Have certification, web browser says untrusted


#1

I’m not sure what’s going on here at all. I got the certification from certbot by running certbot --apache and it changed the .conf files to include everything that was necessary for it to work. But when going to the https address of the domain, it says that it’s untrustworthy.

Here is the main .conf file:

<VirtualHost *:80>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName jackreggin.com

        ServerAdmin info@jackreggin.com
        DocumentRoot /home/jackr/http

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        LogLevel info warn error

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
#RewriteEngine on
#RewriteCond %{SERVER_NAME} =jackreggin.com
#RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

(I commented out the rewriting code so that the http address would work.)

And here is the ssl .conf file:

<IfModule mod_ssl.c>
<VirtualHost *:443>
        # The ServerName directive sets the request scheme, hostname and port that
        # the server uses to identify itself. This is used when creating
        # redirection URLs. In the context of virtual hosts, the ServerName
        # specifies what hostname must appear in the request's Host: header to
        # match this virtual host. For the default virtual host (this file) this
        # value is not decisive as it is used as a last resort host regardless.
        # However, you must set it for any further virtual host explicitly.
        ServerName jackreggin.com

        ServerAdmin info@jackreggin.com
        DocumentRoot /home/jackr/http

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        LogLevel info warn error

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        # For most configuration files from conf-available/, which are
        # enabled or disabled at a global level, it is possible to
        # include a line for only one particular virtual host. For example the
        # following line enables the CGI configuration for this host only
        # after it has been globally disabled with "a2disconf".
        #Include conf-available/serve-cgi-bin.conf
SSLCertificateFile /etc/letsencrypt/live/jackreggin.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/jackreggin.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

My domain is: jackreggin.com

My operating system is (include version): Ubuntu 16.04 (Desktop)

My web server is (include version): Apache 2.4.18

I can login to a root shell on my machine (yes or no, or I don’t know): yes

Any idea what’s going on here?


#2

Hi @jacknbeans

Error messages are usually a good clue :smiley:

https://support.mozilla.org/t5/Fix-slowness-crashing-error/How-to-troubleshoot-the-error-code-quot-SEC-ERROR-UNKNOWN-ISSUER/ta-p/35758

If you review your website through this tool you will see that you are using a Fake LE Certificate:

https://www.ssllabs.com/ssltest/analyze.html?d=jackreggin.com&s=87.214.96.232&hideResults=on&latest

You seem to be using the staging server to get the certificates, not the live server.

I can confirm that no real certificates have been issued for your domain: https://crt.sh/?q=*jackreggin.com

Andrei


#3

Oh yeah, duh! Thanks for the info and pointing me in the right direction.


#4

I had the same issue with my site: https://staging.dover.com.au/.
This is my certificate: https://www.ssllabs.com/ssltest/analyze.html?d=staging.dover.com.au.
Can you help me to solve it?
This is the SSL config: http://prntscr.com/eunlmk
This is the site config: http://prntscr.com/eunmbq
I had the pem files on the server: http://prntscr.com/eunmnb


#5

The SSLLabs test indicates that your server is fine and serving a trusted certificate. Browsing to your domain shows no errors. What is the issue that you’re having?


#6

Hi @vnatuan1989

Have a review of this site: https://www.whynopadlock.com/

Some browsers are more sensitive about sites that are served over HTTPS but have links to non-secure content (e.g. images, CSS files).

The offender in this case is a PNG graphic served over HTTP.

Once you get that sorted you will get the green padlock :smiley:

Andrei


#7

When I use https://staging.dover.com.au/ to connect to my site, it said: “Connection is not Secure”. It is my issue. Can you help me?


#8

@vnatuan1989, use https://www.whynopadlock.com/

It will explain the problems (mixed content errors, in this case the insecure image link http://apps.dover.com.au/wp-content/uploads/2016/04/cream_pixels.png). This is the same problem that @ahaw021 just explained above!


#9

Thank you, I will try to fix it.


#10

It was done, my site had a certificate, thank you very much.

