"Your connection is not private" - does it mean my connection is not secured?


#1

After much trouble, I configured my free HTTPS domain, but now if I enter it I get from chrome “Your connection is not private”.
I can by-pass it and continue (and even use JAVA to connect), but I wonder - does that warning means my connection is not secure? Or do I have something else I need to configure in my server? Or is this just a warning because my SSL is free and not paid?


#2

No. (assuming you are using a Let’s Encrypt certificate.

It’s most probably because of an incorrect configuration on your system. Can you provide your domain name ? then we can probably say which of the many causes it is.


#3

The IP I connect is 192.168.36.1


#4

Certificates are not issues to local IP addresses - they are for domain names. If you use an internal Ip address, not a domain name, then you will always get an error message. I can’t say if it’s installed correctly (and hence your data is secure) or not.


#5

It was also configured on app4u.ml, but it has the same warning. Also, its not guaranteed to be mine forever, so I rather use the IP.


#6

This isn’t a valid Let’s Encrypt certificate. Did you obtain a Let’s Encryt certificate ? or are you asking a generic question ?

It looks as if a Let’s Encrypt certificate has been issued for that domain - but the one that is being presented is a self signed cert, not the LE one.


#7

I’m sorry but I don’t know what you mean… If I try to HTTPS my site, I get a warning from chrome, but I can enter. Also, I can send/receive JAVA bytes. Can I self-sign a cert and still connect through HTTPS?


#8

I think you might need to provide some more details.

  • Is it a self-signed certificate or an actual Let’s Encrypt certificate?
  • To which domain name the certificate was issued (in case of self-signed certificate it could also be an IP)?

Considering that you are connecting to something with a local rather than public IP (the router, some other device or local computer):

  • How did you verify the ownership of the name if it is an LE certificate?
  • If it is for internal purposes, why would you need an LE certificate if self-signed would just work?

#9

Please just tell me if it can cause a problem with google - can I send confidential android user data over this HTTPS?


#10

Hi Ran

This is the process I use

A) Download the Certificate and Open it up in windows or linux. Check the certificate has not expired.
B) Check what domains and IPs the certificate will protect. For example a certificate I issue may protect my HOSTNAME (test1.domain.com) and it’s pubic IP (x.x.x.x). If I am browsing from within my network I may use a different host name and IP (in which case the certificate will not be treated as valid)
C) In order for the certificate to work the client (whether its a browser or a java based client) needs to trust the certificate authority. This is done via what’s called an intermediate certifiacte. You can review which clients trust Lets Encrypt here: Which browsers and operating systems support Let’s Encrypt
D) You may need to install the Lets Encrypt Intermediate Certificates in your app/client for it to trust Lets Encrypt. https://letsencrypt.org/certificates/

So in short:
Make sure the certificate hasn’t expired
Make sure the hostname or IP you are using to browse matches whats in the certificate
Make sure you are using a client that trusts the Lets Encrypt Certificate Authority


#11

From where can I download my certificate (I installed it weeks ago so I don’t remember)?
Also - I can make my JAVA program trust my HTTPS connection. But is the warning will be a problem if google checks it?


#12

Hi Ran

What client did you use yo generate the certificate? Most of the clients keep a copy of the certificate on the file system from where they were installed and where the request was processed.

Do you still have your Private Key and CSR?

Regarding whether it’s a problem or not I am not an expert on JAVA programming or google processes so can’t speak to that.

Andrei


#13

@RanCohen, I think people here are having a hard time helping you because it’s a bit difficult to understand what you’re trying to do. From what you’ve told us, we don’t understand what you got a certificate for, where the certificate was installed, or why you’re seeing that error. Without understanding these things, it’s difficult to know how to answer your other questoins.

Maybe you could start from the beginning – you said “I configured my free HTTPS domain”. How did you do that? Do you have a domain name that you own, and did you get a certificate from Let’s Encrypt for that name? What software or tools did you use to do that? What happened that convinced you that it was working?


#14

Just look here: https://104.200.19.19/ - you get a warning that you can skip.
Will google mind it?


#15

Hi Ran

This is a very common challenge. If you are going to access a service via ip you should have an IP in the V3 subjectaltname.

Your current certificate is also self signed so it will not be trusted. You should create a certificate issued by a public CA (such as Lets Encrypt) with the domain name and IP address in the subjectaltname.

You will need to verify with Google what their policy on self signed certificate is.

This ways you can use either a domain name or an ip to access the website and both will be valid.

Andrei


#16

I’m not familiar with the rules for Android app development (or rather the rules for the Play Store, I guess), but the certificate used by that site was not issued by Let’s Encrypt or any other publicly-trusted CA. It’s a self-signed certificate.

You’ll need to provide more details if you want help with obtaining and installing a certificate from Let’s Encrypt. What web server are you using, and what does the configuration look like? Which of the ACME clients did you use to get the certificate, and what where the options you used the client with?


#17

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.