I am facing the following issue: I manage a WordPress website (https://mhm.nl), with an installed SSL certificate. I recently changed the website domain from https://mhm-og.nl to https://mhm.nl, since then the website cannot be accessed from Safari or Internet Explorer anymore, whereas it works perfectly in Chrome (and apparently also in Firefox). The error Safari gives is: "can't establish a secure connection".
I checked several tools like why no padlock, test SSL etc., but everything seems to be configured properly. I also cleared all the caches a hundred times, but this doesn't solve the issue.
Web server: Apache/2
The operating system my web server runs on is (include version): Linux 3.10.0-962.3.2.lve1.5.28.el7.x86_64 x86_64
My hosting provider, if applicable, is: Transip
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: No
The version of my client: N/A (I think, because HTTPS is built in)
Does anyone have an idea what this issue could be? If you need any more information, please let me know!
Hi @hansvmourik, Welcome to the forum.
Seems you have already created a redirect from https://mhm-og.nl to https://mhm.nl so I can't reproduce your issue at this time.
Also I notice your servers are separated with different IPs.
Same server, 2 IPs?
Different Servers/locations/configurations?
I ran this command:
It produced this output:
My web server(s) are (include versions):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
I will try to answer your questions as well as I can.
Web server: Apache/2
The operating system my web server runs on is (include version): Linux 3.10.0-962.3.2.lve1.5.28.el7.x86_64 x86_64
My hosting provider, if applicable, is: Transip
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: No
The version of my client: N/A (I think, because HTTPS is built in)
I recently changed the website domain from https://mhm-og.nl to https://mhm.nl, since then the website cannot be accessed from Safari or Internet Explorer....
I don't have a clue how to help you debug your issue as long as your redirect is in place.
Someone else here might be able to assist... but I don't fly blindfolded.
link | apple-touch-icon | https://nlmhmo-chosongni.savviihq.com/wp-content/uploads/2018/03/mhm_logo.jpg | -1 | NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com' | 1 | NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com'
Chrome doesn't use that. Safari may fail.
Same:
link | shortcut icon | https://nlmhmo-chosongni.savviihq.com/wp-content/uploads/2018/03/mhm_logo.jpg | -1 | NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com' | 1 | NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com'
Maybe IE checks that.
So change / remove these entries, then check, if the error comes again.
I unfortunately didn't create the restricted configuration, someone else (don't know who) did. Could you (or someone else) maybe point me in the right direction? Thanks a lot!
Thanks a lot, that makes sense. I think I am getting there, I just need some help with the final step: where do I add these cipher suites? I tried to add it to the .htaccess file, but that leads to an 'internal server error'.
Thanks a lot for your reply! I indeed find some files containing Cipher Suites. The most promising one (I believe) has the name '/etc//apache2/original/extra/httpd-ssl.conf'.
I found the following lines:
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate,
# and that httpd will negotiate as the client of a proxied server.
# See the OpenSSL documentation for a complete list of ciphers, and
# ensure these follow appropriate best practices for this deployment.
# httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
# while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
However, I apparently don't have the permission to change them, as I receive the following message: 'Failed to save 'httpd-ssl.conf': Insufficient permissions. Select 'Retry as Sudo' to retry as superuser.'
Is there another way to change these settings, for example using the specific .htaccess file?
You're getting a permission denied error because you need to be root to edit that particular file. That's accomplished by using the 'sudo' string in the command line.
Also your .htaccess file is not the place for cipher information and it will likely break your Apache configuration.
But first let's run a few commands to get a good idea of the status of your configuration, and the tools you have to use.
Earlier you stated that you don't think you have an ACME client, but since you have a Let's Encrypt certificate we need to verify that.
Can you please show the output from these commands:
sudo whereis certbot
sudo apache2ctl configtest
sudo apache2ctl -S
(You might not need the sudo string for these commands but it won't hurt to use it.)
What other files show when running the command: grep -Ri SSLProtocol /etc/
besides the one you posted? There should be results in /etc/letsencrypt/....
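
A comment-aware variant of the `grep -Ri SSLProtocol /etc/` search above, as an added example that is not part of the original thread. The function names and the sample tree are constructed for illustration, and the tagging assumes that a path containing `/original/` is httpd's unmodified reference copy, which the running server does not load.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): list live TLS directives under config dirs.
# Unlike a plain `grep -Ri SSLProtocol /etc/`, commented-out lines are skipped.

# Output per match: tag <TAB> file:line <TAB> directive
# Assumption: a path containing /original/ is a reference copy, not loaded config.
list_tls_directives() {
    grep -RIHniE '^[[:space:]]*SSL(Protocol|CipherSuite|ProxyCipherSuite)[[:space:]]' "$@" 2>/dev/null |
    sed -E 's/^([^:]*:[0-9]+:)[[:space:]]+/\1/' |
    while IFS=: read -r file line text; do
        # The last variable keeps the rest of the line, colons included,
        # so cipher strings such as HIGH:MEDIUM:!MD5 stay intact.
        case "$file" in
            */original/*) tag="reference-copy" ;;
            *)            tag="candidate" ;;
        esac
        printf '%s\t%s:%s\t%s\n' "$tag" "$file" "$line" "$text"
    done
}

# Constructed sample tree (hypothetical paths and values) for an offline run.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/apache2/original/extra" "$d/apache2/conf.d"
    cat > "$d/apache2/original/extra/httpd-ssl.conf" <<'EOF'
#   SSL Cipher Suite:
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
EOF
    cat > "$d/apache2/conf.d/ssl.conf" <<'EOF'
<VirtualHost *:443>
    # SSLProtocol all -SSLv3
    SSLProtocol all -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
EOF
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
list_tls_directives "$tree"
rm -rf "$tree"
```

On a real host, pass the Apache and Let's Encrypt configuration directories as arguments and compare the `candidate` lines with the files that `apache2ctl -S` reports for the virtual host.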