SSL certificate doesn't work in some browsers

I am facing the following issue: I manage a WordPress website (https://mhm.nl), with an installed SSL certificate. I recently changed the website domain from https://mhm-og.nl to https://mhm.nl; since then the website cannot be accessed from Safari or Internet Explorer anymore, whereas it works perfectly in Chrome (and apparently also in Firefox). The error Safari gives is: "can't establish a secure connection".

I checked several tools like Why No Padlock, SSL Test etc., but everything seems to be configured properly. I also cleared all the caches a hundred times, but this doesn't solve the issue.

Web server: Apache/2
The operating system my web server runs on is (include version): Linux 3.10.0-962.3.2.lve1.5.28.el7.x86_64 x86_64
My hosting provider, if applicable, is: Transip
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: No
The version of my client: N/A (I think, because HTTPS is built in)

Does anyone have an idea what this issue could be? If you need any more information, please let me know!

Cheers!

1 Like

Hi @hansvmourik, Welcome to the forum.
Seems you have already created a redirect from https://mhm-og.nl to https://mhm.nl so I can't reproduce your issue at this time.
Also I notice your servers are separate, with different IPs.
Same Server 2 IPS?
Different Servers/locations/configurations?

I ran this command:

It produced this output:

My web server(s) are (include versions):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

1 Like

Thanks a lot for your answer!

I will try to answer your questions as well as I can.

Web server: Apache/2
The operating system my web server runs on is (include version): Linux 3.10.0-962.3.2.lve1.5.28.el7.x86_64 x86_64
My hosting provider, if applicable, is: Transip
I can login to a root shell on my machine: Yes
I’m using a control panel to manage my site: No
The version of my client: N/A (I think, because HTTPS is built in)

Let me know if this helps!!

2 Likes

Thanks for the additional information. However,

I recently changed the website domain from https://mhm-og.nl to https://mhm.nl , since then the website cannot be accessed from Safari or Internet Explorer....

I don't have a clue how to help you debug your issue as long as your redirect is in place.
Someone else here might be able to assist... but I don't fly blindfolded.

2 Likes

Hi @hansvmourik

Checked your old domain - https://check-your-website.server-daten.de/?q=mhm-og.nl

Checked your new domain some hours earlier, there was a Grade I - https://check-your-website.server-daten.de/?q=mhm.nl - now the same with your old.

But:

  • The redirects are correct
  • all certificates are correct

Maybe the problem:

Your Grade I (see the Html-Content - part):

link
	apple-touch-icon
	https://nlmhmo-chosongni.savviihq.com/wp-content/uploads/2018/03/mhm_logo.jpg
	-1
	NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com'
	1
	NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com'

Chrome doesn't use that. Safari may fail.

Same:

link
	shortcut icon
	https://nlmhmo-chosongni.savviihq.com/wp-content/uploads/2018/03/mhm_logo.jpg
	-1
	NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com'
	1
	NameResolutionFailure - The remote name could not be resolved: 'nlmhmo-chosongni.savviihq.com'

Maybe IE checks that.

So change / remove these entries, then check if the error comes again.

If yes, share a screenshot.

3 Likes

Thanks a lot for your answer!

I removed all the links pointing to 'nlmhmo-chosongni.savviihq.com' which made the error disappear in the tool you mention.

However, (unfortunately) the error comes again.

Do you mean a screenshot of the error? If yes see below, if you mean another screenshot, please let me know.

Translated from Dutch: Safari cannot open the page because no secured connection can be established.

Hope to hear from you!

I don't use Safari. Isn't there a more detailed error? Is it not possible to click "advanced"?

Or something like the Chrome or Firefox console with more information?

Chrome / FF: Ctrl + Shift + I.

The only thing the console returns is the following (see the bottom of the image):

If that doesn't show details, only (last and speculative) idea:

You have something like a hosts file, so that the client uses the wrong IP address.

But I don't know if iOS supports such a hosts file.

Oh, what's that. Now it looks simple - see https://www.ssllabs.com/ssltest/analyze.html?d=www.mhm.nl

You have only TLS 1.2 allowed.

And you use very restricted Cipher Suites.

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp256r1 (eq. 3072 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp256r1 (eq. 3072 bits RSA) FS 256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 4096 bits FS 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 4096 bits FS 128

Older clients don't support GCM ciphers.

Allow some CBC.

Without CBC the result is expected.
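The cipher-suite point made above, as an added example that is not code from the thread or from SSL Labs: a small Python classifier that parses IANA cipher-suite names (the form SSL Labs prints them in) and reports whether an enabled list is AEAD-only, which is exactly what locks out clients that cannot negotiate GCM or ChaCha20. The four names in it are the suites from the report quoted above (the first one's missing leading "T" restored); the list with CBC suites added is constructed to show what "allow some CBC" looks like while keeping forward secrecy.

```python
"""Classify TLS cipher suites by their IANA names and say whether an enabled
list leaves any room for clients that cannot negotiate AEAD (GCM/ChaCha20).

Added example, not from the thread. The four suite names are the ones the
SSL Labs report quoted above lists (first name's missing "T" restored); the
CBC-fallback list is constructed."""
import re
from dataclasses import dataclass

# Pre-1.3 names: TLS_<key exchange>[_<auth>]_WITH_<cipher>_<hash>
_SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE_PSK|DHE_PSK|RSA_PSK|ECDHE|DHE|ECDH|DH|PSK|RSA)"
    r"(?:_(?P<auth>RSA|ECDSA|DSS|anon))?_WITH_(?P<rest>.+)$"
)
# TLS 1.3 names carry no key-exchange part: the exchange is always ephemeral.
_TLS13_RE = re.compile(r"^TLS_(?:AES_\d{3}_(?:GCM|CCM(?:_8)?)|CHACHA20_POLY1305)_SHA\d{3}$")
_FS_KX = {"ECDHE", "DHE", "ECDHE_PSK", "DHE_PSK"}
_WEAK_TOKENS = ("RC4", "NULL", "DES", "EXPORT", "MD5", "anon")  # "DES" also catches 3DES


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str
    mode: str             # "AEAD", "CBC" or "other"
    forward_secrecy: bool
    weak: bool


def classify(name):
    """Parse one IANA suite name into the properties a reviewer cares about."""
    if _TLS13_RE.match(name):
        return SuiteInfo(name, "(EC)DHE", "AEAD", True, False)
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"not an IANA cipher-suite name: {name}")
    kx, rest = m.group("kx"), m.group("rest")
    if any(t in rest for t in ("GCM", "CCM", "CHACHA20_POLY1305")):
        mode = "AEAD"
    elif "CBC" in rest:
        mode = "CBC"
    else:
        mode = "other"
    return SuiteInfo(name, kx, mode, kx in _FS_KX, any(t in name for t in _WEAK_TOKENS))


def analyse(suites):
    """Summarise an enabled-suite list the way one reads an SSL Labs report."""
    infos = [classify(s) for s in suites]
    return {
        "suites": infos,
        "aead_only": all(i.mode == "AEAD" for i in infos),
        # a non-weak CBC suite is what lets a pre-AEAD client still negotiate
        "has_cbc_fallback": any(i.mode == "CBC" and not i.weak for i in infos),
        "all_forward_secrecy": all(i.forward_secrecy for i in infos),
        "weak": [i.name for i in infos if i.weak],
    }


# The suites the SSL Labs report in the thread lists as the only enabled ones.
THREAD_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Constructed: the same list plus forward-secret CBC suites, i.e. "allow some CBC"
# without giving up forward secrecy.
WITH_CBC_FALLBACK = THREAD_SUITES + [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]


def report(suites):
    """Human-readable verdict for a suite list."""
    r = analyse(suites)
    lines = [f"{i.name:42} {i.key_exchange:9} {i.mode:5} FS={i.forward_secrecy!s:5} weak={i.weak}"
             for i in r["suites"]]
    if r["aead_only"]:
        lines.append("AEAD-only: clients without GCM/ChaCha20 support fail the handshake.")
    elif r["has_cbc_fallback"]:
        lines.append("CBC fallback present: pre-AEAD clients can still connect.")
    if not r["all_forward_secrecy"]:
        lines.append("Some suites lack forward secrecy.")
    if r["weak"]:
        lines.append("Weak suites enabled: " + ", ".join(r["weak"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(THREAD_SUITES), "\n", sep="")
    print(report(WITH_CBC_FALLBACK))
```

Run it as a script to see the two verdicts side by side: the thread's list is flagged AEAD-only, the constructed one shows a CBC fallback while every suite still has forward secrecy, so widening the list need not weaken the profile beyond what the old clients actually need.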

Thanks for your reply!

Could you tell me what / how I can change these?

You have created that restricted configuration.

So you know how to change it.

I unfortunately didn't create the restricted configuration, someone else (don't know who) did. Could you (or someone else) maybe point me in the right direction? Thanks a lot!

@hansvmourik


Take a look at Mozilla's SSL configuration generator and pay special attention to your environment and versions of things.
Good place to start.

Thanks a lot, that makes sense. I think I am getting there, I just need some help with the final step: where do I add these cipher suites? I tried to add it to the .htaccess file, but that leads to an 'internal server error'.

I hope someone can help me out here!

Hi @hansvmourik!

You can locate the file containing the Cipher Suites with:

grep -Ri SSLCipherSuite /etc/

and the protocols config with:

grep -Ri SSLProtocol /etc/

Odds are you'll find that more than one file contains the config data.
Let us know if you need help sorting it all out.

Hi Rip,

Thanks a lot for your reply! I indeed found some files containing Cipher Suites. The most promising one (I believe) has the name '/etc//apache2/original/extra/httpd-ssl.conf'.

I found the following lines:

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate,
#   and that httpd will negotiate as the client of a proxied server.
#   See the OpenSSL documentation for a complete list of ciphers, and
#   ensure these follow appropriate best practices for this deployment.
#   httpd 2.2.30, 2.4.13 and later force-disable aNULL, eNULL and EXP ciphers,
#   while OpenSSL disabled these by default in 0.9.8zf/1.0.0r/1.0.1m/1.0.2a.
SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4

However, I apparently don't have the permission to change them, as I receive the following message: 'Failed to save 'httpd-ssl.conf': Insufficient permissions. Select 'Retry as Sudo' to retry as superuser.'

Is there another way to change these settings, for example using the specific .htaccess file?

Hope to hear from you soon!

Hello @hansvmourik

You're getting a permission denied error because you need to be root to edit that particular file. That's accomplished by using the 'sudo' string in the command line.

Also your .htaccess file is not the place for cipher information and it will likely break your Apache configuration.

But first let's run a few commands to get a good idea of the status of your configuration, and the tools you have to use.

Earlier you stated that you don't think you have an ACME client, but since you have a Let's Encrypt certificate we need to verify that.

Can you please show the output from these commands:

sudo whereis certbot

sudo apache2ctl configtest

sudo apache2ctl -S

(You might not need the sudo string for these commands but it won't hurt to use it.)

ALSO!

What other files show when running the command:
grep -Ri SSLProtocol /etc/
besides the one you posted? There should be results in /etc/letsencrypt/....
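The locate-and-inspect step described above (the two grep commands, and the request for whatever shows up under /etc/letsencrypt), as an added example that is not part of the thread nor code from Apache or Certbot: a Python script that walks a directory tree for SSLProtocol and SSLCipherSuite directives and works out which protocol versions each SSLProtocol line actually permits, following mod_ssl's grammar (bare names select, "+" and "-" add or remove, "all" is the whole set). The config tree it scans is constructed in a temporary directory; the file names under it, including a Certbot-style options-ssl-apache.conf, are illustrative, and the set that "all" expands to is assumed to be that of a modern OpenSSL build with TLS 1.3.

```python
"""Locate SSLProtocol / SSLCipherSuite directives in an Apache config tree and
resolve which protocol versions each SSLProtocol line allows.

Added example; the config tree below is constructed for the demo."""
import os
import re
import tempfile

# One directive per line; commented-out lines (leading '#') are skipped, which
# the thread's `grep -Ri` would not do.
DIRECTIVE_RE = re.compile(r"^\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", re.IGNORECASE)

# Versions mod_ssl knows. What "all" expands to depends on the OpenSSL build;
# a modern build with TLS 1.3 is assumed here.
ALL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")


def _canonical(name):
    for proto in ALL_PROTOCOLS:
        if proto.lower() == name.lower():
            return proto
    raise ValueError(f"unknown SSLProtocol token: {name}")


def allowed_protocols(value):
    """Apply mod_ssl's SSLProtocol grammar to the directive's argument string."""
    allowed = set()
    for tok in value.split():
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        names = set(ALL_PROTOCOLS) if name.lower() == "all" else {_canonical(name)}
        if sign == "-":
            allowed -= names
        else:
            allowed |= names
    return sorted(allowed, key=ALL_PROTOCOLS.index)


def find_directives(root):
    """Return (path, line_no, directive, value) for every match under root."""
    hits = []
    for dirpath, _dirs, files in sorted(os.walk(root)):
        for fname in sorted(files):
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for line_no, line in enumerate(fh, 1):
                        m = DIRECTIVE_RE.match(line)
                        if m:
                            hits.append((path, line_no, m.group(1), m.group(2)))
            except OSError:  # unreadable file: skip it, as grep reports and moves on
                continue
    return hits


def audit(root):
    """Collect every directive and, for each SSLProtocol line, the versions it permits."""
    result = {"directives": [], "protocols": {}}
    for path, line_no, directive, value in find_directives(root):
        rel = os.path.relpath(path, root)
        result["directives"].append((rel, line_no, directive, value))
        if directive.lower() == "sslprotocol":
            result["protocols"][rel] = allowed_protocols(value)
    return result


def build_sample_tree(root):
    """Constructed config tree (illustrative paths and contents, not a real server's)."""
    samples = {
        "apache2/original/extra/httpd-ssl.conf":
            "#   SSL Cipher Suite:\n"
            "SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4\n"
            "SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4\n",
        # Certbot-style include; a TLS-1.2-only, GCM-only profile like the scan reported
        "letsencrypt/options-ssl-apache.conf":
            "SSLProtocol -all +TLSv1.2\n"
            "SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384\n",
        "apache2/sites-enabled/example.conf":
            "<VirtualHost *:443>\n"
            "    Include /etc/letsencrypt/options-ssl-apache.conf\n"
            "</VirtualHost>\n",
    }
    for rel, text in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(text)


def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return audit(root)


if __name__ == "__main__":
    out = demo()
    for rel, line_no, directive, value in out["directives"]:
        print(f"{rel}:{line_no}: {directive} {value}")
    for rel, versions in out["protocols"].items():
        print(f"{rel} allows: {', '.join(versions)}")
```

Point `audit()` at a real tree (for example `/etc`, run as root) to get the same listing the grep commands give, plus the resolved protocol set per file; when more than one file carries a directive, the virtual host's included file is the one a client actually negotiates against, which is why the thread asks for the /etc/letsencrypt results and not only the httpd-ssl.conf one.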

In the case of Safari, this would be Safari 8 or older, which is ancient.

@hansvmourik Could you please give us the version of the Safari and the OS it's running on where you get the error?

1 Like