Website not opening in Chrome


#1

Please fill out the fields below so we can help you better.

My domain is: www.bwdmedia.in and I installed the Let's Encrypt certificate manually using https://gethttpsforfree.com/. I'm able to access https://www.bwdmedia.in on Firefox but Chrome just refuses to open it up. It says

www.bwdmedia.in unexpectedly closed the connection

This was what I originally had in my httpd.conf file

<VirtualHost 198.46.87.211:80>
ServerName bwdmedia.in
ServerAlias www.bwdmedia.in
DocumentRoot /home/vipul/public_html
ServerAdmin webmaster@bwdmedia.in
UseCanonicalName Off
CustomLog /usr/local/apache/domlogs/bwdmedia.in combined
CustomLog /usr/local/apache/domlogs/bwdmedia.in-bytes_log "%{%s}t %I .\n%{%s}t %O ."
## User vipul # Needed for Cpanel::ApacheConf
UserDir enabled vipul
<IfModule mod_suphp.c>
    suPHP_UserGroup vipul vipul
</IfModule>
<IfModule !mod_disable_suexec.c>
    <IfModule !mod_ruid2.c>
        SuexecUserGroup vipul vipul
    </IfModule>
</IfModule>
<IfModule mod_ruid2.c>
    RMode config
    RUidGid vipul vipul
</IfModule>
<IfModule itk.c>
    # For more information on MPM ITK, please read:
    #   http://mpm-itk.sesse.net/
    AssignUserID vipul vipul
</IfModule>

ScriptAlias /cgi-bin/ /home/vipul/public_html/cgi-bin/

Include "/usr/local/apache/conf/userdata/std/2/vipul/*.conf"
</VirtualHost>

This is what I replaced it with

<VirtualHost 198.46.87.211:443>
    ServerName bwdmedia.in:443
    ServerAlias www.bwdmedia.in
    DocumentRoot /home/vipul/public_html
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/bwdmedia-in.crt
    SSLCertificateKeyFile /etc/ssl/private/bwdmedia-in.key
    SSLCertificateChainFile /etc/ssl/certs/bwdmedia-in-intermediate.pem
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite THE WHOLE CODED STRING$
    SSLHonorCipherOrder on
    <Directory /home/vipul/public_html>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
        Order allow,deny
        allow from all
    </Directory>
    UserDir enabled vipul
    <IfModule mod_suphp.c>
        suPHP_UserGroup vipul vipul
    </IfModule>
    <IfModule !mod_disable_suexec.c>
        <IfModule !mod_ruid2.c>
            SuexecUserGroup vipul vipul
        </IfModule>
    </IfModule>
    <IfModule mod_ruid2.c>
        RMode config
        RUidGid vipul vipul
    </IfModule>
    <IfModule itk.c>
        # For more information on MPM ITK, please read:
        #   http://mpm-itk.sesse.net/
        AssignUserID vipul vipul
    </IfModule>

    ScriptAlias /cgi-bin/ /home/vipul/public_html/cgi-bin/

</VirtualHost>

And you can see the SSL report here at SSL Labs

Can anyone tell me what the reason is? And what the solution would be?


#2

It works OK in Chrome for me - maybe just worth clearing your browser cache and refreshing?


#3

Your certificate configuration seems ok, but you have some other major problem: https://www.ssllabs.com/ssltest/analyze.html?d=www.bwdmedia.in

You should update your server software as soon as possible


#4

Yeah I checked it on a mac and then on other windows systems and android phones as well. It doesn’t work on my computer specifically. The computer that did all this work lol

I’ve tried using Incognito Mode but the same result. I wonder what’s so specific about this device?


#5

Do you have any specific suggestion? My server is with inmotionhosting and it has many cPanels and domains. I don’t wanna be messing around too much with it


#6

I’m not an expert, but I think you should upgrade openssl first. This will close the problem “OpenSSL Padding Oracle vulnerability (CVE-2016-2107)” which is the major issue.

You may want to change your Apache SSL configuration later to improve the overall security, but this can have some impact on some clients; you may want to look at https://mozilla.github.io/server-side-tls/ssl-config-generator/


#7

Thank you very much for that. If it’s not too much of a bother to you, can you answer this newb question :sweat_smile:?
I don’t know much about what exactly OpenSSL is. Can you tell me if updating it will affect my websites or databases or php or anything else? I don’t wanna run into compatibility issues.


#8

It's a "program" or "package" on your operating system.

You don't say what your operating system is. I'm guessing that as you use cPanel it's probably CentOS.

If you run

yum update

it should update the main packages on your server. Do you know what version of CentOS (or other operating system) you are running?

And no, updating it won't affect your website / database etc. in a negative way.


#9

It's CentOS 6.7 and OpenSSL is 1.0.1e


#10

Alright. Everything working perfectly. I got an A! :grinning:

Thank you everyone


#11

Add support for HSTS to get an A+ grade.

Additionally, I'd enable the cipher TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) (ECDHE-RSA-AES256-SHA in OpenSSL 1.0.1) for supporting IE10. Some people cannot or don't want to update to IE11, and if they have enabled TLS 1.2 in their Internet Settings as suggested, they could access your server.


#12

Thanks for that chacha20 but I think for my situation, HSTS would be overkill.

And as for cipher suites, I'm really confused about which set I should be choosing. There's different advice in every place. Would it be wise to use the intermediate set from Mozilla's TLS guide?


#13

HSTS is a pain for minor sites as you need to worry a lot more about your private keys.

You might want to enable OCSP stapling as that can help some with SSL performance. The intermediate settings from Mozilla are a good practice imho. You might want to use https://mozilla.github.io/server-side-tls/ssl-config-generator/ as it makes your life easier: just enter your version of Apache and OpenSSL and it will generate the Apache configuration settings for you!


#14

HSTS is never overkill. Just set it up as described there, and no customer/client/user who has ever connected with the HSTS setup will ever hit the http port again, safely staying on the https port only. As I see, you have redirection to https already activated, so the remaining part is only the one configuration line in your TLS VirtualHost:

Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"

Certainly you will get different advice, even I myself do suggest different sets of ciphers, depending on the purpose of the server, and also depending on collected wisdom and practice. :wink:

Some want to help you get 4*100 on SSL Labs and advise only AES256 ciphers, others will tell you that AES256 is bad and you should stick with AES128 only. Some like ECDSA keys, others don't want to trust them before new curves have found their way into servers and clients. You know, the truth lies somewhere in the middle.

Finally, the choice of ciphers and protocols highly depends on client backward compatibility. If you look at the Handshake Simulation section of the SSL Labs output, you will see quite some browsers will not be able to connect to your server at all. If you can live with that, just stay with your set of ciphers.

Your protocol and cipher selection, which is actually Mozilla's Modern Security, is concise and secure, so just disregard my suggestion then.
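An added example, not code from the thread or from any project mentioned in it: a parser for the Strict-Transport-Security value posted above, following RFC 6797, that reports syntax problems and how many days a returning visitor stays pinned to https, which is the lock-in this thread weighs. THREAD_HEADER reproduces the line from the post; everything else is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional

# The header value suggested in the thread (post #14), used as sample input.
THREAD_HEADER = 'max-age=63072000; includeSubdomains;'

@dataclass
class HstsPolicy:
    max_age: Optional[int]       # seconds the browser pins the host to https
    include_subdomains: bool
    preload: bool
    problems: List[str]          # syntax issues found while parsing

def parse_hsts(value: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value per RFC 6797 section 6.1."""
    problems: List[str] = []
    max_age = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        token = raw.strip()
        if not token:            # tolerates the trailing ';' in the thread's line
            continue
        name, _, arg = token.partition("=")
        name = name.strip().lower()     # directive names are case-insensitive
        arg = arg.strip().strip('"')    # max-age may be a quoted string
        if name in seen:                # RFC: each directive at most once
            problems.append(f"duplicate directive {name!r}")
            continue
        seen.add(name)
        if name == "max-age":
            if arg.isdigit():
                max_age = int(arg)
            else:
                problems.append("max-age must be a non-negative integer")
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        else:
            problems.append(f"unknown directive {name!r} ignored")
    if max_age is None:
        problems.append("missing required max-age; browsers ignore the header")
    return HstsPolicy(max_age, include_subdomains, preload, problems)

def pin_days(policy: HstsPolicy) -> int:
    """Days a returning visitor stays https-only, even if the site reverts to http."""
    return 0 if policy.max_age is None else policy.max_age // 86400
```

For the thread's line this yields 730 days (two years); a max-age of 0 is valid and tells browsers to drop the stored policy, which is how a site backs out of HSTS before the period expires.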


#15

It seems you mix it up with HPKP, don’t you?

If I understand correctly, he is running CentOS 6.7, and the supplied Apache is not able to staple OCSP as far as I know.


#16

That I did.

If VeeK is still on CentOS 6.7 stock Apache then you're right, they won't be able to use OCSP stapling.


#17

Well, the problem with HSTS is that if I for any reason want to/have to go back to http (which I can't imagine right now), it would mean a lot of trouble for, say, the next 6 months. I could lose a lot of traffic. And my puny little experience has taught me that in terms of web development, you can never imagine what's coming. So I want the flexibility of getting off the https wagon IF I have to. Makes sense?

And yeah, I don't care much about supporting ancient browsers so Modern ciphers are fine for me.


#18

@VeeK727 If in the future you need http, you can always set up a new domain.

In my opinion, not using HSTS for that reason is damaging for your visitors, as HSTS is the only protection against MitM/SSLStrip.

HSTS is a strong and very positive commitment for security.


#19

Alright guys. I think I'll go with HSTS but not at the moment. This is not a new site and I can't afford to take a new domain and start over, so I need to play it safe. I'll wait at least 3 months and see how the renewal process goes. Then I'll commit to https with HSTS.

I must thank all of you guys for helping me achieve this. I'm very happy.
Thank you

