Observatory says that the site uses an untrusted certificate

My domain is: https://www.todaysordersystem.com

I run my page through netlify. On my computer the page loads successfully in any browser, but on our university computers Firefox shows an error: insecure connection. On the Mozilla Observatory I get the same error. I've checked the SSL and my complete project but can't find the error.

But on the explainer I can't see any error.

For me, it's not explainable.

Can someone help me?

1 Like

The observatory doesn't analyze every (or maybe it does) certificate. If you send out a self-signed or otherwise invalid (different names?) certificate, it will complain.

And "certificate #2" is exactly that: SSL Server Test: www.todaysordersystem.com (Powered by Qualys SSL Labs)

3 Likes

I also see similar results with The Mozilla Observatory

And here are my SSL Labs SSL Server Test
https://www.ssllabs.com/ssltest/analyze.html?d=hp-67.com

2 Likes

Thanks for your fast help.
I redirect my page from 'strato' to netlify by DNS, is it related to that? I have no idea why the website sends two certificates.

2 Likes

When you use a SaaS service to host a website on your domain it's very common to have a certificate for your domain and a certificate for the hoster's domain.

4 Likes

Well, I use the firebase database. Do you think this is the reason? Is there any way to solve the problem?

No. It's because you host the website on netlify.

And it's not a problem, it's fine.

4 Likes

Ok, thanks! But there is no way to bypass the message from Observatory? Because the computers of my university do not load the pages because of the error.

2 Likes

Mozilla TLS Observatory Certificate Explainer shows this certsplainer: x509 certificate viewer for your site.

1 Like

It doesn't really say WHY the site would use an untrusted or invalid cert.. I really hate applications or sites without verbosity.. With just this info, the Observatory is USELESS.

6 Likes

Thanks for your answer, but any other page says that my page is safe.

2 Likes

Because it is. SSLLabs does mention a certificate issue when no SNI is used (the netlify cert), but web browsers and other clients nowadays all use SNI, so your site is fine.

4 Likes

What actual error are they complaining about?

3 Likes

I don't fully understand, but it might be due to the fact the certificate is ECDSA. Seems to me it's a bug in the observatory, as mentioned here: Let's encrypt ECDSA certificate always gives untrusted or invalid certificate error. · Issue #263 · mozilla/http-observatory-website · GitHub

5 Likes

This, I don't get: you have a single P-384 certificate with the right domain name.

4 Likes

The only thing I get from a verbose result is:

        {
            "id": 127462215,
            "analyzer": "symantecDistrust",
            "result": {
                "reasons": [
                    "path uses a root not trusted by Mozilla: C=US, O=Internet Security Research Group, CN=ISRG Root X1 (id=188459944)"
                ],
                "isDistrusted": false
            },
            "success": true
        },

However, I don't understand why the message says it's not good, while the isDistrusted result is false, which IS good, right?

What a stupid TLS checker...

Edit: It might be due to the fact the Observatory chokes on the expired DST Root X3 root certificate by the way... Which is also stupid, as most clients can handle this perfectly.. Why not the TLS Observatory? That's just sad..

Made a comment on their Github page on a previously issued issue: Let's encrypt ECDSA certificate always gives untrusted or invalid certificate error. · Issue #263 · mozilla/http-observatory-website · GitHub

4 Likes

So, this is really frustrating, but okay. Then I will wait, hoping they will fix the error. I have no idea what my university does with their PCs, because it works fine on my friends' PCs. Thanks for your help!

2 Likes

I would suggest to just ignore the error. Mozilla might sound trustworthy, but it seems they are letting everybody down in this case. If you look at the SSLLabs result with an "A+", you're good to go.

TL;DR: ignore Mozilla, trust SSLLabs :stuck_out_tongue: (And I don't even own SSLLabs stocks! :rofl:)

5 Likes

@louism.1998 what type of Certificate(s) does your friend use?
As your cert is Certificate #1: EC 256 bits (SHA256withRSA)
and my cert is Certificate #1: EC 384 bits (SHA384withECDSA)
your friend might not be using an EC certificate.

2 Likes