Safari users get "Connection is not Private" error

Safari users sometimes get a "Connection is not Private" error when accessing my site (which uses NGINX and Let's Encrypt).

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: s4w.paylex.com

I ran this command:

It produced this output:

My web server is (include version): OpenSSL-based APP

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

You are sending the leaf certificate alone. You need to send the intermediate(s) as well. If you use certbot and your app supports it, send fullchain.pem. If you have to use cert.pem, then you have to use chain.pem as well.

https://www.ssllabs.com/ssltest/analyze.html?d=s4w.paylex.com&hideResults=on&latest


I was able to improve the configuration, as per your suggestion, and am now getting a better result on ssllabs. Hopefully this will also resolve the issue with Safari browsers. Thank you so much.

You should check again. I am seeing only a leaf sent by your server for s4w.paylex.com.

There is still no cert chain sent.

If you show us the results of this command, we could describe what is wrong:

sudo nginx -T

Your certificate chain is still incomplete. Safari doesn't like that.


I have a test server hosting t4.paylex.com and t4w.paylex.com. This seems to be working properly.

The difference in the configurations involves the Alternative Name, which has both names in the case of t4.

I would like to create that same result, but am not sure how to get WinAcme on Windows to add both Alternative Names to the cert.

We activated both sites simultaneously in IIS before launching Let's Encrypt (via WinAcme 2.1). This achieved the goal: both sites were added to the Subject Alternative Name (SAN) list.

Thank you all!

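As an added example (not code from this thread, from Let's Encrypt, or from WinAcme), the following shell script builds a constructed root/intermediate/leaf PKI with the openssl CLI, shows why a server that sends cert.pem alone fails where fullchain.pem verifies, and lists the SANs of the issued leaf, which is the two-name result the t4/t4w posts describe. It assumes the `openssl` and `awk` command-line tools are available; example.invalid and the certificate subjects are placeholders constructed here.

```shell
# Added example, not from the thread: build a throw-away root -> intermediate -> leaf PKI
# with the openssl CLI, then verify the way a browser does (trust the root only, take
# intermediates only from what the server sends). All names, keys and certs are constructed.
set -e
WORK=$(mktemp -d)

# $1 = name, $2 = subject, $3 = extensions (\n-separated), $4 = issuer name or "self"
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" -subj "$2" \
    -out "$WORK/$1.csr" >/dev/null 2>&1
  printf '%b\n' "$3" > "$WORK/$1.ext"
  if [ "$4" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 1 \
      -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.crt" -CAkey "$WORK/$4.key" \
      -CAcreateserial -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" >/dev/null 2>&1
  fi
}

make_test_pki() {
  ca_ext='basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
  issue root  "/CN=Constructed Test Root" "$ca_ext" self
  issue inter "/CN=Constructed Test Intermediate" "$ca_ext" root
  issue leaf  "/CN=example.invalid" \
    'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.invalid,DNS:www.example.invalid' inter
  # The three files certbot writes under live/<name>/. nginx's ssl_certificate must point
  # at fullchain.pem; pointing it at cert.pem is the "leaf only" problem in this thread.
  cp "$WORK/leaf.crt"  "$WORK/cert.pem"
  cp "$WORK/inter.crt" "$WORK/chain.pem"
  cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# $1 = PEM bundle exactly as the server would send it. Prints "ok" when the leaf chains to
# the trusted root using only bundled intermediates, else "incomplete" (the Safari failure).
chain_status() {
  awk '/BEGIN CERTIFICATE/{n++} n==1' "$1" > "$WORK/leaf_only.pem"
  awk '/BEGIN CERTIFICATE/{n++} n>1'  "$1" > "$WORK/sent_intermediates.pem"
  if [ -s "$WORK/sent_intermediates.pem" ]; then set -- -untrusted "$WORK/sent_intermediates.pem"; else set --; fi
  if openssl verify -CAfile "$WORK/root.crt" "$@" "$WORK/leaf_only.pem" >/dev/null 2>&1
  then echo ok; else echo incomplete; fi
}

# SAN list of the first certificate in a bundle (the two-name t4 / t4w question).
leaf_sans() {
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; print; exit}'
}
```

Against a live server, `openssl s_client -connect host:443 -servername host -showcerts </dev/null` shows what is actually sent; a single BEGIN CERTIFICATE block in that output is the leaf-only condition reported in this thread.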
