Chrome not accepting new cert

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: surething.com

I ran this command: surething.com

It produced this output: This site can’t provide a secure connection
www.surething.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

My web server is (include version): Apache

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not using certbot

I renewed my cert on September 23, 2023. Everything was fine until around October 1, 2023 (not sure the exact date/time). Then Chrome stopped connecting. Works fine in Firefox, Safari and others. Checking cert in other browsers shows a valid cert expiring December 22, 2023.

Big problem, hopefully someone can shed some light.

Thanks!


Have you cleared the cache in Chrome?


Yes, it's not just my computer; we have customers who have reported it too. Seems like a cert problem, but it looks good.

Please show:
ps -ef | grep apache | grep -v grep


Actually, it's not all versions of Chrome either. I have seen it work on Chrome 109.0.5414.120 running on Windows 7.

You are chasing a red herring.
Please show the output requested.


From my server, right?
jmayall@mwww03:~$ ps -ef | grep apache | grep -v grep
root 995 1 0 May21 ? 00:11:39 /usr/sbin/apache2 -k start
www-data 16597 995 0 12:55 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 16609 995 0 12:56 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 16612 995 0 12:57 ? 00:00:01 /usr/sbin/apache2 -k start
www-data 16619 995 0 12:58 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 16620 995 0 12:58 ? 00:00:00 /usr/sbin/apache2 -k start
www-data 16623 995 0 13:00 ? 00:00:00 /usr/sbin/apache2 -k start


With openssl s_client I received the following error:

20E4DD7FFFFF0000:error:0A000172:SSL routines:tls12_check_peer_sigalg:wrong signature type:ssl/t1_lib.c:1594

I do not know what it means.


What was the complete command?


What does this show?
sudo apachectl -t -D DUMP_VHOSTS


With OpenSSL I see no negotiated cipher:

SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000 <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1696439441
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

[which is very strange]


VirtualHost configuration:
192.168.5.80:80 www.surething.com (/etc/apache2/sites-enabled/httpd-surething.conf:125)
192.168.5.37:80 secure.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:479)
192.168.5.53:443 www.surething.com (/etc/apache2/sites-enabled/httpd-surething.conf:89)
192.168.5.53:80 www.surething.com (/etc/apache2/sites-enabled/httpd-surething.conf:110)
192.168.5.52:443 www.surething.com (/etc/apache2/sites-enabled/httpd-surething.conf:50)
192.168.5.52:80 www.surething.com (/etc/apache2/sites-enabled/httpd-surething.conf:71)
192.168.5.51:443 is a NameVirtualHost
default server support.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:146)
port 443 namevhost support.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:146)
port 443 namevhost files.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:197)
port 443 namevhost www.labelme.com (/etc/apache2/sites-enabled/httpd-sites.conf:290)
alias labelme.com
port 443 namevhost esd.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:417)
port 443 namevhost downloads.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:455)
alias downloads2.surething.com
port 443 namevhost cloudfront2.surething.com (/etc/apache2/sites-enabled/httpd-sites.conf:506)
port 443 namevhost www.surething.com (/etc/apache2/sites-enabled/httpd-surething.conf:9)
alias surething.com
192.168.5.51:80 is a NameVirtualHost
default server labelgear.com (/etc/apache2/sites-enabled/httpd-sites.conf:11)

It's a wildcard cert

Show us your TLS config (the browser config file where you specify TLS versions and cipher list).


Is this for my local machine or my server (browser config file confuses me)? Where is this located? Sorry for my ignorance.

On the server side.
Show the ciphers being used and TLS protocols enabled.

Also, let's have a look at the file:


This looks like the relevant part:

<VirtualHost 192.168.5.51:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/surething.crt
#SSLCertificateChainFile /etc/apache2/ssl/surething.crt
SSLCACertificateFile /etc/apache2/ssl/surethingca.crt
SSLCertificateKeyFile /etc/apache2/ssl/surething.key
SSLProtocol +TLSv1.2 -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256

That is an unexpected location (and names) - but you never did say which ACME client you are using...


I'm not sure, I don't use any specific client when generating our certs. I run a docker letsencrypt script.

This looks exceptionally short. Browse a little on ssl-config.mozilla.org

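The points raised in this thread (a TLS-1.2-only SSLProtocol line, a four-entry cipher list, a commented-out chain directive with SSLCACertificateFile in its place) can be checked mechanically before touching a server. The script below is an added example written for this page, not code from the thread or from Apache; it takes the VirtualHost block posted above as a constructed, embedded sample, parses the SSL* directives, and reports the findings a reviewer would look for. The "modern" comparison block is a constructed sample modelled on the ssl-config.mozilla.org intermediate profile, and the protocol interpretation is a simplified version of Apache's SSLProtocol rules (an assumption, not a full reimplementation).

```python
import re

# Constructed sample: the SSL directives posted in the thread, embedded so this runs offline.
SAMPLE_VHOST = """\
<VirtualHost 192.168.5.51:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/surething.crt
#SSLCertificateChainFile /etc/apache2/ssl/surething.crt
SSLCACertificateFile /etc/apache2/ssl/surethingca.crt
SSLCertificateKeyFile /etc/apache2/ssl/surething.key
SSLProtocol +TLSv1.2 -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256
</VirtualHost>
"""

# Constructed comparison sample modelled on the Mozilla "intermediate" profile (assumption: paths are placeholders).
MODERN_VHOST = """\
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/fullchain.pem
SSLCertificateKeyFile /etc/apache2/ssl/privkey.pem
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
</VirtualHost>
"""

KNOWN_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def parse_ssl_directives(text):
    """Return {directive: value} for SSL* lines; commented-out lines are skipped."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(SSL\w+)\s+(.+)$", line)
        if m:
            directives[m.group(1)] = m.group(2).strip()
    return directives


def enabled_protocols(value):
    """Simplified SSLProtocol semantics: 'all' adds every known version, '+X'/'X' adds, '-X' removes."""
    enabled = set()
    for tok in value.split():
        negate = tok.startswith("-")
        name = tok.lstrip("+-")
        names = KNOWN_PROTOCOLS if name.lower() == "all" else [name]
        for n in names:
            if negate:
                enabled.discard(n)
            else:
                enabled.add(n)
    return enabled


def check_tls_config(text, min_ciphers=8):
    """Return a list of human-readable findings for one VirtualHost block."""
    d = parse_ssl_directives(text)
    findings = []

    protos = enabled_protocols(d.get("SSLProtocol", "all -SSLv3"))  # Apache 2.4 default
    if "TLSv1.3" not in protos:
        findings.append("TLSv1.3 not enabled")
    for old in ("SSLv3", "TLSv1", "TLSv1.1"):
        if old in protos:
            findings.append(f"legacy protocol {old} enabled")

    ciphers = [c for c in d.get("SSLCipherSuite", "").split(":") if c]
    if len(ciphers) < min_ciphers:
        findings.append(f"only {len(ciphers)} TLS 1.2 cipher suites listed")
    if not any(c.startswith("ECDHE-ECDSA") for c in ciphers):
        findings.append("no ECDHE-ECDSA suites: an ECDSA certificate could not be negotiated")
    if not any("CHACHA20" in c for c in ciphers):
        findings.append("no CHACHA20-POLY1305 suites")

    # SSLCACertificateFile configures CAs for client-certificate verification, not the served chain.
    if "SSLCACertificateFile" in d and "SSLCertificateChainFile" not in d:
        findings.append("SSLCACertificateFile is for client-cert verification; make sure "
                        "SSLCertificateFile is a full chain or set SSLCertificateChainFile")
    return findings


if __name__ == "__main__":
    for label, block in (("posted config", SAMPLE_VHOST), ("modern config", MODERN_VHOST)):
        print(f"{label}:")
        for f in check_tls_config(block) or ["no findings"]:
            print(f"  - {f}")
```

Running it prints five findings for the posted block and none for the comparison block. The checks are deliberately conservative: a short RSA-only suite list and a missing TLS 1.3 line are not proof of the Chrome failure by themselves, but they are exactly what the last reply points at, and they are worth clearing before deeper handshake debugging with openssl s_client.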