SSL problem with only the domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: concretise.ca

I ran this command: go to http://concretise.ca or http://www.concretise.ca

It produced this output: redirection to https:// but not secure, but all my subdomains are correct (je.concretise.ca - pixabay.concretise.ca - etc) with the same configuration. I tried forcing SSL in .htaccess. I tried on many devices and browsers... Some browsers and devices are OK, but when I use Chrome on desktop it doesn't work.... I also tried many online SSL checkers and they say my site is secured.... but why doesn't Chrome on desktop work with http://?

My web server is (include version): Server version: Apache/2.4.53 (Debian)

The operating system my web server runs on is (include version): Debian GNU/Linux 11 (bullseye)

My hosting provider, if applicable, is: -

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0

concretise.ca resolves to 168.235.68.182

Server Type: Apache/2.4.53 (Debian)

The certificate should be trusted by all major web browsers (all the correct intermediate certificates are installed).

The certificate was issued by Let's Encrypt.

The certificate will expire in 89 days.

The hostname (concretise.ca) is correctly listed in the certificate.
Common name: concretise.ca
SANs: concretise.ca, discord.concretise.ca, je.concretise.ca, mokatkreation.tk, pixabay.concretise.ca, webmail.concretise.ca, www.concretise.ca, www.intensy.org, www.mokatkreation.tk
Valid from June 3, 2022 to September 1, 2022
Serial Number: 04da7ba7a9660858b7cca13744955352ad94
Signature Algorithm: sha256WithRSAEncryption
Issuer: R3

Common name: R3

Organization: Let's Encrypt
Location: US
Valid from September 3, 2020 to September 15, 2025
Serial Number: 912b084acf0c18a753f6d62e25a75f5a
Signature Algorithm: sha256WithRSAEncryption
Issuer: ISRG Root X1

Common name: ISRG Root X1

Organization: Internet Security Research Group
Location: US
Valid from January 20, 2021 to September 30, 2024
Serial Number: 4001772137d4e942b8ee76aa3c640ab7
Signature Algorithm: sha256WithRSAEncryption
Issuer: DST Root CA X3

1 Like

Redirects: 1
301 http://www.concretise.ca/
redirect301 Redirect
200 https://www.concretise.ca/
Trace Complete

https://wheregoes.com/trace/20222964491/

It seems the client computer doesn't like the long LE chain.

Try removing the last cert in the fullchain.pem file and restarting Apache
OR
Ensure that the client system trusts the self-signed ISRG Root X1 cert.

4 Likes

I tried, but it changed nothing.... Furthermore, http://je.concretise.ca works with the same certificate and works fine

1 Like

That one uses the same cert, but it doesn't use the same chain.

3 Likes

I removed the bad block in my fullchain.pem

I tried to update the file with a certbot renew and certbot says that fullchain.pem cannot be empty... I tried to uninstall certbot and reinstall... and now...

An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1123)')))

arfffffffffff......... :frowning:

Please show the fullchain.pem file.

And welcome to the LE community forum :slight_smile:

4 Likes

Thank you :wink:

But I'm trying to understand at the same time... I managed to rewind and I'm now back at the beginning...

My fullchain.pem has 3 blocks of characters ---BEGIN --- -- END----

How do I know which one to remove?

chain.pem has 2 blocks

1 Like

You should remove the last block from fullchain.pem, which is ISRG Root X1 signed by DST Root CA X3. Keep in mind that fullchain.pem, cert.pem, and chain.pem are symlinks. It's the target file of the symlink for fullchain.pem that you want to modify.

fullchain.pem = cert.pem + chain.pem

5 Likes

Make sure to run sudo apachectl -k graceful once you've made the change.

5 Likes
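The steps from the replies above (find the last block, edit the symlink target, keep the leaf and R3) as a shell sketch. This is an added example, not code from the thread or from Certbot; the function names are hypothetical and the path you pass in is assumed to be Certbot's `fullchain.pem` symlink.

```shell
# Added example (not Certbot's or the thread's code). Function names are hypothetical.

# Number of PEM certificate blocks in a file (prints 0 for none).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Subject and issuer of each certificate, in file order. Needs openssl.
# In the long chain the last entry reads subject ISRG Root X1, issuer DST Root CA X3.
list_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Drop the last certificate block from the file that a fullchain.pem symlink
# points to. Keeps a .bak copy and never goes below leaf + one intermediate.
trim_last_cert() {
    tlc_target=$(readlink -f "$1") || return 1   # symlink -> real file
    [ -f "$tlc_target" ] || return 1
    tlc_total=$(count_certs "$tlc_target")
    if [ "$tlc_total" -lt 3 ]; then
        echo "refusing: $tlc_target holds only $tlc_total certificate(s)" >&2
        return 1
    fi
    cp -p "$tlc_target" "$tlc_target.bak" || return 1
    # Copy every line that comes before the final BEGIN marker.
    awk -v last="$tlc_total" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n < last { print }
    ' "$tlc_target.bak" > "$tlc_target"
}
```

Run `list_chain` on the file before and after trimming, then `sudo apachectl -k graceful` as the reply above says; the `.bak` copy restores the original chain.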

I removed the last block of chain.pem and fullchain.pem (same characters) and reloaded.... Qualys labs says that ISRG is still there...

Looks fine to me:

Did you refresh the SSL Server Test?

5 Likes

Done....

50% correct... I tried http:// and it was OK... another try... not OK...

1 Like

You tried twice in a row and got different results?

4 Likes

yes... I'm trying...

1 Like

Additional Certificates (if supplied)
Certificates provided 2 (2787 bytes)
Chain issues None
#2
Subject R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
Valid until Mon, 15 Sep 2025 16:00:00 UTC (expires in 3 years and 3 months)
Key RSA 2048 bits (e 65537)
Issuer ISRG Root X1
Signature algorithm SHA256withRSA

this is the SSL server test

1 Like

Yes... sometimes it's secured and sometimes not secured when we try http://

this is strange...

1 Like

Qualys SSL Server Test looks great... :thinking:

https://www.ssllabs.com/ssltest/analyze.html?d=concretise.ca&hideResults=on

4 Likes