Some browsers get "Not secure" message

billc108 · May 17, 2018, 4:32am

My domain is: Example domain: https://zookeeperspetsitting.com/

I ran this command: (successful certificate command)

It produced this output:

My web server is (include version): Apache 2.2.34_0

The operating system my web server runs on is (include version): Mac OS 10.13

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Problem: some browsers get “Site Not Secure” and similar messages, which tends to get visitors concerned about the safety of the site (and thus go elsewhere) and owners upset about potential lost business.

I suspect that this either has something to do with the configuration of the server, or possibly the age of the browser. All my older browsers choke. The current TOR browser chokes. Newer browsers on recent OS versions tend to serve OK.

Example message from TOR: https://zookeeperspetsitting.com/wp-content/uploads/2018/05/TOR-NotSecure.png

Any ideas on what might be missing or what I can do to have all or most all visitors accept the Cert without having to click on scary warning messages?

Thanks.

mnordhoff · May 17, 2018, 4:44am

What ACME client was used? What are the current Apache SSL settings?

The web server needs to serve the certificate and intermediate.

For example, if you were using Certbot, you would have to change:

SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/privkey.pem

to:

SSLCertificateFile /path/to/cert.pem
SSLCertificateChainFile /path/to/chain.pem
SSLCertificateKeyFile /path/to/privkey.pem

But your files might have different names.

stevenzhu · May 17, 2018, 5:43am

Hi,

This because your website was having mixed contents, as well as chain error.
Your site also requesting a client certificate…

I’m not sure if you really want to set it up like this…

Thank you

rg305 · May 17, 2018, 5:43am

Why No Padlock agrees: https://www.whynopadlock.com/results/4f8abf29-71c1-4d3f-aa7c-e711d588d6b9

[EDIT]
The site also needs:
SSLHonorCipherOrder On
And a better
SSLCipherSuite

see: https://www.ssllabs.com/ssltest/analyze.html?d=zookeeperspetsitting.com

billc108 · June 7, 2018, 3:14am

Thanks for the responses. Sorry, I thought I had thanked you earlier. Some of them are working better already.

I’m not worried about the mixed content - that’ll be taken care of once I get the other problems fixed and can safely force SSL on everything.

@rg305, you say I need a better SSLCipherSuite. Can someone point me to documentation on how to determine what is an appropriate SSLCipherSuite? What is “better”?

Thanks!

danb35 · June 7, 2018, 8:25am

https://mozilla.github.io/server-side-tls/ssl-config-generator/

billc108 · June 12, 2018, 1:50am

Cool! Thanks a lot! That one's getting bookmarked for sure!

system · July 12, 2018, 2:04am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.