with the online tool.

A reboot is required.

2 Likes

Thanks for that comprehensive reply. The German site provides even more info than Pingdom, which is what I normally check the site with.

This is a lot for me to chew on. The https change is easy but the TLS stuff I’m not sure of. Could be a router. Linksys has not updated the firmware for the WRT3200ACM in over two years. I can’t find that info about SHA256 on their website.

I presume that many of these changes took place in the past month, as Chrome did not issue this “not secure” status last month.

On my to-do list is to build a new energy efficient web server based on Windows 10 instead of Win 7 which is the present decade old Dell system, which is also an energy hog. I want to get individual certs for all 8 of my web sites, so need Win 10 which supports SNI.

I’ll see if I can do the other two patches for the SHA256 if it works for now.

Will report back when I get some results…

2 Likes

First, activate Tls.1.2.

Maybe the SHA1 problem is gone, because newer cipher suites are used.

1 Like

I downloaded IISCrypto and had it choose "best practices" and apply and reboot. Also changed the links to the fonts at google to https.

Site now shows as secure in Chrome.

Thanks again for the help!

Soon I will build a new server and transition to Windows 10 and then I'll focus on nailing down each of the problems found on that test website.

2 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.