Self signed SSL/TLS certificate

We are using Let’s Encrypt SSL, but Google Search sent us this notification.

Google has detected that the SSL/TLS certificate used on https://edupediapublications.org/ is self-signed, which means that it was issued by your server rather than by a Certificate Authority.

Please help us resolve this, and tell us when Let’s Encrypt will be a full-fledged SSL.

Hi @editorsnsharma,

This means that your site isn’t using the Let’s Encrypt-issued certificate. Let’s Encrypt certificates are already trusted by browsers and over 25,000,000 of them are in use today! It’s possible that you obtained a certificate successfully but that the certificate hasn’t yet been successfully configured for use on your web server.

(Edited): Can you tell us some information about how you obtained the certificate and tried to install it?

I looked at the site and it looks like you are successfully using the Let’s Encrypt certificate there, and I don’t see any problem with the configuration. You didn’t fix anything in the last few minutes, did you?

The SSL labs scan at https://www.ssllabs.com/ssltest/analyze.html?d=edupediapublications.org shows that you sent a different certificate for clients that connect without SNI support (which is true of older web browsers). That certificate is self-signed and is different from the Let’s Encrypt certificate that you correctly send when a modern SNI-capable client connects to edupediapublications.org. If you have a Unix command line you can see the difference with

```
openssl s_client -connect edupediapublications.org:443 -servername edupediapublications.org # ← OK

openssl s_client -connect edupediapublications.org:443 # ← returns self-signed cert
```

although the SSL Labs report already explains this correctly. I’m pretty sure that the second one is what Google is complaining about. Even though Google itself is capable of using SNI, they must regard the self-signed cert in the non-SNI case as invalid enough to warn about.

This is not necessarily an urgent problem to fix because both Google and most browsers will be able to connect with no error, but you could look at your configuration to figure out where and why the older self-signed certificate is still configured as the default certificate when no hostname is specified by the client.

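The SNI versus non-SNI comparison from the reply above, as an added Python example that is not part of the original thread. The names `probe` and `diagnose` are chosen for this example; the system CA bundle is assumed to be the trust store.

```python
import socket
import ssl

SELF_SIGNED = 18  # OpenSSL X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT


def probe(host, port=443, send_sni=True, timeout=10):
    """Handshake with certificate verification on; return (trusted, verify_code).

    With SNI the hostname is checked too. Without SNI only the chain is
    checked, which is what a self-signed default certificate fails.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = send_sni       # verify_mode stays CERT_REQUIRED
    name = host if send_sni else None   # None => no SNI extension is sent
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name):
                return (True, 0)
    except ssl.SSLCertVerificationError as err:
        return (False, err.verify_code)


def diagnose(with_sni, without_sni):
    """Classify a pair of probe() results."""
    if not with_sni[0]:
        return "broken: untrusted certificate even when SNI is sent"
    if without_sni[0]:
        return "ok: trusted certificate with and without SNI"
    if without_sni[1] == SELF_SIGNED:
        return "default-vhost: self-signed certificate served without SNI"
    return "default-vhost: untrusted certificate served without SNI"


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: sni_check.py HOSTNAME")
    target = sys.argv[1]
    print(diagnose(probe(target), probe(target, send_sni=False)))
```

A server that rejects handshakes lacking SNI outright raises a plain `ssl.SSLError`, which this sketch lets propagate rather than classify.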

Thanks for looking into the issue and resolving the query.

nice catch

:smiley:

@Osiris and I were discussing whether SNI is still a relevant issue in another post

seems like it is something that can still catch you out
