Sometime today several domains that I host on an old server all started having the same issue on Chrome only. I have tried all of the online instructions for purging SSL from internet options, checking firewall, etc. I am a graphic artist and not a server guru so bear with me on any help or instructions as they might not make sense to me at first. I very much need to move everything off of this old server. Just hoping to figure this out for now. I found some of the answers to the below questions in my Plesk panel.
My domain is: I have several domains that are having this issue but for the sake of posting one of them https://www.thedesignersjourney.com/
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
GoDaddy now but formerly MediaTemple.
I can login to a root shell : Yes
I'm using a control panel to manage my site:
Plesk Onyx - Version 17.8.11 Update #94, last updated on July 13, 2023 11:18 PM
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
Not using Certbot
Version 117.0.5938.150 (Official Build) (64-bit)
Operating System: Windows 10
This is NOT currently happening for one of my sites on the same server:
Welcome to the Community:
Server is nginx
What ACME client are you using...
shanemielke.com has a valid certificate.
This is because Chrome has recently disabled the obsolete Sha-1 algorithm. You can fix this by upgrading OpenSSL. It isn’t a problem with the certificate so there’s nothing Let’s Encrypt can do to help here.
There is no such version of CentOS, but the 6.x series has been EOL for over five years. You really shouldn't be exposing something that's been unsupported for that long to the public Internet.
I have just been using the Let's Encrypt plugins in Plesk every 90 days.
Thank you. I will look into how hard this is. Preliminary search says it might be more than I'm capable of or possibly because of the OS that I'm on and breaking things.
Curious that one cert is working but the rest are not on the same server. Would it have to do with the date that I last renewed things through the Let's Encrypt plugins in Plesk?
It has nothing to do with the certificate at all, but rather the version of OpenSSL software that is installed on the server.
@mcpherrinm Can you perhaps share some info about that? The only thing I could find was old and about certificates: A further update on SHA-1 certificates in Chrome
Understood from your comments. I just found it weird that one of my sites on the same server still views correctly but several others do not. Which is why I was asking if time of certificate creation had anything to do with it.
So that would mean the ciphers are affected, right?
But the server does have two good and a few other weak non-SHA-1 ciphers configured
Oh, and vulnerable to OpenSSL Padding Oracle vulnerability (CVE-2016-2107).
See SSL Server Test: www.thedesignersjourney.com (Powered by Qualys SSL Labs)
It’s not the ciphers either; it’s in the actual signature from the server's cert in the handshake. I don’t think that’s configurable or visible anywhere, so the only option is upgrading the software. Only very old OpenSSL is likely to run into this afaik, but without good tools I don’t have any measurements independent of what Chrome said.
This whole situation is terribly underdocumented so I’ll have a blog post up soon to help with this.
Hm, I always thought that was what the SHA meant in a cipher suite.
@Osiris I think it's a similar problem to Chrome not accepting new cert - #32 by webprofusion whereby old versions of OpenSSL might say one thing, and do another, regarding handshakes.
Right now I'm in the same boat.
Very similar situation as yours @shanemielke. Were you able to solve this issue? If yes, how?
I have some sites (plain HTML, WordPress, Joomla) that are not loading correctly in Chrome. Other browsers are good. But one site (with WordPress), on the same server, is loading fine on all browsers.
This site can’t provide a secure connection
mywebsite.net sent an invalid response.
Same hosting provider as yours...
- CentOS 6.4 (Final)
- Plesk Onyx Version 17.8.11 Update #94, last updated on July 11, 2023
What version of OpenSSL is installed?
Can you provide an example of a working site and a non-working site on the same server so I can look at the problem and see what is different?
Is there a way to privately message you the domain addresses?
Edit: I realize I'm hijacking @shanemielke's thread, and I will post a new separate thread.
You are fine. I've moved on by moving almost all of my sites to a new server. But it sounds like your situation is exactly like mine and almost the exact same configurations. I had a site that had no problems and several sites that had the issue. The only difference was when the cert was issued (maybe).
Did you even try to update the OpenSSL software? This article explains how: How to Install and Update OpenSSL on CentOS | Linux Tutorials for Beginners
I haven't tried it yet.
From what I've read on the Chromium bugs forum, old versions of OpenSSL have bugs. And this is where the problem might be.
Btw, which hosting service are you using now? I'm curious. (PM if you prefer).
Edit: added link to article
We've found another potential workaround:
This only seems to affect RSA certificates, so switching to ECDSA will help because it was never used in conjunction with SHA-1. That's why only some of @IAR's sites are broken.
I don't know about other systems like Plesk, as I don't use them.
(Editing in case you are reading this later; ignore the ECDSA stuff in this thread; I was wrong)