SSL certificate is invalid on some computers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://baby1.kz/

I ran this command: open the site on different computers

It produced this output: SSL certificate is invalid. On my computer, it's ok, no problems, but this is an internet shop. So, some people don't trust it and we are having more actions. Can you check please, what is a problem with certificate?

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: https://hoster.kz/

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

2 Likes

I can't find anything wrong with the site, cert, chain, protocols, ciphers, IP stacks.
Can you show a screenshot of the message?

2 Likes

so its always asks if someone need another domain name. What can I do with it?

ср, 6 янв. 2021 г. в 11:19, Rudy Gomez via Let's Encrypt Community Support <letsencrypt@discoursemail.com>:

1 Like

Can you put that into text (so I can translate it):
[it is too blurry to read]
image

1 Like

Certificate looks fine to me.

You don't have an http to https redirect for these though...

http://baby1.kz
http://www.baby1.kz

My Google Translate from the screenshot translates to:

Do you need a babyk.kz domain? Inokde cybercriminals sezdeyut copy of sites. easily changing Pedroble's web address

It doesn't look like a TLS/security error? More like some kind of advertisement from the browser, perhaps a (malicious) plugin?

2 Likes

Вам нужен домен babyk.kz?
Иногда злоумышленники создают копии сайтов, слегка изменив веб-адрес
Подробнее
Да, продолжить

ср, 6 янв. 2021 г. в 12:21, Rudy Gomez via Let's Encrypt Community Support <letsencrypt@discoursemail.com>:

1 Like

Translates to:

What about this makes you think the certificate is invalid?

1 Like

Words about attackers. I just dont know where can be a problem. We are working with Opencart - nothing more

ср, 6 янв. 2021 г. в 15:26, danb35 via Let's Encrypt Community Support <letsencrypt@discoursemail.com>:

1 Like

I think it may be a plugin that is installed into your browser.
Try it on another browser or on another computer.

2 Likes

Or, if possible, start your browser in a "safe mode" where it doesn't load any plugin at all.

2 Likes

Hi @Alisa

that's a kz domain from Kazakhstan.

Are you sure it's not this problem?

Apple, Google, Microsoft, and Mozilla ban Kazakhstan's MitM HTTPS certificate

If some users have installed that MitM - certificate, the result is expected.

2 Likes

It looks like this is a message that can be displayed by the Russian version of Chrome (not a security add-on):

The English version of this file is at

I found that this is a Chrome feature called "Safety Tips" which was implemented last year. There are lots of (very technical) details about it available online.

I'm not sure whether this was triggered by the "edit distance of 1" rule (that means changing a single character in the domain name) or by the "skeleton similarity" rule (I don't know what that means and I think the Chrome developers made it up).

Anyway, this is NOT a problem with your site or certificate, nor is it related to the MITM interception certificate that the government of Kazakhstan has been testing. It is a problem about Chrome containing code that is inherently skeptical of this domain name, based on software rules that make Chrome think it's likely to be a fake site.

If that's wrong, it would need to be addressed by the Chrome developers... who have not necessarily come up with a way for web site administrators in Kazakhstan to easily offer them feedback about this kind of problem. Maybe we could help figure that out somehow even though it's not actually a Let's Encrypt issue.

3 Likes

Looking at this a little more closely, I think the Chrome warning is triggered when

  • a Chrome user has previously actively interacted with the other site (babyk.kz) to a certain extent (I think that's what "engaged domain" means, one that a user previously deliberately interacted with in the same browser), and
  • that same user then follows a link to the similarly-named site (baby1.kz).

I wasn't able to reproduce the exact behavior easily, but I can't really interact that much realistically with babyk.kz because I don't speak Kazakh, and I think there may be other conditions for the warning message to be displayed.

@Alisa I can see that your site is quite different from the other one in design and content and does not seem to be meant to trick visitors into thinking that they're using the other site. However, this warning is a behavior of the Chrome browser itself based on the similarity of the domain names of the two sites. I think Chrome is wrong to display this warning in this case, but Let's Encrypt has no power to affect that directly. If my interpretation is right, you will have to change your domain name (!), or get visitors to visit your site using a different browser (!), or contact the Chrome developers to get them to change the rules for when this warning is shown (!). I can try to help you with the last option if you want to do it, but I can't guarantee that the developers will care about this problem, or that they'll fix it very quickly if they do care.

4 Likes

I didn't expect this help! Thank you very very very much!
I will try to solve the problem because I really couldn't understand why it can be so, but now I see.

чт, 7 янв. 2021 г. в 09:39, Seth Schoen via Let's Encrypt Community Support <letsencrypt@discoursemail.com>:

1 Like