Sites are insecure, should be secure
Doug Easterbrook
doug at artsman.com
Sat Mar 5 15:48:33 UTC 2022
One of the tools we use when people complain of a web site being insecure is
https://www.ssllabs.com/ssltest/
Just stick in your domain name, like goravani.com, and it will tell you what issues exist in your domain. You'll have to click on the two "click here to expand" messages in the report that this web site generates.
Here's a quick link to get to it, but bookmark the link above so you can re-issue any test if you change settings or fix the intermediate certificates.
https://www.ssllabs.com/ssltest/analyze.html?d=goravani.com&hideResults=on&latest
In your case, certificate 1 has the following problem:
Path #2: Not trusted (invalid certificate [Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739]) <https://www.ssllabs.com/ssltest/getTestTrustPath?d=goravani.com&cid=021242d943cbcabeb84e13af66455d3cc130fafb509d44b891363f9101141bda&time=1646494796487&id=2&trustStore=1>
1 Sent by server goravani.com
Fingerprint SHA256: 26921fc6c4659b47295aa6cafbd05cf66dda43afe093555cd84ecd36760ed2a4
Pin SHA256: vWNFCHdjq8e6U2A3c+saPpbzNTMEt/mTnIaIXxQ91Xs=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server ISRG Root X1
Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA
4 In trust store DST Root CA X3 Self-signed
Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate
and Server Key and Certificate #1 says:
Server Key and Certificate #1 <https://www.ssllabs.com/ssltest/getTestCertificate?d=goravani.com&cid=ce4f89d0970aeaf7cc8271edd8f122ecce7ad99b00bd99e9f30f98a4b4ae1ffb&time=1646494796487>
Subject default
Fingerprint SHA256: ddf9d5b36c4927c70cee758c24f616fc89199747f57b8af3330ee0b648302df2
Pin SHA256: rWb91VJ5W44aSZDmmqS2e8GteKp9d+7c6uoIK6uu1zA=
Common names default
Alternative names default MISMATCH
Serial Number 00dd46513f732a9533
Valid from Thu, 29 Jun 2017 09:37:49 UTC
Valid until Fri, 29 Jun 2018 09:37:49 UTC (expired 3 years and 8 months ago) EXPIRED
Key RSA 2048 bits (e 65537)
Weak key (Debian) No
Issuer default Self-signed
Signature algorithm SHA256withRSA
Extended Validation No
Certificate Transparency No
OCSP Must Staple No
Revocation information None
Trusted No NOT TRUSTED
Mozilla Apple Android Java Windows
I can't tell you how to solve it ... you'll have to look that up, but one of the intermediate certificates in use looks to be well out of date and not trusted.
So, while the site gets an A+ for security, there are issues with the certificate that make the site suspect to some browsers, and others don't care.
Doug Easterbrook
Arts Management Systems Ltd.
mailto:doug at artsman.com
http://www.artsman.com
Phone (403) 650-1978
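The browser and SSL Labs checks described in this thread can be scripted per hostname, which matters here because a server that hosts several names picks a certificate by the SNI name the client sends, so each of the four sites has to be probed separately. The script below is an added example, not code from anyone in the thread; it uses only the Python standard library. `probe()` opens a TLS connection with SNI, verifies the chain against the system trust store but leaves hostname matching to `covers()`, so a certificate issued for a different site is reported as a name mismatch instead of an exception, while an untrusted chain (a self-signed "default" certificate, an expired intermediate) is reported with OpenSSL's verification message. `SAMPLE_CERT` is a constructed `getpeercert()`-style dict for offline use, and the wildcard handling in `name_matches()` goes slightly beyond the thread (exact and `*.example.net`-style names). Function and file names are this example's own.

```python
"""Check which hostnames a site's certificate really covers, per host, via SNI.

Added example (hypothetical helper, not code from the mailing-list thread).
Standard library only.  The pure functions take the dict that
ssl.SSLSocket.getpeercert() returns, so they can run offline on a constructed
certificate dict; probe() performs the live TLS connection.
"""
import socket
import ssl
import sys
import time
from typing import Optional

# Constructed sample in getpeercert() shape; NOT a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "subjectAltName": (
        ("DNS", "example.com"),
        ("DNS", "www.example.com"),
        ("DNS", "*.example.net"),
    ),
    "notBefore": "Jan  1 00:00:00 2022 GMT",
    "notAfter": "Apr  1 00:00:00 2022 GMT",
}


def sans_from_cert(cert: dict) -> list:
    """DNS names from the subjectAltName extension (what browsers match on)."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leftmost wildcard label ('*.example.net')."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        # '*.example.net' covers 'shop.example.net' but neither 'example.net'
        # nor 'a.b.example.net': the wildcard stands for exactly one label.
        return host.endswith(pattern[1:]) and host.count(".") == pattern.count(".")
    return False


def covers(cert: dict, host: str) -> bool:
    """True if any SAN entry of cert covers host."""
    return any(name_matches(name, host) for name in sans_from_cert(cert))


def days_until_expiry(cert: dict, now: Optional[float] = None) -> float:
    """Days left before notAfter; negative once the certificate has expired."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400.0


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Connect with SNI=host.  The chain is verified against the system trust
    store, but hostname checking is left to covers(), so a certificate issued
    for a different site is returned (and then reported as not covering host)
    rather than raised.  Returns (cert_dict, None) on a trusted chain, or
    (None, message) when verification fails (self-signed "default"
    certificate, expired chain, ...)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # name matching is done by covers()
    ctx.verify_mode = ssl.CERT_REQUIRED  # but a trusted chain is still required
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as err:
        return None, err.verify_message


def describe(host: str, cert: Optional[dict], error: Optional[str]) -> str:
    """One-line verdict for a host, built from probe()'s result."""
    if cert is None:
        return f"{host}: NOT TRUSTED ({error})"
    names = ", ".join(sans_from_cert(cert))
    verdict = "covered" if covers(cert, host) else "NAME MISMATCH"
    days = days_until_expiry(cert)
    return f"{host}: {verdict}; expires in {days:.0f} days; SANs: {names}"


if __name__ == "__main__":
    # Usage: python3 certcheck.py goravani.com www.goravani.com jyotishstudio.com
    # With no arguments, evaluate the constructed sample offline.
    if len(sys.argv) == 1:
        print(describe("shop.example.net", SAMPLE_CERT, None))
    for hostname in sys.argv[1:]:
        print(describe(hostname, *probe(hostname)))
```

Run it once per name, including each `www` variant: a "NAME MISMATCH" line for one site while its sibling is "covered" means the server is answering that SNI name with another site's certificate (a vhost selection problem, not a bad certificate), and a "NOT TRUSTED" line names the chain problem the browser is objecting to.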
> On March 4, 2022, at 7:28 PM, Bastiaan Olij <bastiaan at muxworks.com.au> wrote:
>
> Hey Das,
>
> Just checked https://goravani.com and it looks fine. Note that you keep putting http:// as the link in all your emails. When you go through http you do not get an encrypted website. It doesn't automatically switch to https unless you configure your webserver to do so. I noticed this is happening for your readmyastrology.com site.
>
> So I think you're looking at the wrong issue here, it isn't your SSL certificate, it's your site not redirecting to https.
>
> Cheers,
>
> Bas
>
> On 5/03/2022 1:03 pm, Das Goravani wrote:
>> Well it’s odd, but this cert was auto named Goravani.com because that is the first domain I entered when making the cert.
>>
>> Now it doesn't work for Goravani.com either. It too has started showing an insecure logo.
>>
>> Now only readmyastrology.com is secure.
>>
>> And I opened it in Chrome as you stated, looked at what you stated, and it only lists readmyastrology.com and the www variant.
>>
>> I think that place shows you only the current website, and not the other sites covered by the cert.
>>
>> Because I entered all 4 sites into the command when I made this cert.
>>
>> This puzzle has some other cause. I used a multi domain for years and all my sites were secure.
>>
>> Certbot wouldn’t make them if they didn’t work. They work. And they cover all their sites.
>>
>> Something else is afoot.
>>
>> It WAS securing Goravani.com, now that too has gone down for some reason.
>>
>>
>>
>>> On Mar 4, 2022, at 6:41 PM, Andrew Stolarz <stolarz at gmail.com> wrote:
>>>
>>> Das,
>>>
>>> I don't think your SSL cert covers all your domains like you think it does.
>>>
>>> To answer your question "If there was a command that would let you see what
>>> domains are covered by a cert, I’m sure you would see mine has all 4
>>> domains in it with their www counterparts. 8 domains total."
>>>
>>> You can see what domains are covered in the SSL within your browser.
>>>
>>> Using the Google Chrome browser...
>>>
>>> Go to a secure site, click the lock in the browser bar and select
>>> Connection is secure > Certificate is valid.
>>>
>>>
>>> Expand the certificate details and find an area that states "subject
>>> alternative names"; it will list all the DNS names that the cert covers.
>>>
>>>
>>>
>>> Andrew
>>>
>>>
>>>
>>>
>>> On Fri, Mar 4, 2022 at 5:43 PM Das Goravani <goravanis at gmail.com> wrote:
>>>
>>>> Andrew, I hear ya.
>>>>
>>>> However, I have used a multi domain cert from Certbot for nearly 2 years
>>>> through many renewals.
>>>>
>>>> Certbot issues individual or multi domain certs. Multi domain is totally
>>>> normal.
>>>>
>>>> It's working for Goravani.com and readmyastrology.com, off the same cert,
>>>> right now.
>>>>
>>>> The other two should be secure. It’s their cert too.
>>>>
>>>> Only the name is Goravani.com because certbot uses the first domain in the
>>>> cert as the name of the cert, that is all.
>>>>
>>>> It’s really a cert for 4 sites. No problem, normally.
>>>>
>>>> It’s supposed to work, but something is wrong somewhere.
>>>>
>>>> If there was a command that would let you see what domains are covered by
>>>> a cert, I’m sure you would see mine has all 4 domains in it with their www
>>>> counterparts. 8 domains total.
>>>>
>>>> I don’t think that’s the reason 2 of my sites say insecure. I don’t know
>>>> the reason but that is not supposed to be the reason.
>>>>
>>>>
>>>>> On Mar 4, 2022, at 2:09 PM, Andrew Stolarz <stolarz at gmail.com> wrote:
>>>>>
>>>>> Das,
>>>>>
>>>>> I use Let's Encrypt for my sites as well (except on Windows servers). I
>>>>> set up different SSL certs for each site and in the domain setup area, I
>>>>> select which SSL cert it will use. I'm assuming it's similar on the Mac side.
>>>>>
>>>>> When I look at GoravaniJyotish.com, it's saying it's insecure because it's
>>>>> trying to use the SSL cert for Goravani.com instead of its own domain
>>>>> GoravaniJyotish.com.
>>>>>
>>>>>
>>>>> I have always created individual ssl certs for each domain and never ran
>>>>> into this issue.
>>>>>
>>>>>
>>>>> Andrew
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 4, 2022 at 1:35 PM Das Goravani <goravanis at gmail.com> wrote:
>>>>>> Hello $all,
>>>>>>
>>>>>> I have 4 websites served through my Mac server.
>>>>>> They are all set up identically in all places.
>>>>>> They are all 4 covered in my SSL Certificate
>>>>>>
>>>>>> Yet 2 of them are insecure when you access them.
>>>>>> Like the other 2, they should be secure.
>>>>>>
>>>>>> How is it possible? They are all set up identically. That means that in
>>>>>> my Web Server Software they have the exact same settings, which means in
>>>>>> Apache they have the same settings, they are all on the same
>>>>>> certificate, their document root folders are together in the same place,
>>>>>> everything about the 4 is the same except their content of course.
>>>>>>
>>>>>> 2 of them come up secure as they should.
>>>>>>
>>>>>> Goravani.com
>>>>>> ReadMyAstrology.com
>>>>>>
>>>>>> 2 of them come up insecure.
>>>>>>
>>>>>> GoravaniJyotish.com
>>>>>> JyotishStudio.com
>>>>>> They should all four be secure.
>>>>>>
>>>>>> Can you think of anything that would do this odd behavior?
>>>>>>
>>>>>> Thanks in advance,
>>>>>>
>>>>>> Das Goravani
>>>>>>
>>>>>> Ps: I worked out my web server and mail server problems.
>>>>>> _____________________________________________________________
>>>>>> Manage your list subscriptions at https://lists.omnis-dev.com
>>>>>> Start a new message -> mailto:omnisdev-en at lists.omnis-dev.com
>
> --
> Kindest Regards,
>
> Bastiaan Olij
> bastiaan at muxworks.com.au
> +61-432144833
>
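Two server-side points run through the thread: Bas's observation that http:// links never become https:// unless the web server redirects them, and Andrew's observation that a site can end up presenting another site's certificate. In Apache both are per-VirtualHost settings, so "all four set up identically" only holds if every name has its own port-80 redirect vhost and its own port-443 vhost with SSLEngine on; a name with no matching SSL vhost is answered by the first vhost on that port, whose certificate (here, a self-signed "default" one or the Goravani.com one) is then served for it. The fragment below is an added example for one of the four sites, not configuration from anyone in the thread. It assumes a stock Apache with mod_ssl (not macOS Server.app), the certbot live/ directory layout with the certificate directory named after the first domain as Das describes, and a placeholder DocumentRoot; mod_headers is needed for the optional HSTS line.

```apache
# Added example; paths are assumptions (certbot default layout), adjust locally.

# Port 80: serve nothing, just send every request to HTTPS.
<VirtualHost *:80>
    ServerName goravanijyotish.com
    ServerAlias www.goravanijyotish.com
    Redirect permanent / https://goravanijyotish.com/
</VirtualHost>

# Port 443: one such block per site, so Apache selects it by the SNI name the
# browser sends instead of falling back to the first vhost on the port.
<VirtualHost *:443>
    ServerName goravanijyotish.com
    ServerAlias www.goravanijyotish.com
    DocumentRoot /path/to/goravanijyotish   # placeholder
    SSLEngine on
    # fullchain.pem = leaf certificate plus the intermediates the server sends;
    # the same multi-domain certificate can be referenced from all four vhosts.
    SSLCertificateFile    /etc/letsencrypt/live/goravani.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/goravani.com/privkey.pem
    # Optional, once all four sites serve HTTPS cleanly (requires mod_headers):
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
```

After `apachectl configtest` and a reload, repeat the SSL Labs test Doug links above for each of the four names, not just the first: the report is per hostname, and it is also where the served chain is shown. The "Path #2 ... DST Root CA X3 ... EXPIRED" entry in Doug's report is the long Let's Encrypt chain (ISRG Root X1 cross-signed by the expired DST Root CA X3), which current browsers accept via Path #1 but some older clients reject; if that matters for your visitors, certbot's `--preferred-chain "ISRG Root X1"` option selects the shorter chain at renewal.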