Unsecured site messages

My domain is: inonl.org

I'm afraid I don't have answers to the technical questions. I did run a Qualys test and it returned an A rating.

I am adding the certificate automatically via Plesk at Media Temple.

I am getting feedback that it is showing up as not secure, mostly from hospitals when they try to access the site.

Is this a reaction to some sort of security software they are running? Maybe?

I have a ton of sites secured this way, and only this site has issues.

Your site is properly configured with its certificate and chain. The feedback you are getting is likely from environments that have devices that are not getting Certificate Authority trust store updates either because they're too old or they've been disabled in some way by the administrator of that environment. Specifically, the devices having problems are most likely missing Let's Encrypt's root certificate, ISRG Root X1, in their trust stores.

A very old root certificate, DST Root CA X3, that many of these old devices were dependent on recently expired, which is when this problem probably started. The devices in these environments are also likely having the same problem with many other sites on the Internet because Let's Encrypt is the largest certificate authority in the world. Since you don't control their environment, there's nothing you personally can do to help them other than relay this information and perhaps point them here for additional help.

Here's a post on the main Let's Encrypt site with more info.

I should probably add that the one thing you can do on your end is try switching to a different Certificate Authority such as ZeroSSL, which also supports ACME like Let's Encrypt. They use a different trust chain that may still be supported by these older devices.

4 Likes
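
The trust-store condition described in the answer above can be checked on an affected client. This is an added example, not part of the original replies: the function names are hypothetical, the sample store is constructed, and the input is assumed to be a list of dicts shaped like the output of Python's `ssl.SSLContext.get_ca_certs()`.

```python
import ssl
import time

# Root names taken from the answer above.
NEEDED_ROOT = "ISRG Root X1"
EXPIRED_ROOT = "DST Root CA X3"


def common_name(cert):
    """Return the subject commonName of a get_ca_certs()-style dict."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def audit_trust_store(ca_certs, now=None):
    """Report, per root, whether it is present and not yet expired."""
    now = time.time() if now is None else now
    report = {}
    for name in (NEEDED_ROOT, EXPIRED_ROOT):
        matches = [c for c in ca_certs if common_name(c) == name]
        valid = any(ssl.cert_time_to_seconds(c["notAfter"]) > now
                    for c in matches)
        report[name] = {"present": bool(matches), "valid": valid}
    return report


def load_system_roots():
    """Roots Python has loaded on this machine. Certificates kept in a
    capath directory are loaded lazily and may not be listed."""
    return ssl.create_default_context().get_ca_certs()


# Constructed sample: an outdated store holding only the expired root.
OLD_STORE = [{
    "subject": ((("organizationName", "Digital Signature Trust Co."),),
                (("commonName", "DST Root CA X3"),)),
    "notAfter": "Sep 30 14:01:15 2021 GMT",
}]

if __name__ == "__main__":
    print("constructed old store:", audit_trust_store(OLD_STORE))
    print("this machine:", audit_trust_store(load_system_roots()))
```

A client whose report shows `ISRG Root X1` as not present matches the situation the answer describes and needs a trust store update from its administrator.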

Hi @beanthere22 and welcome to the LE community forum 🙂

That is sad 🙁
[they are likely for profit businesses that only apply upgrades/updates when compliance requires them to do so]

It's worth pushing this back to the users to get them to tell their IT dept instead. If their desktop computers are being used to access the internet then they need to be up to date, or they need to disconnect them from the network.

1 Like
