Chrome, Firefox non valid certificates


#27

Thanks. That was a bug, it is now fixed. No preferred version (www or non-www) or more than one https result with http status 200 -> C. You should have one preferred version (www or non-www), then add a redirect non-preferred -> preferred version.


PS: If this is your first certificate, B is ok.

A requires HTTP Strict Transport Security. This is an excellent feature - but requires a correct certificate.


#28

Mmmmm, it was an A before. I did the chain and the key, but it still says that.


#29

No, in C :frowning: but with 2 errors


#30

On this page I now have A+

https://www.ssllabs.com/ssltest/analyze.html?d=apps.migracion.gob.sv


#31

This is good, you have fixed your incomplete chain. But ssllabs says:

Certificates provided 3 (3990 bytes)
Chain issues Incorrect order, Extra certs

so it looks like you send the intermediate certificate two times.

You don’t have a preferred version. One of

https://apps.migracion.gob.sv/
https://www.apps.migracion.gob.sv/

should be preferred, so add a redirect from the other domain to your preferred domain with http status 301.

PS: The preload directive is irrelevant if you don’t add your site to Google's preload list. And preload is only possible for your main domain - migracion.gob.sv.

Check

https://hstspreload.org/

PS: Checked with my own domain (without error).

Certificates provided 2 (2590 bytes)
Chain issues None

2, not 3.


#32

Thanks… I fixed the chain issues

https://www.ssllabs.com/ssltest/analyze.html?d=apps.migracion.gob.sv

Additional Certificates (if supplied)
Certificates provided 2 (2582 bytes)
Chain issues None

I will try to make 1 preferred version.

Thank You…


#33

Can you give me the link to add the main domain?

Thanks


#34

The link is already posted:

https://hstspreload.org/

But Google has problems understanding your main domain:

We cannot connect to https://migracion.gob.sv using TLS (“Get https://migracion.gob.sv: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)”).


#35

Oh sorry, I thought it was another URL.

Thanks. Yep, the main domain is in WordPress, also on a different server without HTTPS. I will put Let's Encrypt on it again, because before I had an issue with updating the certs.


#36

Then you shouldn’t add an HSTS header. HSTS is ok, if you are sure you will always have a valid certificate. Same with every subdomain.

With HSTS, users can’t create a certificate exception if the certificate is invalid (expired).

And preload requires correct redirects http -> https.
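
The checks discussed in this thread (one preferred https version, 301 redirects from the other variants, http -> https redirects, and a preload directive only on the main domain), as an added example that is not part of any post. The hostnames under example.test, the response data and the function names are constructed for illustration; responses are assumed to be captured without following redirects and with lower-cased header names.

```python
def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            digits = token.split("=", 1)[1].strip('"')
            out["max_age"] = int(digits) if digits.isdigit() else None
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out

def audit(responses, main_domain):
    """responses maps each URL variant to (status, headers). Returns sorted findings."""
    findings = []
    https_200 = [u for u, (s, _) in responses.items()
                 if u.startswith("https://") and s == 200]
    # Exactly one https variant should answer 200; the others should redirect.
    preferred = https_200[0] if len(https_200) == 1 else None
    if preferred is None:
        findings.append("no-preferred-version")
    for url, (status, headers) in responses.items():
        location = headers.get("location", "")
        if url.startswith("http://"):
            # Preload requires a correct http -> https redirect.
            if not (status == 301 and location.startswith("https://")):
                findings.append("http-not-redirected:" + url)
            continue
        if status != 200 and preferred and not (status == 301 and location == preferred):
            findings.append("bad-redirect:" + url)
        hsts = headers.get("strict-transport-security")
        host = url.split("/")[2]
        # A preload directive on anything but the main domain has no effect.
        if hsts and parse_hsts(hsts)["preload"] and host != main_domain:
            findings.append("preload-on-subdomain:" + host)
    return sorted(findings)

# Constructed sample: both https variants answer 200 and send a preload directive.
HSTS = "max-age=31536000; includeSubDomains; preload"
BEFORE = {
    "http://apps.example.test/": (301, {"location": "https://apps.example.test/"}),
    "http://www.apps.example.test/": (301, {"location": "https://www.apps.example.test/"}),
    "https://apps.example.test/": (200, {"strict-transport-security": HSTS}),
    "https://www.apps.example.test/": (200, {"strict-transport-security": HSTS}),
}
print(audit(BEFORE, "example.test"))
```
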


#37

OK, thank you for your help.

