Hi everyone, and thank you so much in advance for your help.
We use a LE certificate for the subdomain app.partee.es, which is untrusted for some of our visitors. It is difficult for us to know the exact versions of the problematic operating systems and browsers, because the complaints come from customers of our customers, but we have detected this behaviour at least on Windows 10 with Firefox 59.0.2, and on several iPhone 6 devices.
The domain is registered at strato.com, and the DNS configuration points to the IP of the server at https://gigas.com/ where the application is deployed. The operating system is Ubuntu 16.04.4 LTS, and the Apache version is 2.4.18.
Here is the configuration of our virtualhost for HTTPS:
Listen 443
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
ServerName app.partee.es
ServerAlias www.app.partee.es
SSLEngine on
SSLProxyEngine on
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLCertificateKeyFile /etc/letsencrypt/live/app.partee.es/privkey.pem
SSLCertificateFile /etc/letsencrypt/live/app.partee.es/fullchain.pem
SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
SSLHonorCipherOrder on
ProxyRequests Off
ProxyPreserveHost On
ProxyPass / https://localhost:8181/ParteeWeb/
ProxyPassReverse / https://localhost:8181/ParteeWeb/
We would be very grateful if you could help us improve our installation to considerably reduce the number of visitors that do not trust our web application.
We have detected this problem on Windows 10 + Firefox 59.0.2, and iPhone 6 + Safari, but we are pretty sure there are additional user agents that do not trust our server, as we are receiving too many complaints.
I'm not sure what happens, since when I'm browsing using Firefox it throws no error.
Can you share one of the error messages they sent to you? (Since Windows 10 has the LE CA trusted, and iPhone 6 has the root.)
Unfortunately we don't have any capture of the error messages yet, but we have asked our users to send us some. We know they would be very helpful.
The use case is the following. Our customer uses our application to create a unique URL, which has the following structure: https://app.partee.es/some_unique_path. Our customer sends a link with that URL to one of its customers, which is the final user. The final user clicks the link and goes to the web page (https://app.partee.es/some_unique_path), which contains a web form to enter some data. The "untrusted" messages are shown to some of these final users.
Just in case it helps, this is a real unique URL (link). The application has been developed in AngularJS.
This link uses www.app.partee.es, not app.partee.es. Your certificate is only valid for the latter. Chrome sometimes ignores this error but other browsers do not.
So you need to either correct the link to use app.partee.es or get a certificate that's valid for both names.
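A check for exactly this mismatch, as an added example that is not part of the thread or of the original poster's setup: it applies RFC 6125 hostname matching to the certificate dict shape that Python's `ssl` module returns, so an operator can list every name a link might use and see which ones the certificate does not cover. The sample certificate below is constructed to mirror the thread (only `app.partee.es` in the SAN list); `fetch_peer_cert` is an assumed helper for running the same check against a live server.

```python
"""Report which hostnames a certificate's Subject Alternative Names do not cover."""
import socket
import ssl


def hostname_matches_san(hostname: str, cert: dict) -> bool:
    """True if hostname is covered by a DNS SAN entry (RFC 6125 rules).

    A wildcard is honoured only as the whole leftmost label, matches exactly
    one label, and must leave at least two fixed labels (so "*.es" never matches).
    The cert dict has the shape returned by ssl.SSLSocket.getpeercert().
    """
    host_labels = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san_labels = value.lower().rstrip(".").split(".")
        if len(san_labels) != len(host_labels) or san_labels[1:] != host_labels[1:]:
            continue
        first = san_labels[0]
        if first == host_labels[0] or (first == "*" and len(san_labels) > 2):
            return True
    return False


def uncovered_names(names, cert: dict) -> list:
    """Return the names from `names` that the certificate does not cover."""
    return [n for n in names if not hostname_matches_san(n, cert)]


def fetch_peer_cert(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Assumed helper (needs network): connect with SNI and return the peer cert.

    The chain is still verified against the system trust store; only the
    hostname check is left to uncovered_names() so the report names the gap.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample mirroring the thread: the certificate lists only app.partee.es.
SAMPLE_CERT = {"subjectAltName": (("DNS", "app.partee.es"),)}

if __name__ == "__main__":
    # Every hostname a customer-facing link might use should appear in the SAN list.
    print("not covered:", uncovered_names(["app.partee.es", "www.app.partee.es"], SAMPLE_CERT))
```

Running the live variant is `uncovered_names([...], fetch_peer_cert("app.partee.es"))`; any name in the result is one for which browsers will show the untrusted warning the thread describes.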