Website showing as insecure by Chrome, Firefox

Help
1

My domain is: outrightsoftware.com

My web server is (include version): Apache/2.4.27

The operating system my web server runs on is (include version): Debian GNU/Linux 8

My hosting provider, if applicable, is: Google

I can login to a root shell on my machine (yes or no, or I don’t know): yes

My website is showing as unsecured by almost all browsers, though SSL Lab result shows A. I have also tried using fullchain.pem instead of cert.pem with no result as suggested in one of the forum.

Please advise.

2

At this point you are sending the public cert and then the public cert and intermediate chain:

Certificate chain
0 s:/CN=outrightsoftware.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/CN=outrightsoftware.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
2 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Please show the lines in the vhost file where you use the cert files.

3

Thanks for the quick reply. Mentioned below are the lines from httpd-vhosts.conf:

SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/cert.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/private.pem
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/fullchain.pem

4

Can you try this. This is what I use on Apache servers, not sure though how you have generated the certs.

SSLCertificateFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/cert.pem
SSLCertificateKeyFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/privkey.pem
SSLCertificateChainFile /opt/bitnami/apps/wordpress/letsencrypt/live/outrightsoftware.com/chain.pem
5

This is tried, it was the original config. I changed to fullchain.pem later.

6

Strange, was worth a shot because I use that on all Apache sites without issue. Did your original config also have privkey.pem instead of private.pem ?

7

My file is stored as private.pem so I have to change it that.

1 Like
8

Does fullchain.pem contain two certificates?

9

Ok I thought that might be the case.

10

Your web site shows as secure for me in Firefox, Chrome and Safari ??

09 PM
Screen Shot 2017-11-29 at 12.27.09 PM.png590×588 49.1 KB

55 PM
Screen Shot 2017-11-29 at 12.27.55 PM.png722×40 2.85 KB

45 PM

11

I opened it using vi editor, it has two begin and end certificate tags. So I guess yes.

12

Also no errors with Qualsys tests

22 PM
Screen Shot 2017-11-29 at 12.30.22 PM.png1093×630 51.2 KB

13

OK.
Use fullchain.pem with SSLCertificateFile (instead of cert.pem) and comment out SSLCertificateChainFile completely, then you should be right.

1 Like
14

@bytecamp his current config does not give me any errors, are you also seeing the site loading as insecure?

15

No, but I saw double-propagation of the certificate via openssl s_client. Now it seems to be correct at least from that point of view.

2 Likes
16

Okay gotya I didn’t dig that deep :slight_smile:

17

Thanks, it is working now. I have also observed that its working on outrightsoftware.com but not on www.outrightsoftware.com.

18

It's what rg305 posted.

$ openssl s_client -connect outrightsoftware.com:443 -servername outrightsoftware.com </dev/null | grep -A10 'Certificate chain'

1 Like
19

You seem to have configured a separate VirtualHost for this domain name, because it sends a self-signed certificate with wrong common name.

$ openssl s_client -connect outrightsoftware.com:443 -servername www.outrightsoftware.com </dev/null | grep -A10 'Certificate chain'
Certificate chain
0 s:/CN=www.example.com
i:/CN=www.example.com

20

Well, I have kept www.* as ServerAlias now. Should it solve the issue?