Problem with ssl connection is not private

My domain is: proiectecaselacheie.ro

Since my hosting provider (2 days ago) installed SSL from Let’s Encrypt, I am getting an error with the SSL:

Your connection is not private
Attackers might be trying to steal your information from proiectecaselacheie.ro (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID

But this error is not always showing. Just after a few page refreshes.

The website is on Prestashop 1.6x

Does anyone know why?

Thanks.

For some reason, in addition to serving the Let’s Encrypt cert and its intermediate, your site is also serving a self-signed certificate. It’s no doubt this that’s causing the problem.
https://www.ssllabs.com/ssltest/analyze.html?d=proiectecaselacheie.ro

I’ve removed the self-signed certificate. But it is still the same after a few refreshes, and with a cleared cache I am still getting “Connection is not secure”.

But now I’m getting the error: SEC_ERROR_UNKNOWN_ISSUER

Hi,

Based on having seen this kind of issue with cPanel before, here is my theory.

The web host has two instances of the httpd process group running:

  • One group is using the former Apache configuration, which had the self-signed certificate
  • One group is using a newer Apache configuration that has your Let’s Encrypt certificate

When the newer configuration was loaded, the first httpd process group was not properly reloaded.

This is why if you connect to your site 100 times, you will randomly see the self-signed certificate, and randomly see the Let’s Encrypt certificate. You will NOT see both certificates in one connection/TLS session. This can be proven by doing a packet capture across 2 TLS sessions - I have attached one of each.

tshark-2.txt (76.3 KB)
tshark-1.txt (88.3 KB)

The way that Qualys displays the result (2 distinct certificates) is probably a result of the non-deterministic certificates across many connection attempts.

Your host needs to fully kill all httpd process groups and ensure that Apache starts up correctly, or get in contact with cPanel.

Edit: it looks like your host is using some third-party nginx integration with cPanel. The explanation remains the same, but they will need to solve it according to their own setup.
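The repeated-connection check described in the reply above can be scripted. This is an added example, not part of the original thread: it opens a fresh TLS session per attempt and tallies the SHA-256 fingerprint of each leaf certificate served. The function names and the `fetch` parameter are assumptions made for this sketch.

```python
import hashlib
import socket
import ssl
import sys
from collections import Counter


def fetch_leaf_der(host, port=443, timeout=5.0):
    """Open one fresh TLS session and return the leaf certificate as DER bytes.

    Verification is disabled on purpose: the goal is to record whatever
    certificate each backend presents, including a self-signed one.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def tally_certificates(host, attempts=20, fetch=fetch_leaf_der):
    """Connect `attempts` times and count how often each leaf cert is served."""
    seen = Counter()
    for _ in range(attempts):
        try:
            der = fetch(host)
        except OSError as exc:          # ssl.SSLError and timeouts are OSErrors
            seen["error: " + type(exc).__name__] += 1
            continue
        seen[hashlib.sha256(der).hexdigest()] += 1
    return seen


def is_consistent(seen):
    """True when every successful connection returned the same certificate."""
    fingerprints = [key for key in seen if not key.startswith("error: ")]
    return len(fingerprints) <= 1


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: python cert_tally.py HOSTNAME [ATTEMPTS]")
    else:
        attempts = int(sys.argv[2]) if len(sys.argv) > 2 else 20
        counts = tally_certificates(sys.argv[1], attempts)
        for key, n in counts.most_common():
            print(f"{n:3d}  {key}")
        print("consistent" if is_consistent(counts)
              else "MIXED: more than one certificate is being served")
```

A single fingerprint across all attempts means every worker is serving the same certificate; two or more fingerprints match the stale-process-group behaviour described above.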
