My site is showing as not secured for some users

So how do I solve it?

From here SSL Server Test: recruitopen.com (Powered by Qualys SSL Labs)

I highly suggest you stop offering this EXPIRED Certificate #2, as non-SNI clients will possibly use it.

1 Like

Actually I disagree; I believe the certificate was updated to this crt.sh | 11852165767 one
Valid from Wed, 24 Jan 2024 09:41:45 UTC
crt.sh | recruitopen.com

1 Like

Actually, I had the certificate that was valid till March 2024, which I renewed in December 2023. Since it showed the "not secured" issue, I renewed it again this afternoon.

Did you just make a change? Because I was getting a failure using HTTPS with curl to your site but now the connection works.

But, your server redirects the HTTPS request to HTTP which is poor practice and browsers may warn about.

And, the HTTPS connection is using a cert from apnigiftshop.com. Do you know what that is?

I think you should start by rebooting your server. And, please let us know what operating system and version and openssl version you have. I don't see any problems with your certs but likely problems with ciphers or other server config.

Your nginx says it is 1.4.6 which is like 10 years old.

curl -i https://recruitopen.com
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0

# and just 1 minute later connection works but wrong cert
curl -i https://recruitopen.com
curl: (60) SSL: no alternative certificate subject name matches target host name 'recruitopen.com'
More details here: https://curl.se/docs/sslcerts.html

# Is this cert
subject=CN = apnigiftshop.com
issuer=C = US, O = Let's Encrypt, CN = R3
notBefore=Dec 19 09:05:48 2023 GMT
notAfter=Mar 18 09:05:47 2024 GMT

3 Likes

Well to start with, to help other more knowledgeable Let's Encrypt community volunteers to assist,

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: recruitopen.com

I ran this command:

It produced this output:

My web server is (include version): nginx/1.4.6 (Ubuntu)

The operating system my web server runs on is (include version): ? Ubuntu

My hosting provider, if applicable, is: ? DIGITALOCEAN

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

Your system is very unstable. I suggested restart and still do.

Here's one response I saw. Note a connect to recruitopen on HTTPS but it redirected to ww12 subdomain as HTTP

And, nginx version for ww12 is 1.10.3 but your other nginx is 1.4

curl -Ik https://recruitopen.com
HTTP/1.1 302 Found
content-length: 0
location: http://ww12.recruitopen.com/
cache-control: no-cache

3 Likes

That is the issue, I haven't made any changes. I don't know why it's using the certificate from apnigiftshop.com. It keeps on changing. Sometimes the site opens smoothly, but then sometimes it shows as not secured.

Who hosts your server? Something has obviously changed.

I get a valid TLS connect (using cert) from openssl on my own system but yet curl fails. Makes me think of something like a changed openssl version on your system. Or some other operating system component.

echo | openssl s_client -connect recruitopen.com:443  | (head -20)
---
Certificate chain
 0 s:CN = recruitopen.com
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 24 09:41:45 2024 GMT; NotAfter: Apr 23 09:41:44 2024 GMT

# yet curl right after that fails
curl -i https://recruitopen.com
curl: (56) OpenSSL SSL_read: error:0A000126:SSL routines::unexpected eof while reading, errno 0

3 Likes

This https://check-your-website.server-daten.de/?q=recruitopen.com shows "old / weak connection"

1 Like

How to rectify it?

I don't know. Your problems don't look related to Let's Encrypt certs

Sounds like your problems started before you got your fresh certs today. Look at all the recent changes to your system. Consult with your hosting company. Or, consult a server or networking specialist.

5 Likes

I am guessing DIGITALOCEAN-143-110-128-0 ARIN Whois/RDAP - American Registry for Internet Numbers

1 Like

Yes, I got the fresh certificate assuming that the issue was with the SSL certificate, as the browser showed an insecure connection.

I suggest starting by contacting Digital Ocean

ICANN shows:

1 Like

Thank you, I will contact Digital Ocean.

3 Likes

Found this topic just now myself looking for apnigiftshop.com when I got cert errors on some of my stuff. I self-host everything with a certbot docker image to renew my certs. I got several cert error popups about mismatching hostnames on some of my stuff. I'm also getting the same issue for all my domains under the cert, also issued in December. I forced it to do a renew on the certs and it seems fine, but it's still weird. I wonder if certbot had an issue and gave everybody certs for that domain? Googling on it I see a bunch of SSL reports of random domains with that as the cert name.

Alternatively I guess it could be a DNS issue, I wonder if some root server somewhere started resolving hostnames to the wrong place. Sadly I didn't keep any of the error popup contents that had cert details, I'll see if I can dig them up.

Actually, I just figured out the issue I'm pretty sure. Both my domain and recruitopen.com are registered with Namecheap. My autorenew failed and my domain was close to expiration (today, actually), and it looks like Namecheap helpfully starts randomly redirecting nearly-expired domains to various sponsors and parking websites informing about the impending expiration. Once I renewed my domain all the weirdness went away and it's back to normal. I'd guess my manual renewing of my certs didn't actually do anything and was coincidental with the random redirection Namecheap does.

Of course, with any sort of sensible certificate validation turned on, things get very cranky when an https URL redirects to an unexpected location, and I'd guess apnigiftshop[.]com is one of the sponsors it redirected to. Not sure how I feel about that, I wonder if I can disable that redirection with Namecheap.

1 Like
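
The symptoms reported in this thread (a certificate that is valid but issued for another name, plus an HTTPS request redirected to HTTP on a different host) can be checked mechanically before renewing anything. The following is an added example, not code from any poster: it parses the openssl and curl output quoted above, the function names and the check time `NOW` are assumptions, and it compares against the subject CN only because that is what the quoted output shows (real clients match subjectAltName).

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlsplit

FMT = "%b %d %H:%M:%S %Y GMT"  # date format printed by openssl

def parse_cert(text):
    """Parse subject=/notBefore=/notAfter= lines as printed by openssl."""
    f = dict(l.split("=", 1) for l in text.strip().splitlines() if "=" in l)
    cn = re.search(r"CN\s*=\s*([^,/\s]+)", f.get("subject", ""))
    when = lambda k: datetime.strptime(f[k].strip(), FMT).replace(tzinfo=timezone.utc)
    return (cn.group(1) if cn else None), when("notBefore"), when("notAfter")

def name_matches(pattern, host):
    """Exact match, or a leftmost '*' label covering exactly one label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(a == b or (i == 0 and a == "*")
                                    for i, (a, b) in enumerate(zip(p, h)))

def check_redirect(url, header_text):
    """Flag a scheme downgrade or host change in a `curl -I` response."""
    lines = header_text.strip().splitlines()
    status = int(lines[0].split()[1])
    hdrs = {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines[1:] if ":" in l)}
    out, loc = [], hdrs.get("location")
    if 300 <= status < 400 and loc:
        src, dst = urlsplit(url), urlsplit(loc)
        if src.scheme == "https" and dst.scheme == "http":
            out.append("https-to-http downgrade")
        if dst.hostname and dst.hostname != src.hostname:
            out.append("redirect to other host: " + dst.hostname)
    return out

def triage(host, cert_text, header_text, now):
    """Return findings for one host from its served cert and response headers."""
    cn, nb, na = parse_cert(cert_text)
    out = [] if cn and name_matches(cn, host) else ["name mismatch: served CN=%s" % cn]
    if not nb <= now <= na:
        out.append("certificate outside validity window")
    return out + check_redirect("https://" + host, header_text)

# Inputs copied from the openssl/curl output quoted in two posts of this thread.
CERT = """subject=CN = apnigiftshop.com
notBefore=Dec 19 09:05:48 2023 GMT
notAfter=Mar 18 09:05:47 2024 GMT"""
HEADERS = "HTTP/1.1 302 Found\ncontent-length: 0\nlocation: http://ww12.recruitopen.com/\n"
NOW = datetime(2024, 1, 24, 12, 0, tzinfo=timezone.utc)  # constructed check time
print("\n".join(triage("recruitopen.com", CERT, HEADERS, NOW)))
```

A name mismatch with no validity finding means the certificate is fine for its own site and the connection is reaching a different server, which a renewal cannot fix.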

I think this should be the issue, my domain is about to expire or probably has expired and it's from Namecheap too. Got that apnigiftshop message and certbot notification.

@Scoth42, @smyja

Be warned:

VirusTotal - URL

That site might be malicious.

2 Likes