Chrome 69.0.3497.81 reports Active content with certificate errors


#1

Even if this topic (Latest Ubuntu Chrome shows it insecure and inspect/security tells “Active content with certificate errors”) has been mentioned and closed earlier with repeated reminders to clear the browser state, I am compelled to mention it again, and here is why.

I have a carefully crafted letsencrypt cert with server settings that shows all-green on the advanced Qualys report https://www.ssllabs.com/ssltest/analyze.html?d=yourdomain.tld and have adjusted my zone file to all needed options, the cipher-suite to match the requirements, and even cleansed my wp-theme of all URLs with “http”. I’m still persistently getting this error (and as a result the browser showing the site red-unsecure) on Chrome (but not on latest Chromium).

It is still probably a simple config on my side, but with this eluding me I was wondering what other things I should check. Especially since advanced site scanners are not seeing the reason and browser inspect does not have more verbose diagnostics on this, it is annoying to hunt this one down.

Any insight is greatly appreciated.


#2

What’s the URL of your website? What messages does Chrome give?


#3

deployyour.app (work in progress) - top row says “! Not Secure” in red and inspect->security tells

Resources - active content with certificate errors

You have recently allowed content loaded with certificate errors (such as scripts or iframes) to run on this site.

I am suspecting the fancy wp module content has some minified js libraries which may still be unclean (e.g. a hidden iframe), but I have not been able to grep it by now.


#4

It’s probably because of https://canyoutag.com included in your main page:

<script src='https://canyoutag.com/?...' type='text/javascript'></script><meta name="referrer" content="always"/>

Which has an invalid certificate (valid for www.canyoutag.com but not canyoutag.com).

That script tag is included in your main page by your server (not by another javascript file).


You can see it in the “Non-secure origins” of the “security” tab of the Chrome console.


#5

Thanks - your info surely helped to fix the issue.

Observations:

  • my version of Chrome does not out-of-box show the non-secure origins (maybe I need to turn on a flag?) but once you know this as a possible issue, view-source helps in hunting the culprit down.
  • an accidentally network-enabled plugin not supporting wp-multi can cause cross-referring.
  • Purely relying on WP-Encrypt may not be the final word on using your excellent certbot on multi-tenant wp-setups.
  • There is room for a more end-to-end security scan to identify these types of issues, including telling which wp-plugin or js library causes it, especially when many plugins and other resources are being used.
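
A minimal version of the kind of scan post #5 asks for, as an added example that is not part of the thread: it lists the hosts a page loads scripts or frames from and flags those whose certificate names do not cover the host, which is the mismatch post #4 found. The function names, sample HTML and SAN lists are constructed for illustration, and cdn.example.net is a placeholder host.

```python
import socket
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute that pulls in active content (scripts, frames, plugins).
ACTIVE = {"script": "src", "iframe": "src", "frame": "src", "embed": "src", "object": "data"}

class ActiveHosts(HTMLParser):
    """Collect the distinct hosts a page loads active content from."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(ACTIVE.get(tag, ""))
        host = urlsplit(url).hostname if url else None  # None for relative URLs
        if host and host not in self.hosts:
            self.hosts.append(host)

def san_matches(host, pattern):
    """Label-by-label compare; '*' is accepted only as the whole left-most label."""
    h, p = host.lower().split("."), pattern.lower().split(".")
    return len(h) == len(p) and all(
        a == b or (i == 0 and b == "*") for i, (a, b) in enumerate(zip(h, p)))

def fetch_sans(host, port=443):
    """Live lookup: validate the chain but skip the name check, so a
    certificate issued for a different name can still be read."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return [v for k, v in tls.getpeercert().get("subjectAltName", ()) if k == "DNS"]

def name_mismatches(html, sans_for=fetch_sans):
    """Hosts serving active content whose certificate names do not cover them."""
    parser = ActiveHosts()
    parser.feed(html)
    return [h for h in parser.hosts if not any(san_matches(h, s) for s in sans_for(h))]

# Constructed sample: the tag from post #4 plus a relative and a wildcard-covered script.
SAMPLE_HTML = """<script src='/wp-includes/js/jquery.js'></script>
<script src='https://canyoutag.com/?...' type='text/javascript'></script>
<script src='https://cdn.example.net/lib.min.js'></script>"""
# Constructed SAN lists; the first mirrors what post #4 reports.
SAMPLE_SANS = {"canyoutag.com": ["www.canyoutag.com"], "cdn.example.net": ["*.example.net"]}

if __name__ == "__main__":
    print(name_mismatches(SAMPLE_HTML, SAMPLE_SANS.__getitem__))  # offline run
```

Called without the second argument, `name_mismatches` looks up each host's certificate over the network with `fetch_sans`; a host whose chain itself fails validation raises `ssl.SSLCertVerificationError` instead of being listed.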

#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.