Gmail displaying Suspicious link popup on links to site with Let's Encrypt cert

I send out emails with an activation link and Gmail has started flagging the link as a ‘Suspicious link’ with a popup with the message:

“Suspicious link This link leads to an untrusted site. Are you sure you want to proceed to domainname.com?”

The site has a Let's Encrypt certificate and nginx with SSL configured using:

  ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
  ssl_trusted_certificate /etc/letsencrypt/live/domainname.com/chain.pem;

and

# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;

I also use Cloudflare and this happens with both ‘DNS Only’ and ‘DNS and HTTP Proxy’ settings.

The SSL report from www.ssllabs.com gives the site an A rating.

How do I configure the SSL so that Gmail stops displaying the security warning popup?
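For anyone reading this later: the block below is an added example, not code from the original post or from Let's Encrypt. It is a small offline checker that parses the flat nginx TLS directive block quoted above (embedded here as constructed sample input) and reports the things a reviewer would actually flag in it: the deprecated TLS 1.0/1.1 versions, the missing TLS 1.3, the prerequisites for OCSP stapling, and the HSTS preload requirements. Directive names and version thresholds are the real nginx ones; the function names are this example's own. Note what it does not claim: none of these findings affect Gmail's verdict, since a valid certificate and a clean TLS configuration are not what Gmail evaluates when it calls a link suspicious.

```python
"""Offline review of a flat nginx TLS directive block.

Added example, not from the original post or from Let's Encrypt. Handles a
flat list of directives only (no nested server { } / location { } contexts).
"""
import re
from typing import Dict, List

# Constructed sample input: the directives from the post, copied here so the
# script runs without any file or network access.
SAMPLE_CONFIG = """
ssl_certificate /etc/letsencrypt/live/domainname.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domainname.com/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/domainname.com/chain.pem;
# See https://cipherli.st/ for details on this configuration
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx >= 1.3.7
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # RFC 8996 deprecates TLS 1.0/1.1
HSTS_PRELOAD_MIN_AGE = 31536000  # one year, the hstspreload.org minimum


def parse_directives(text: str) -> Dict[str, List[List[str]]]:
    """Parse a flat nginx block into {directive: [args, ...]}.

    Comments ('#' to end of line) are stripped. A directive may appear more
    than once (add_header does), so each value is a list of argument lists.
    """
    directives: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"directive without terminating ';': {raw!r}")
        tokens = re.findall(r'"[^"]*"|\S+', line[:-1])
        name, args = tokens[0], [t.strip('"') for t in tokens[1:]]
        directives.setdefault(name, []).append(args)
    return directives


def hsts_findings(value: str) -> List[str]:
    """Check a Strict-Transport-Security value against preload requirements."""
    findings: List[str] = []
    parts = {p.strip().lower() for p in value.split(";") if p.strip()}
    ages = [int(p.split("=", 1)[1]) for p in parts if p.startswith("max-age=")]
    if not ages:
        findings.append("HSTS header has no max-age")
    elif "preload" in parts:
        if ages[0] < HSTS_PRELOAD_MIN_AGE:
            findings.append(f"HSTS preload requires max-age >= {HSTS_PRELOAD_MIN_AGE}, got {ages[0]}")
        if "includesubdomains" not in parts:
            findings.append("HSTS preload requires includeSubDomains")
    return findings


def review(directives: Dict[str, List[List[str]]]) -> List[str]:
    """Return human-readable findings for the parsed block (empty list = clean)."""
    findings: List[str] = []
    protos = set(directives.get("ssl_protocols", [[]])[0])
    weak = sorted(DEPRECATED_PROTOCOLS & protos)
    if weak:
        findings.append("deprecated protocol versions enabled: " + ", ".join(weak))
    if "TLSv1.3" not in protos:
        findings.append("TLSv1.3 not enabled (needs nginx >= 1.13.0 built against OpenSSL 1.1.1+)")
    if directives.get("ssl_stapling", [["off"]])[0][0] == "on":
        # Stapling needs a resolver to reach the OCSP responder, and verifying
        # the response needs a chain to verify it against; without them clients
        # simply get no stapled status.
        if "resolver" not in directives:
            findings.append("ssl_stapling on without a resolver directive")
        verify = directives.get("ssl_stapling_verify", [["off"]])[0][0] == "on"
        if verify and "ssl_trusted_certificate" not in directives:
            findings.append("ssl_stapling_verify on without ssl_trusted_certificate")
    for args in directives.get("add_header", []):
        if len(args) >= 2 and args[0].lower() == "strict-transport-security":
            findings.extend(hsts_findings(args[1]))
    return findings


if __name__ == "__main__":
    for finding in review(parse_directives(SAMPLE_CONFIG)):
        print("-", finding)
```

On the posted block this reports exactly two things: TLSv1 and TLSv1.1 are still enabled, and TLSv1.3 is not. Stapling and HSTS come out clean. One caveat the checker cannot see because it only reads a flat block: nginx does not inherit `add_header` lines from an outer context into any `location` block that sets its own `add_header`, so the HSTS header can silently disappear on some paths even though this block looks right.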

If you hide the real domain then we can only provide guesses.
If you provide a real domain then we can do a real investigation and propose an adequate solution.

@rg305 Thanks for the reply. I know it’s tedious this way, but it’s a security risk to post the ssl configuration of the site on a public forum. Since my previous post, the problem has suddenly, somewhat magically it seems, stopped happening. Both Cloudflare settings now work without causing the security popup. So I guess that’s the end of this thread. Time for another cup of tea.

It would only be a security risk if you really, really screwed up your config, and then it would be good, because somebody could tell you that you did a bad job.

@bfqTudaffO1LNwUSmNFf That’s an interesting perspective you have. Good job/bad job is pretty irrelevant in the overall scheme of things, and in practice configurations and the software are an evolving thing rather than something that is right or wrong. There’s no such thing as completely bulletproof security. Probably I’m more cautious than you.

@fegoze, are you aware of the fact that all certificates are already being logged to the publicly-accessible Certificate Transparency logs? This is not providing you with any additional secrecy, only preventing those in a position to help you from doing so. If you’re uncomfortable sharing your domain on the search-engine indexable forum, would you go ahead and post a link to the certificate from the Certificate Transparency list? You can search at https://crt.sh and post the link to your certificate here. That could be used to reference your domains while not posting any more information than is already publicly - and permanently - online.

Failing that, I think you need to take this up with Google - the fact that you have TLS with a signed certificate doesn’t determine if a site is suspicious or not. Anyone can get a DV certificate for a malicious site, as long as it wasn’t on the blacklists Let’s Encrypt checks when the certificate was issued.

However, without the name, there’s really nothing anyone here can even start to do to help you.


Look I’m not going to add a link to my site from a post detailing the security configuration of the site. If you’re not willing to help people in my situation then make that clear on the forum description, rather than pressure people to do things they aren’t comfortable doing.

hi @fegoze

the challenge here is that you didn’t select the right category

server is for server based configuration

the help category states this pretty clearly

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

as an aside

there have been multiple people who claimed that everything was set up correctly till they were blue in the face

once the domain was provided the issue was identified in 2-3 minutes

asking for help works if you are able to provide sufficient information or let people do their own tests

I am not sure what your expertise in testing TLS is but assuming you are asking for help then it may not be as good as others in this forum

:smiley:

Not to be rude, but when you post to "Help" there's a form presented that tells you exactly that. In fairness, I believe this may have been in the Server category and moved, if memory serves, so you would not have seen this when posting. The message below is what you would normally see:

Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

Of course, people here will still do everything we can to help without it, but in this case (and many, many others) that's really not a feasible option. Nobody on this forum has any control over Google's suspicious sites list, all we can do is do our best to help you determine what lists it had been added to which may hint at a root cause, but that's impossible without the name.

Either way, it sounds like you've got it sorted, which I'm glad to hear! Cheers!

You follow some best practices; the config looks good. That shouldn’t cause the problems. So it must be your domain name.

Yes, like I said before, the problem went away, despite the heavy-handed approach of some of you on this forum!

I have had a look at some of your previous posts and these problems always seem to go away

I wonder what the balancing point between dealing with “heavy handed” vs waiting it out is; however, providing good information leads to good results :smiley:

most people on these forums are volunteers and offer their time free of charge for the benefit of all - part of this benefit is creating a trail of breadcrumbs for people to follow troubleshooting steps

blackbox cases such as the one you are describing to me don’t add any value at all

feel free to disagree :smiley:

Closing this since the problem seems to have gone away. Feel free to open another thread if this happens again!