Chrome 69.0.3497.81 reports Active content with certificate errors

Server
1

Even if this topic (Latest Ubuntu Chrome shows it insecure and inspect/security tells “Active content with certificate errors”) has been mentioned and closed earlier with repeated reminders to clear the browser state I am compelled to mention it again, and here is why.

I have a carefully crafted letsencrypt cert with server settings that shows all-green on the advanced Qualys report https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.tld and have adjusted my zone file to all needed options, the cipher-suite to match the requirements, and even cleansed my wp-theme from all URLs with “http” I’m still persistently getting this error (and as a result browser showing the site red-unsecure) on Chrome (but not on latest Chromium).

It is still probably a simple config on my side, but this eluding me I was wondering what other things I should check. Especially since advanced site scanners not seeing the reason and browser inspect not having a more verbose diagnostics on this it is annoying to hunt this one down.

Any insight is greatly appreciated.

2

What’s the URL of your website? What messages does Chrome give?

3

deployyour.app (work in progress) - top row says “! Not Secure” in red and inspect->security tells

Resources - active content with certificate errors

You have recently allowed content loaded with certificate errors (such as scripts or iframes) to run on this site.

I am suspecting the fancy wp module content has some minified js libraries which may still be unclean (e.g. a hidden iframe) but not been able to grep by now.

4

It’s probably because of https://canyoutag.com included in your main page:

<script src='https://canyoutag.com/?...' type='text/javascript'></script><meta name="referrer" content="always"/>

Which has an invalid certificate (valid for www.canyoutag.com but not canyoutag.com)

That script tag is included in your main page by your server (not by another javascript file).

image
image.png721×669 120 KB

You can see it in the “Non-secure origins” of the “security” tab of the chrome console.

5

Thanks - your info surely helped to fix the issue.

Observations:

  • my version of Chrome does not out-of-box show the non-secure origins (maybe I need to turn on a flag?) but once you know this as a possible issue, view-source helps in hunting the culprit down.
  • an accidentally network-enabled plugin not supporting wp-multi can cause cross-referring.
  • Purely relying on WP-Encrypt may not be the final word on using your excellent certbot on multi-tenant wp-setups.
  • There is room for a more end-to-end security scan to identify these types of issues including telling which wp-plugin or js library causes it especially when many plugins and other resources are being used.
2 Likes
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.