Google Chrome Warning!


#1

Hello,

I have just installed Let’s Encrypt onto my NGINX server using the Webroot Plugin.

I have successfully obtained a certificate, however when I click on the green padlock on Chrome and click “Connection”, Chrome displays a message saying “Stop using an invalid certificate.”

Is this normal?

Thanks,
Ashley.


#2

No, that shouldn’t happen. Try SSL Labs on your domain and see if any issues are reported (I’d take a close look at any certificate chain issues it might report - you might have pointed your nginx configuration at cert.pem instead of fullchain.pem.)

If that doesn’t get you anywhere, it might help to share your domain name as well as your web server configuration and the client OS.


#3

Usually “Stop using an invalid certificate” is not a “message” but a button that lets you do what it says. This button appears if you have previously told Chrome that you don’t care about a security problem (for example, you were using a self-signed certificate on that site) and you can press the button if you decide you do care after all.

If you’ve got Let’s Encrypt set up properly for your site you should be able to press this button without any problems.


#4

Thanks for everyone’s help.

I tried pressing the “Stop using an invalid certificate” button, but unfortunately this didn’t stop the button from appearing. I also noticed that the first domain on the certificate was not displaying the button but the second domain on the certificate was.

So I decided to generate a strong Diffie-Hellman group with the following command:

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

And then added this into my server block:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

I then reloaded and restarted NGINX and the button from Google Chrome finally disappeared. So as far as I can see, everything must be installed and configured correctly with Let’s Encrypt. This also upgraded my rank on SSL Labs to A+.
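As an added example (not code from this thread, from Let’s Encrypt or from nginx), the Python below checks a server block for the points raised in #2 and #4: whether ssl_certificate points at a bundle that carries the intermediate (cert.pem holds only the leaf, fullchain.pem holds leaf plus issuer), and, going beyond the thread, whether ssl_protocols still enables TLS 1.0/1.1, whether the cipher string positively selects 3DES/RC4/MD5/export suites, whether ssl_stapling_verify is on without the ssl_trusted_certificate nginx documents as required for verification, and whether HSTS is set. The config snippets, the PEM “files” (placeholder bodies, not real certificates) and the /etc/letsencrypt/live/example.com paths are constructed fixtures.

```python
"""Lint an nginx TLS server block for chain and protocol problems.

Added example, not part of the original thread. Fixtures are constructed.
"""
import re

# One PEM certificate block; the body is only counted, never validated.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Substrings of cipher-string tokens a modern profile should not offer.
WEAK_CIPHER_MARKERS = ("DES-CBC3", "RC4", "MD5", "EXPORT", "NULL")


def count_pem_certs(pem_text):
    """Return how many certificates a PEM bundle holds (1 = leaf only)."""
    return len(PEM_BLOCK.findall(pem_text))


def parse_directives(conf_text):
    """Collect one-line nginx directives into {name: [[args...], ...]}.

    Comments are stripped; a single quoted argument keeps its spaces/colons.
    """
    directives = {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.endswith(";"):
            continue
        name, _, rest = line[:-1].partition(" ")
        rest = rest.strip()
        if len(rest) >= 2 and rest[0] == rest[-1] and rest[0] in "'\"":
            args = [rest[1:-1]]
        else:
            args = rest.split()
        directives.setdefault(name, []).append(args)
    return directives


def last_args(directives, name):
    """Arguments of the last occurrence of `name`, or [] if it is absent."""
    return directives[name][-1] if name in directives else []


def lint_tls_config(conf_text, read_file):
    """Return a list of findings; an empty list means every check passed.

    `read_file(path)` returns the PEM text behind ssl_certificate, so the
    check runs against an in-memory fixture as well as the real filesystem.
    """
    d = parse_directives(conf_text)
    findings = []

    # 1. The served bundle must include the intermediate, not only the leaf.
    cert_path = last_args(d, "ssl_certificate")
    if not cert_path:
        findings.append("no ssl_certificate directive")
    else:
        n = count_pem_certs(read_file(cert_path[0]))
        if n < 2:
            findings.append(f"ssl_certificate {cert_path[0]} holds {n} "
                            "certificate(s); point it at fullchain.pem")

    # 2. TLS 1.0/1.1 (and SSLv3) are deprecated protocol versions.
    legacy = [p for p in last_args(d, "ssl_protocols")
              if p in ("SSLv3", "TLSv1", "TLSv1.1")]
    if legacy:
        findings.append("ssl_protocols enables legacy versions: "
                        + ", ".join(legacy))

    # 3. A positive (non-'!') token that pulls in a weak suite family.
    ciphers = last_args(d, "ssl_ciphers")
    tokens = ciphers[0].split(":") if ciphers else []
    weak = [t for t in tokens if not t.startswith("!")
            and any(m in t.upper() for m in WEAK_CIPHER_MARKERS)]
    if weak:
        findings.append("ssl_ciphers offers weak suites: " + ", ".join(weak))

    # 4. nginx verifies stapled OCSP responses against ssl_trusted_certificate.
    if last_args(d, "ssl_stapling_verify") == ["on"] \
            and "ssl_trusted_certificate" not in d:
        findings.append("ssl_stapling_verify on without "
                        "ssl_trusted_certificate")

    # 5. HSTS header present (any add_header occurrence counts).
    if not any(a and a[0] == "Strict-Transport-Security"
               for a in d.get("add_header", [])):
        findings.append("no Strict-Transport-Security header")
    return findings


# --- constructed fixtures: placeholder PEM bodies, not real certificates ---
LEAF = "-----BEGIN CERTIFICATE-----\nMIIB...leaf...\n-----END CERTIFICATE-----\n"
ISSUER = "-----BEGIN CERTIFICATE-----\nMIIB...issuer...\n-----END CERTIFICATE-----\n"
FAKE_FS = {
    "/etc/letsencrypt/live/example.com/cert.pem": LEAF,
    "/etc/letsencrypt/live/example.com/fullchain.pem": LEAF + ISSUER,
}
CONF_BEFORE = """
    ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:!aNULL:!RC4:!MD5';
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security max-age=15768000;
"""
CONF_AFTER = """
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL';
    ssl_stapling on;
    ssl_stapling_verify on;
    add_header Strict-Transport-Security "max-age=15768000" always;
"""

if __name__ == "__main__":
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER)):
        print(label, lint_tls_config(conf, FAKE_FS.__getitem__))
```

To run it against a real server, call `lint_tls_config(open("/etc/nginx/sites-enabled/site").read(), lambda p: open(p).read())`; the chain count is the quickest way to confirm nginx is serving fullchain.pem rather than cert.pem, which is the mismatch SSL Labs reports as an incomplete chain.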