Website Not Secure

Hi,

I hope you don’t mind me posting directly; however, I am getting stuck with my website. I have set up LetsEncrypt on my Lightsail Bitnami instance and everything was working fine; however, I’ve noticed recently that the website in Chrome says ‘Not Secure’, though in Safari I see the padlock. I have run a few tests and I get the following:

SSL Shopper
One of the root or intermediate certificates has expired (87 days ago).

Unbound
Aug 08 19:02:00 unbound[3643:0] notice: init module 0: validator
Aug 08 19:02:00 unbound[3643:0] notice: init module 1: iterator
Aug 08 19:02:00 unbound[3643:0] info: start of service (unbound 1.10.1).
Aug 08 19:02:01 unbound[3643:0] info: 127.0.0.1 onforfeit.co. CAA IN
Aug 08 19:02:01 unbound[3643:0] info: resolving onforfeit.co. CAA IN
Aug 08 19:02:01 unbound[3643:0] info: priming . IN NS
Aug 08 19:02:01 unbound[3643:0] info: response for . NS IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 192.58.128.30#53
Aug 08 19:02:01 unbound[3643:0] info: query response was ANSWER
Aug 08 19:02:01 unbound[3643:0] info: priming successful for . NS IN
Aug 08 19:02:01 unbound[3643:0] info: response for onforfeit.co. CAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 192.112.36.4#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for onforfeit.co. CAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <co.> 156.154.100.25#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: resolving ns-203.awsdns-25.com. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: resolving ns-899.awsdns-48.net. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: resolving ns-899.awsdns-48.net. A IN
Aug 08 19:02:01 unbound[3643:0] info: resolving ns-1476.awsdns-56.org. A IN
Aug 08 19:02:01 unbound[3643:0] info: resolving ns-1476.awsdns-56.org. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: resolving ns-203.awsdns-25.com. A IN
Aug 08 19:02:01 unbound[3643:0] info: response for ns-1476.awsdns-56.org. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 199.7.91.13#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-899.awsdns-48.net. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 202.12.27.33#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-1476.awsdns-56.org. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 2001:dc3::35#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-1476.awsdns-56.org. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <org.> 2001:500:b::1#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-1476.awsdns-56.org. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <org.> 2001:500:b::1#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-899.awsdns-48.net. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <net.> 2001:501:b1f9::30#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-203.awsdns-25.com. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 192.5.5.241#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-1476.awsdns-56.org. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <awsdns-56.org.> 2600:9000:5304:3b00::1#53
Aug 08 19:02:01 unbound[3643:0] info: query response was ANSWER
Aug 08 19:02:01 unbound[3643:0] info: response for ns-899.awsdns-48.net. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <awsdns-48.net.> 205.251.199.176#53
Aug 08 19:02:01 unbound[3643:0] info: query response was ANSWER
Aug 08 19:02:01 unbound[3643:0] info: response for onforfeit.co. CAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <onforfeit.co.> 205.251.195.131#53
Aug 08 19:02:01 unbound[3643:0] info: query response was nodata ANSWER
Aug 08 19:02:01 unbound[3643:0] info: prime trust anchor
Aug 08 19:02:01 unbound[3643:0] info: generate keytag query _ta-4f66. NULL IN
Aug 08 19:02:01 unbound[3643:0] info: resolving . DNSKEY IN
Aug 08 19:02:01 unbound[3643:0] info: resolving _ta-4f66. NULL IN
Aug 08 19:02:01 unbound[3643:0] info: response for ns-203.awsdns-25.com. AAAA IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 2001:500:2f::f#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for . DNSKEY IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <.> 2001:500:2d::d#53
Aug 08 19:02:01 unbound[3643:0] info: query response was ANSWER
Aug 08 19:02:01 unbound[3643:0] info: validate keys with anchor(DS): sec_status_secure
Aug 08 19:02:01 unbound[3643:0] info: Successfully primed trust anchor . DNSKEY IN
Aug 08 19:02:01 unbound[3643:0] info: validated DS co. DS IN
Aug 08 19:02:01 unbound[3643:0] info: resolving co. DNSKEY IN
Aug 08 19:02:01 unbound[3643:0] info: response for ns-203.awsdns-25.com. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <com.> 2001:501:b1f9::30#53
Aug 08 19:02:01 unbound[3643:0] info: query response was REFERRAL
Aug 08 19:02:01 unbound[3643:0] info: response for ns-203.awsdns-25.com. A IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <awsdns-25.com.> 205.251.192.26#53
Aug 08 19:02:01 unbound[3643:0] info: query response was ANSWER
Aug 08 19:02:01 unbound[3643:0] info: response for co. DNSKEY IN
Aug 08 19:02:01 unbound[3643:0] info: reply from <co.> 2610:a1:1011::21#53
Aug 08 19:02:01 unbound[3643:0] info: query response was ANSWER
Aug 08 19:02:01 unbound[3643:0] info: validated DNSKEY co. DNSKEY IN
Aug 08 19:02:01 unbound[3643:0] info: resolving onforfeit.co. DS IN
Aug 08 19:02:02 unbound[3643:0] info: response for onforfeit.co. DS IN
Aug 08 19:02:02 unbound[3643:0] info: reply from <co.> 2610:a1:1011::21#53
Aug 08 19:02:02 unbound[3643:0] info: query response was nodata ANSWER
Aug 08 19:02:02 unbound[3643:0] info: NSEC3s for the referral proved no DS.
Aug 08 19:02:02 unbound[3643:0] info: Verified that unsigned response is INSECURE

Any help would be greatly appreciated.

My domain is: onforfeit.co

I ran this command: sudo /opt/bitnami/bncert-tool

It produced this output: /tmp/bncert-202008081856.log

My web server is (include version): Wordpress by Bitnami, Lightsail AWS (Apache/2.4.41)

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): n/a - certbot not found

For some reason, you’re sending two end leaf certificates:

osiris@erazer ~ $ openssl s_client -connect onforfeit.co:443 
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = www.onforfeit.co
verify return:1
---
Certificate chain
 0 s:CN = www.onforfeit.co
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:CN = onforfeit.co
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 2 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
(...)

The first one is fine: valid since today for the next 90 days. The second one, however, expired all the way back in May this year!

Please fix your webserver configuration to not include the expired certificate.

Oh, and by the way: the reason Google Chrome says your website is insecure is because of mixed content: some of the content of your site is loaded through HTTP instead of HTTPS.
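The check described above, as an added example that is not from the thread or from the Bitnami or Let's Encrypt tooling: a Go program that audits a served chain the way a browser does, flagging any certificate that is past its notAfter and any second end-entity certificate in the chain. It assumes the constructed self-signed fixtures built by selfSigned (host names under example.test and the 87-day figure are modelled on the thread) in place of a live connection; against a real server you would pass the certificates from a tls.Conn's ConnectionState().PeerCertificates instead.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// AuditChain checks a served chain (leaf first) the way a browser does: every certificate must
// be within its validity window, and only one end-entity (non-CA) certificate belongs in it.
func AuditChain(now time.Time, chain ...*x509.Certificate) []string {
	problems, leaves := []string{}, 0
	for i, c := range chain {
		if !c.IsCA {
			if leaves++; leaves > 1 {
				problems = append(problems, fmt.Sprintf("cert %d (%s): extra end-entity certificate", i, c.Subject.CommonName))
			}
		}
		if now.After(c.NotAfter) {
			problems = append(problems, fmt.Sprintf("cert %d (%s): expired %d days ago", i, c.Subject.CommonName, int(now.Sub(c.NotAfter).Hours()/24)))
		}
	}
	return problems
}

// selfSigned builds a throwaway certificate for the demo (constructed fixture, not a real CA-issued one).
func selfSigned(cn string, isCA bool, notBefore, notAfter time.Time) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

func main() { // audits a constructed chain shaped like the thread's: fresh www leaf, stale apex leaf, intermediate CA
	now, day := time.Now(), 24*time.Hour
	www := selfSigned("www.example.test", false, now, now.Add(90*day))
	apex := selfSigned("example.test", false, now.Add(-180*day), now.Add(-87*day)) // expired 87 days ago
	ca := selfSigned("Example Intermediate CA", true, now.Add(-365*day), now.Add(365*day))
	for _, p := range AuditChain(now, www, apex, ca) {
		fmt.Println(p)
	}
}
```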

Hi @aniquerehman

Looks like you have a browser switch. With https://check-your-website.server-daten.de/?q=onforfeit.co there is no problem visible, Grade B.

But Chrome has an image:

http://demo3.drfuri.com/supro2/wp-content/uploads/sites/5/2018/06/bg_megamenu.jpg

loaded via http, that’s your mixed content.

Curious: The screenshot of “check-your-website” uses the headless Chrome. There is no Chrome error visible.

PS: The Unbound result isn’t relevant. That’s not a DNS problem, it’s a problem of your website / html-code.

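An added example, not part of the thread, of the mixed-content check the two replies above describe: a Go scanner that lists the http:// subresources (stylesheets, scripts, CSS background images such as the theme image mentioned) that a page served over HTTPS would load, which is what triggers Chrome's "Not Secure" here. The HTML it scans is constructed with example.test host names; it does not fetch the real site.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// insecureRef matches absolute http:// references in the places a browser fetches subresources
// from: src/href attributes (tag name captured so plain links can be skipped) and CSS url(...).
var insecureRef = regexp.MustCompile(`(?i)<(\w+)[^>]*?\s(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)|url\(\s*["']?(http://[^"')\s]+)`)

// FindMixedContent returns, in document order, every http:// subresource a page served over
// HTTPS would load. <a href> is navigation, not a subresource, and protocol-relative "//host"
// URLs inherit https, so neither is reported.
func FindMixedContent(doc string) []string {
	found := []string{}
	for _, m := range insecureRef.FindAllStringSubmatch(doc, -1) {
		switch {
		case m[3] != "": // CSS url(...) value, e.g. a theme background image
			found = append(found, m[3])
		case m[2] != "" && !strings.EqualFold(m[1], "a"):
			found = append(found, m[2])
		}
	}
	return found
}

// sampleHTML is a constructed page that mimics the thread's problem: a theme background image
// and a script pulled over plain http from a demo host, alongside harmless references.
const sampleHTML = `<html><head>
<link rel="stylesheet" href="https://cdn.example.test/style.css">
<style>.menu{background:url(http://demo.example.test/bg_megamenu.jpg)}</style>
</head><body>
<a href="http://partner.example.test/">partner</a>
<img src="//static.example.test/logo.png">
<script src="http://demo.example.test/app.js"></script>
</body></html>`

func main() {
	for _, u := range FindMixedContent(sampleHTML) {
		fmt.Println("mixed content:", u)
	}
}
```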

Thanks so much for taking a look. How would I go about removing the expired certificate?
