I have two computers both being a Mac that say the SSL Certificate are "Not Valid". We have set the date and time. Changed the wireless network, cleared the cash, Updated the browsers. The Mac OS is version 10.15.7 What can I do to resolve this issue or is the help somewhere that can help me with it,
The buffalochip.com Short Name is redirected to www.buffalochip.com in my Chrome & Edge and the ISRG Root X1 appears valid in the short/alternate chain .Would that explain the error from the 10.15.7 on Chrome & Safari? How does a novice repair the "items listed glaringly at the top" or find an expert to do so?
The link I provided in my previous post should help clear up the insecure TLS versions and cipher suites being used. It's not extremely complicated or lengthy to do (less than an hour), but understandably that depends on the familiarity and comfort of those making the changes.
As far as the chain is concerned, there's nothing per se wrong with using the short chain. It's just recommended to use the long chain for maximum compatibility with certain older Android devices. @schoen was on the right track with his questions here as there seems to be no imminent reason for the systems in question to be considering the certificate to be invalid. I was simply pointing out several factors that could greatly improve the TLS/SSL functionality of the website.
Hi @BrettP, I didn't understand whether you are connected to the site @Mikek is asking about (and/or to @Mikek himself).
Although the SSL Labs report indicates some things that would be good to fix for general security purposes, none of them appear to be things that should cause an actual error or warning message in Safari or Chrome on macOS 10.15.7. So, I'm still not sure how to explain the original error report. It would be helpful to see a screenshot of the associated error message.
Your web server needs a reboot: if you're using Certify The Web ideally also make sure you have the latest version installed and set your renewal interval to 30 days or higher. If you are using win-acme just try a reboot.
I was referring to the UI if they happen to use Certify The Web, which can do either N days since last renewal or N days before expiry, defaulting to days since last renewal. Certify The Web historically had a high renewal frequency in older versions but now defaults to every 30 days (max 60). It will limit how close you can set the renewal to actual expiry because lots of folks struggle to resolve renewal issues early on (what do you mean I can't close port 80, I have 20 domains on one cert and 1 is failing validation etc).
So while buffalochip.com was fine, it was being redirected to www.buffalochip.comafter the DNS check (on the apex) which resulted in another DNS check (on the www) that was returning the expired R3 cert? So the redirect should have taken place before the DNS check happens? Failing to reboot missed the updated rewrite rule and thus failed to serve the correct root cert. One for the MAC book. (no pun intended).