Safari users get "Connection is not Private" error

ontop · March 15, 2022, 5:50pm

Safari users sometimes get "Connection is not Private" error when accessing my site (which uses NGinX and Let's Entcrypt).

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: s4w.paylex.com

I ran this command:

It produced this output:

My web server is (include version): OpenSSL-based APP

The operating system my web server runs on is (include version): Windows Server 2012

My hosting provider, if applicable, is: AWS

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

9peppe · March 15, 2022, 5:54pm

You are sending the leaf certificate alone. You need to send the intermediate(s) as well. If you use certbot and your app supports it, send fullchain.pem. If you have to use cert.pem, then you have to use chain.pem as well.

https://www.ssllabs.com/ssltest/analyze.html?d=s4w.paylex.com&hideResults=on&latest

ontop · March 15, 2022, 8:03pm

I was able to improve the configuration, as per your suggestion, and am now getting a better result on ssllabs. Hopefully this will also resolve the issue with Safari browsers, Thank you so much.

MikeMcQ · March 15, 2022, 8:14pm

You should check again. I am seeing only a leaf sent by your server for s4w.paylex.com

There is still no cert chain sent.

If you show us results of this command we could describe what is wrong:

sudo nginx -T

9peppe · March 15, 2022, 8:14pm

your certificate chain is still incomplete. safari doesn't like that.

ontop · March 16, 2022, 12:32am

I have a test server hosting t4.paylex.com and t4w.paylex.com. This seems to be working properly.

The difference in the configurations involves the Alternative Name, which has both names in the case of t4.

Would like to create that same result, but not sure how to get WinAcme Windows to add both Alternative names to the cert.

ontop · March 16, 2022, 2:19am

We activated both sites simultaneously in IIS before launching LetsEncrypt (via WinAcme 2.1). This achieved the goal, both sites added to the Subject Alternative Name (SAN) List.

Thank you all!

system · April 15, 2022, 2:19am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Safari Error This connection is not Private Help	5	1899	September 22, 2020
iOS / Safari handshake failure Help	18	4735	November 27, 2020
Ssl certificate not working on multisite safari Help	2	550	June 11, 2022
Problem with safari browser since last cert. update! Help	5	1795	November 5, 2021
Let's Encrypt cert works in Chrome, pops warning in Safari Help	6	7210	June 13, 2018

Safari users get "Connection is not Private" error

Related topics