Website showing as insecure by Chrome, Firefox


#1

My domain is: outrightsoftware.com

My web server is (include version): Apache/2.4.27

The operating system my web server runs on is (include version): Debian GNU/Linux 8

My hosting provider, if applicable, is: Google

I can login to a root shell on my machine (yes or no, or I don’t know): yes

My website is showing as unsecured by almost all browsers, though the SSL Labs result shows A. I have also tried using fullchain.pem instead of cert.pem, as suggested in one of the forum posts, with no result.

Please advise.


#2

At this point you are sending the public cert and then the public cert and intermediate chain:

Certificate chain
 0 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Please show the lines in the vhost file where you use the cert files.


#3

Thanks for the quick reply. Mentioned below are the lines from httpd-vhosts.conf:

SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/cert.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/private.pem
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/fullchain.pem


#4

Can you try this? This is what I use on Apache servers; I'm not sure, though, how you have generated the certs.

SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/cert.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/privkey.pem
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/chain.pem

#5

This was tried; it was the original config. I changed to fullchain.pem later.


#6

Strange, it was worth a shot because I use that on all Apache sites without issue. Did your original config also have privkey.pem instead of private.pem?


#7

My file is stored as private.pem, so I have to change it to that.


#8

Does fullchain.pem contain two certificates?


#9

Ok I thought that might be the case.


#10

Your web site shows as secure for me in Firefox, Chrome and Safari ??



#11

I opened it using the vi editor; it has two BEGIN and END CERTIFICATE tags. So I guess yes.


#12

Also no errors with the Qualys tests.


#13

OK.
Use fullchain.pem with SSLCertificateFile (instead of cert.pem) and comment out SSLCertificateChainFile completely, then you should be right.


#14

@bytecamp his current config does not give me any errors, are you also seeing the site loading as insecure?


#15

No, but I saw double-propagation of the certificate via openssl s_client. Now it seems to be correct at least from that point of view.


#16

Okay, gotcha. I didn't dig that deep :slight_smile:


#17

Thanks, it is working now. I have also observed that it's working on outrightsoftware.com but not on www.outrightsoftware.com.


#18

It’s what rg305 posted.

$ openssl s_client -connect outrightsoftware.com:443 -servername outrightsoftware.com </dev/null | grep -A10 'Certificate chain'


#19

You seem to have configured a separate VirtualHost for this domain name, because it sends a self-signed certificate with wrong common name.

$ openssl s_client -connect outrightsoftware.com:443 -servername www.outrightsoftware.com </dev/null | grep -A10 'Certificate chain'
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=www.example.com
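The two symptoms diagnosed in this thread, the leaf certificate being sent twice (post #2) and a different VirtualHost answering for the www name with a self-signed certificate (post #19), are both visible in the "Certificate chain" summary that `openssl s_client` prints. The script below is an added example, not code from the thread, from Let's Encrypt or from Apache; it parses that summary (the OpenSSL 1.0-style `s:/CN=...` / `i:/...` lines shown above) and flags duplicate certificates, a leaf whose CN does not match the name you asked for, a self-signed leaf, and a broken issuer order, and it also counts the certificates in a PEM bundle the way post #11 did by hand. The chain texts and the PEM bundle are constructed samples that mirror the thread, not live captures; in practice you would feed it the output of the `openssl s_client ... | grep -A10 'Certificate chain'` command from post #18.

```python
"""Sanity checks on a served TLS chain as summarised by `openssl s_client`."""
import re
from typing import List, Tuple

# Constructed sample mirroring post #2: the leaf is sent twice before the
# intermediate (not a live capture).
SAMPLE_DOUBLED_CHAIN = """\
Certificate chain
 0 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Constructed sample mirroring post #15/#19 after the fix: leaf, then intermediate.
SAMPLE_GOOD_CHAIN = """\
Certificate chain
 0 s:/CN=outrightsoftware.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

# Constructed sample mirroring post #19: the wrong vhost answers with a
# self-signed placeholder certificate.
SAMPLE_SELF_SIGNED = """\
Certificate chain
 0 s:/CN=www.example.com
   i:/CN=www.example.com
---
"""

# Constructed stand-in for a fullchain.pem: two PEM blocks with dummy bodies.
SAMPLE_FULLCHAIN = """\
-----BEGIN CERTIFICATE-----
MIIBleafcertificatebodyplaceholder==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBintermediatebodyplaceholder==
-----END CERTIFICATE-----
"""

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S
)


def count_pem_certificates(pem_text: str) -> int:
    """Number of PEM certificate blocks in a bundle (what post #11 counted by eye)."""
    return len(PEM_CERT_RE.findall(pem_text))


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    subject = None
    for line in s_client_output.splitlines():
        m = re.match(r"\s*\d+\s+s:(.*)$", line)
        if m:
            subject = m.group(1).strip()
            continue
        m = re.match(r"\s*i:(.*)$", line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_problems(s_client_output: str, expected_cn: str) -> List[str]:
    """Human-readable list of problems; empty list means the chain looks sane."""
    problems: List[str] = []
    chain = parse_chain(s_client_output)
    if not chain:
        return ["no certificate chain found in output"]

    leaf_subject, leaf_issuer = chain[0]
    # The s_client summary only shows the subject, so SANs are not checked here.
    if f"CN={expected_cn}" not in leaf_subject:
        problems.append(f"leaf CN does not match {expected_cn}: {leaf_subject}")
    if leaf_subject == leaf_issuer:
        problems.append("leaf is self-signed")

    # A certificate sent more than once (the fullchain-plus-chain mistake).
    seen = set()
    for entry in chain:
        if entry in seen:
            problems.append(f"certificate sent twice: {entry[0]}")
        seen.add(entry)

    # After removing repeats, each certificate should be issued by the next one.
    unique = list(dict.fromkeys(chain))
    for (_, issuer), (next_subject, _) in zip(unique, unique[1:]):
        if issuer != next_subject:
            problems.append(f"chain order broken: expected {issuer}, got {next_subject}")
    return problems


if __name__ == "__main__":
    print("fullchain.pem certificates:", count_pem_certificates(SAMPLE_FULLCHAIN))
    for name, text, cn in [
        ("doubled", SAMPLE_DOUBLED_CHAIN, "outrightsoftware.com"),
        ("fixed", SAMPLE_GOOD_CHAIN, "outrightsoftware.com"),
        ("www vhost", SAMPLE_SELF_SIGNED, "www.outrightsoftware.com"),
    ]:
        print(name, "->", chain_problems(text, cn) or "OK")
```

Run it against a saved `openssl s_client` capture for each hostname you serve (the bare domain and the www name separately, since SNI selects the VirtualHost), and fix the Apache config until every run reports OK; a doubled leaf means the same certificate appears in both `SSLCertificateFile` and `SSLCertificateChainFile`, and a self-signed leaf on one name means that name is landing in a different VirtualHost than the one holding the Let's Encrypt files.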


#20

Well, I have kept www.* as ServerAlias now. Should it solve the issue?