LE certificate not trusted in some devices


#1

Hi everyone, and thank you so much in advance for your help.

We use a LE certificate for the subdomain app.partee.es, which is untrusted for some of our visitors. It is difficult for us to know the exact versions of the problematic operating systems and browsers, because the complaints come from customers of our customers, but we have detected this behaviour at least in Windows 10 with Firefox 59.0.2, and on several iPhone 6 devices.

We get an A grade in SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=app.partee.es

The domain is registered at strato.com, and the DNS configuration points to the IP of the server at https://gigas.com/ where the application is deployed. The operating system is Ubuntu 16.04.4 LTS, and the Apache version is 2.4.18.

Here is the configuration of our virtualhost for HTTPS:

Listen 443

<VirtualHost *:443>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    ServerName app.partee.es
    ServerAlias www.app.partee.es

    SSLEngine on
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    SSLCertificateKeyFile /etc/letsencrypt/live/app.partee.es/privkey.pem
    SSLCertificateFile /etc/letsencrypt/live/app.partee.es/fullchain.pem

    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLHonorCipherOrder on

    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://localhost:8181/ParteeWeb/
    ProxyPassReverse / https://localhost:8181/ParteeWeb/
</VirtualHost>

We would be very grateful if you could help us improve our installation to considerably reduce the number of visitors that do not trust our web application.

Thank you so much from the Partee Team!


#2

Hi

From what I see, your website is working fine.
Only XP users are having trouble accessing it.

Can you tell us what platform the users who can’t access your website are on? (Since it should be compatible with 99% of user agents.)

Thank you


#4

Hi,

Thank you very much for your reply.

We have detected this problem on Windows 10 + Firefox 59.0.2, and iPhone 6 + Safari, but we are pretty sure there are additional user agents that do not trust our server, as we are receiving too many complaints.

Any idea?


#5

Hi,

I’m not sure what happens, since when I’m browsing using Firefox it throws no error.
Can you share one of the error messages they sent? (Since Windows 10 has the LE CA trusted, and iPhone 6 has the root.)

Thank you


#6

For test purposes, I’d try removing “EDH+aRSA”.


#7

It would also be helpful to know exactly what error the incompatible browsers are displaying when trying to access the site.


#8

Hi,

Thank you for your reply.

Unfortunately we don’t have any capture of the error messages yet, but we have asked our users to send us some. We know they would be very helpful.

The use case is as follows. Our customers use our application to create a unique URL with the structure https://app.partee.es/some_unique_path. The customer sends a link with that URL to one of its own customers, who is the final user. The final user clicks the link and goes to the web page (https://app.partee.es/some_unique_path), which contains a web form to enter some data. The untrusted messages are shown to some of these final users.

Just in case it helps, this is a real unique URL (link). The application has been developed in AngularJS.

Thank you very much!


#9

Hi,

We know; we are looking forward to receiving some screenshots, but it is not easy because the end users are customers of our customers.

Thank you so much for your reply!


#10

Hi,

We have just removed it. Let’s hope it helps.

Thank you so much for your help!


#11

This link uses www.app.partee.es, not app.partee.es. Your certificate is only valid for the latter. Chrome sometimes ignores this error but other browsers do not.

So you need to either correct the link to use app.partee.es or get a certificate that’s valid for both names.
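One way to catch this mismatch before end users do, as an added example that is not code from the thread: list every name the vhost answers for (ServerName plus each ServerAlias) and check each against the certificate's DNS Subject Alternative Names. The SAN list below is constructed from what the thread states (the certificate covers only app.partee.es), not read from the real certificate.

```python
"""Check that every hostname an Apache vhost serves is covered by the
certificate's DNS SANs (constructed example, not from the thread)."""
import re


def hostnames_from_vhost(config_text):
    """Collect ServerName and every ServerAlias value from a vhost config."""
    names = []
    for line in config_text.splitlines():
        m = re.match(r"\s*(ServerName|ServerAlias)\s+(.+)", line)
        if m:
            for token in m.group(2).split():
                names.append(token.lower().rstrip("."))
    return names


def san_covers(hostname, san_dns_names):
    """True if hostname matches one of the DNS SANs exactly, or via a wildcard
    that stands for exactly one left-most label (RFC 6125 style)."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*."):
            suffix = san[1:]  # "*.partee.es" -> ".partee.es"
            head = host[: -len(suffix)] if host.endswith(suffix) else ""
            # Wildcard covers app.partee.es but not a.b.partee.es or partee.es
            if head and "." not in head:
                return True
    return False


def uncovered_names(config_text, san_dns_names):
    """Names the vhost serves that browsers would reject as BAD_CERT_DOMAIN."""
    return [h for h in hostnames_from_vhost(config_text)
            if not san_covers(h, san_dns_names)]


# Constructed sample mirroring the thread: the vhost answers for both names,
# while the certificate's SAN list holds only the bare subdomain.
SAMPLE_VHOST = """
    ServerName app.partee.es
    ServerAlias www.app.partee.es
"""
SAMPLE_SANS = ["app.partee.es"]

if __name__ == "__main__":
    for name in uncovered_names(SAMPLE_VHOST, SAMPLE_SANS):
        print(f"{name}: not covered by the certificate (SSL_ERROR_BAD_CERT_DOMAIN)")
```

Run it after every certificate renewal or vhost change; any name it prints needs either a link fix or a certificate that includes that name.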


#12

That’s it! We have just received a screenshot with the message SSL_ERROR_BAD_CERT_DOMAIN.

Thank you so much for your help!

