Some browsers get "Not secure" message


#1

My domain is: Example domain: https://zookeeperspetsitting.com/

I ran this command: (successful certificate command)

It produced this output:

My web server is (include version): Apache 2.2.34_0

The operating system my web server runs on is (include version): Mac OS 10.13

My hosting provider, if applicable, is: Self

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Problem: some browsers get “Site Not Secure” and similar messages, which tends to get visitors concerned about the safety of the site (and thus go elsewhere) and owners upset about potential lost business.

I suspect that this either has something to do with the configuration of the server, or possibly the age of the browser. All my older browsers choke. The current TOR browser chokes. Newer browsers on recent OS versions tend to serve OK.

Example message from TOR: https://zookeeperspetsitting.com/wp-content/uploads/2018/05/TOR-NotSecure.png

Any ideas on what might be missing or what I can do to have all or most all visitors accept the Cert without having to click on scary warning messages?

Thanks.


#2

What ACME client was used? What are the current Apache SSL settings?

The web server needs to serve the certificate and intermediate.

For example, if you were using Certbot, you would have to change:

SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/privkey.pem

to:

SSLCertificateFile /path/to/cert.pem
SSLCertificateChainFile /path/to/chain.pem
SSLCertificateKeyFile /path/to/privkey.pem

But your files might have different names.


#3

Hi,

This is because your website has mixed content, as well as a chain error.
Your site is also requesting a client certificate…

I’m not sure if you really want to set it up like this…

Thank you


#4

Why No Padlock agrees: https://www.whynopadlock.com/results/4f8abf29-71c1-4d3f-aa7c-e711d588d6b9

[EDIT]
The site also needs:
SSLHonorCipherOrder On
And a better
SSLCipherSuite

see: https://www.ssllabs.com/ssltest/analyze.html?d=zookeeperspetsitting.com
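
A small linter for the Apache settings raised in posts #2 to #4 (chain file, client-certificate request, cipher order and suite), as an added example that is not part of the thread or any poster's code. The sample configs and cipher strings are constructed, the function names are hypothetical, and the chain check assumes Apache 2.2 as stated in post #1.

```python
import re

# Constructed sample vhost settings (not the site's real config): the "before" of
# post #2 plus the client-certificate and cipher problems raised in posts #3 and #4.
BEFORE = """
SSLCertificateFile /path/to/cert.pem
SSLCertificateKeyFile /path/to/privkey.pem
SSLVerifyClient optional
SSLCipherSuite RC4-SHA:DES-CBC3-SHA:AES128-SHA
"""
AFTER = """
SSLCertificateFile /path/to/cert.pem
SSLCertificateChainFile /path/to/chain.pem
SSLCertificateKeyFile /path/to/privkey.pem
SSLVerifyClient none
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!aNULL:!MD5:!RC4
"""
WEAK = ("RC4", "DES", "MD5", "EXP", "NULL", "LOW")  # markers of weak cipher tokens

def directives(conf):
    """Map each directive name (lower-cased) to its last argument string."""
    out = {}
    for line in conf.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith(("#", "<")):
            out[parts[0].lower()] = parts[1].strip('"') if len(parts) > 1 else ""
    return out

def weak_ciphers(suite):
    """Tokens that enable a weak cipher; '!' and '-' prefixes mean exclusion."""
    tokens = [t for t in re.split(r"[:, ]+", suite) if t]
    return [t for t in tokens
            if not t.startswith(("!", "-")) and any(w in t.upper() for w in WEAK)]

def lint(conf):
    d, issues = directives(conf), []
    # Assumes Apache 2.2: the intermediate comes from SSLCertificateChainFile (post #2).
    if "sslcertificatefile" in d and "sslcertificatechainfile" not in d:
        issues.append("no SSLCertificateChainFile: intermediate not served")
    if d.get("sslverifyclient", "none").lower() != "none":
        issues.append("SSLVerifyClient asks visitors for a client certificate")
    if d.get("sslhonorcipherorder", "off").lower() != "on":
        issues.append("SSLHonorCipherOrder is not On")
    weak = weak_ciphers(d.get("sslciphersuite", ""))
    if weak:
        issues.append("SSLCipherSuite enables weak ciphers: " + ", ".join(weak))
    return issues
```

Calling `lint(BEFORE)` returns one message per problem, and `lint(AFTER)` returns an empty list; on Apache 2.4.8 and later the chain check does not apply, because `SSLCertificateFile` may carry the full chain.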


#5

Thanks for the responses. Sorry, I thought I had thanked you earlier. Some of them are working better already.

I’m not worried about the mixed content - that’ll be taken care of once I get the other problems fixed and can safely force SSL on everything.

@rg305, you say I need a better SSLCipherSuite. Can someone point me to documentation on how to determine what is an appropriate SSLCipherSuite? What is “better”?

Thanks!


#6

https://mozilla.github.io/server-side-tls/ssl-config-generator/


#7

Cool! Thanks a lot! That one’s getting bookmarked for sure!

