Created cert but chrome returns a "Privacy Error"


#1

Hello I successfully added https protocol to my own website. Currently implementing it for another website located at www.cheepcheep.net. It’s on shared hosting so I’ve found it a bit hard to overcome permissions etc.

I’ve also run the site across https://www.ssllabs.com/ssltest/analyze.html?d=cheepcheep.net and it was given an A grade. So I’m not sure why Chrome says there is an issue?

Click on the ‘lock’ symbol under the connection tab it says the following

The identity of this website has not been verified.
• Server’s certificate does not match the URL.

Any ideas?


#2

You have a cert for cheepcheep.net only but the server is redirecting to www.cheepcheep.net. For this to work you need a cert for both names, in the official client this is done by using multiple -d flags.


#3

Thanks for you reply cool110. But i’ve redone the steps but for www.cheepcheep.net instead.

Apologies one moment I’m going to uninstall the current cert and they keys on my server, I’ll let you know how it goes as it seem I didn’t update it properly.


#4

Okay I’ve updated the key and applied it to www.cheepcheep.net and cheepcheep.net.

This time the site is loading however I don’t have the green lock next to my URL. Google Chrome still mentions that my security is weak

Your connection to www.cheepcheep.net is encrypted using a modern cipher suite. Further, this page includes other resources which are not secure. These resources can be viewed by others while in transit, and can be modified by an attacker to change the look of the page.

The connection uses TLS 1.2.

The connection is encrypted and authenticated using AES_128_GCM and uses ECDHE_RSA as the key exchange mechanism.

I’ve also retested the SSL and have been given an “A grade”. https://www.ssllabs.com/ssltest/analyze.html?d=www.cheepcheep.net


#5

You include a lot of images, css etc on your page using http not https

try checking your site with https://www.whynopadlock.com and it will list them all for you.


#6

Thanks serverco. Will check that out! and update this thread with my results.


#7

So I believe it was what serverco said about my links not being https. But I updated my .htaccess file with a plugin and it’s working now, however the links to my images are broken.


#8

Your plugin is presumably forcing https

It looks as if you got a certificate for www.cheepcheep.net only ( not www.cheepcheep.net and cheepcheep.net ) so some of the links, ( like https://cheepcheep.net/wp-content/uploads/2015/10/61209.jpg ) are using cheapcheap.net ( not www.cheapcheap.net ) which isn’t valid - so your plugin (I’m guessing ) blocks them.

I’d suggest getting a certificate for both the www and none-www version, or correct all your links so they go to the www version.


#9

I had something similar when I moved to https on my personal site. The page I wrote wasn’t using relative links for the headings (e.g. “/img/headingmain.jpg”), and instead used URLs (e.g. “http://example.com/img/headingmain.jpg”).

This was my mistake from when I was teaching myself how to write HTML over a decade ago. I took a shortcut (using URLs) because I could cut and paste hypertext from any page into any other page and the links would still work. The links would break when I used relative links since the relative locations changed from page to page.

I didn’t realise I’d kept so much old code in my pages. My current site uses PHP and style sheets but I still had three or four http links in my main landing page alone. If you wrote the site yourself (or based it on somebody else’s) I’d search the page for “http” and replace the URL with a relative link.

Good luck!


#10

Use relative links is a good advice.

Also, when linking external resources, remove http: or https: from the link.

E.g. Use:

src="//www.some3rdpartysite.com/image.jpg"

Instead of:

src="http://www.some3rdpartysite.com/image.jpg"


#11

Another option you could try is using CSP (content security policy) to tell users’ browsers to upgrade all insecure HTTP. It isn’t supported by all browsers (I think the only major ones supporting are Chrome, Firefox, and Opera), but it will tell the browser to rewrite any HTTP links it finds on your site to HTTPS if possible.

Basically to do this, you’d add this header to your server: Content-Security Policy: upgrade-insecure-requests.
If you don’t have the ability to add HTTP headers to your server, you could alternatively embed it in your HTML <head> as shown on https://googlechrome.github.io/samples/csp-upgrade-insecure-requests/:
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">.

This might give you some time to hunt down all the links and other resources being referenced over HTTP and upgrade them to HTTPS.


#12

Thanks Quicksilver and koluke. Apart from fixing those http links, I haven’t played much with website building since I finished mine years ago. And my site basically reduced over time as I moved to things like ownCloud and Roundcube.

This is the problem with being self-taught. I had no idea src could reference a website without specifying http or htttps, or that I could request the browser upgrade insecure requests. Since my site is self-contained, my links were more like src="…/…/img/blog/picture.jpg".

But it worked! Ah, misspent youth. I’ve always been a crappy programmer, you should have seen the basic I wrote for my Commodore64 back in the day :wink: