“Your connection is not private”

My Let's Encrypt certificate is valid, but I occasionally get a “Your connection is not private” error when accessing my site. This happens for all the domains where I have installed Let's Encrypt certificates, but for simplicity I will limit this topic to one domain.

It appears that the server occasionally serves an old certificate. When I refresh the browser, it serves the current valid certificate. Occasionally, I need to refresh the browser several times.

This issue first appeared last year. I have renewed the certificate several times, but the problem persists. I contacted Support of my hosting provider (Media Temple) several times, but they won't assist because Let's Encrypt is considered a "third party."

Domain: https://www.duits.co
Hosting provider: Media Temple
Web server: (gs) Grid-Service

This is the error message:

not-private1384×742 134 KB

This is the information when there is an error message:

cert-expired1813×3415 189 KB

This is the information after a refresh:

cert-active2208×3621 200 KB

This is the .htaccess file:

AddHandler php-stable .php

# BEGIN (mt) controlled settings
AddHandler php-latest .php
# END (mt) controlled settings

# NEW REWRITE RULE BY MEDIA TEMPLE (FORCE https PLUS www)
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.duits.co%{REQUEST_URI} [R,L]

That's an expensive service for them to rebuff you like that.

I'd look for another provider.

That is the plan, 9peppe. But I have already paid for a year. So, for now I need to have this issue solved with Media Temple.

It's a shared hosting, you might not have much power about that.

If you see more than one certificate in the interface, I'd make sure to delete any expired ones.

I am not sure I follow. Which interface are you referring to? And how would I delete an expired certificate?

I don't know if there is an interface.

I was just assuming there's a list of certificates you can add and remove. If there isn't one, well, I just assumed too much.

My thought is that they are clustering your site and some of the systems are using an old cert, notice the expired cert encountered below.
Furthermore, not all systems are configured the same, notice the etag entry and then none.

curl -Ii https://www.duits.co/
HTTP/2 200
server: nginx/1.16.1
date: Tue, 10 May 2022 07:43:53 GMT
content-type: text/html
content-length: 8015
last-modified: Wed, 20 Jan 2021 12:45:51 GMT
etag: "1f4f-5b95455c63dc0"
accept-ranges: bytes
vary: Accept-Encoding,User-Agent

curl -Ii https://www.duits.co/
HTTP/2 200
server: nginx/1.16.1
date: Tue, 10 May 2022 07:43:55 GMT
content-type: text/html
content-length: 8015
last-modified: Wed, 20 Jan 2021 12:45:51 GMT
accept-ranges: none
vary: Accept-Encoding,User-Agent

curl -Ii https://www.duits.co/
curl: (60) SSL certificate problem: certificate has expired

Assuming your hosting service are the ones who manage the webserver (nginx in this case) then the certificate is also their responsibility, unless you are uploading it yourself.

It could be they have a set of load balanced web servers internally and one of them is misconfigured or out of sync.

You could work around the problem by moving your DNS to Cloudflare (free), which then by default can "proxy" your website (which would still be hosted with the same company), making it faster in different countries and also providing an automated certificate.

Also note that your website currently uses some fonts from google which are loading via http, you need to update that to load via https instead otherwise some browsers will refuse to load the content or present the users with a mixed content warning.

Thank you. I will contact Support again and mention your suggestion.

Good eyes! I missed that completely. Thank you. I will fix that right away.

Thank you.

Thank you for the feedback. By the way, which service did you use to collate the information?

https://curl.se/

Thank you, 9peppe.

You probably have it already, no need to download it.

Actually, I don't… So thanks for the tip.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.