ERR_INVALID_CERT_AUTHORITY on Cloudflare universal certificate (Google Chrome suspected)

I am having this strange issue with SSL on my site. The domain is pointed towards Cloudflare and I am using flexible SSL settings. The universal default certificate is set on Cloudflare.
Now on all my devices (Android, iOS, Windows, and any browser: Edge, Chrome, Safari) it works perfectly. But some users are complaining that they get NET::ERR_INVALID_CERT_AUTHORITY.
I have tried it with a lot of versions of Google Chrome (56-77). Both developers on the team have tried it, and it also works for other people I know. But some users (according to the client, 70%) face this issue. Even the client is not having this issue.
Website is: https://beinhaoranim.co.il or https://www.beinhaoranim.co.il
Please don't mark this as a duplicate or something like that. I have searched through the whole web and my problem is unique. Other solutions are mostly related to Google Chrome and it's the same on all devices.

I also faced the same issue a long time ago, which you can read about in my post ERR_CERT_AUTHORITY_INVALID. I am explaining the same below.
The main reason is an "SSL Certificate" conflict. What was happening is that there was already an SSL on the hosting, and sometimes the SSL is self-signed, so make sure there is no other SSL certificate for that site, as it will conflict with the SSL provided by CloudFlare.
Download the SSL provided by CloudFlare and install it on the hosting. Remove any earlier SSL of that site first. Wait for up to 24 hours so that new changes are reflected everywhere.

Related

How to access a device that has invalid SSL certificate from linux mint/debian?

I have several devices that have invalid SSL certificates, mostly old routers, iDRAC, iLO etc.
It now appears to be impossible to access these devices via Chrome and Firefox.
In the past I have been able to add exceptions to access these devices, but I no longer seem to get the options.
Now I understand fully that these devices should be upgraded and I know there are very big risks when ignoring certificate errors, so please do not put a ton of replies telling me to upgrade, as this is not always possible; some of these devices do not have any upgrades available! Also, how do you upgrade a device that can be upgraded if you can't access it in the first place?
So the question is, is it possible to tell Chrome or Firefox to ignore all SSL/certificate errors (like invalid certificate or incorrect SSL version), or is there an alternative browser that will work in their place that still allows things like JavaScript etc. to run? I have tried a few browsers like falcon/surf/hv3 but none of these work.
I can't find any method for the latest versions of Chrome, and the only thing I could find for Firefox was 'security.ssl.enable_ocsp_stapling', and that didn't seem to make any difference :(
I would prefer to use my current install rather than creating a VM and running a totally outdated OS, which also creates problems with SSH and VPN access.
As requested, an example of the error when accessing an old Draytek router via Firefox, with no option given to bypass:
Secure Connection Failed
An error occurred during a connection to IP-ADDR.
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the web site owners to inform them of this problem.
Chrome error when trying to access HP iLO, get option to ignore, but then get :
This site can’t be reached
The web page at https://IP-ADDR/login.htm might be temporarily down or it may have moved permanently to a new web address.
ERR_SSL_BAD_RECORD_MAC_ALERT
But in general I am looking to be able to access sites that Chrome & Firefox have decided in the last year or so that I am incapable of deciding if I trust the site (emphasis on the 'I').
Both of these errors do not seem to be related to the certificate at all and can therefore not be solved by ignoring certificate problems. These are not trust problems but these are protocol incompatibility problems.
The problem with HP iLO is likely because the device supports only SSL 3.0, which has been insecure for years and thus is not usable in any modern browser and OS. The problem with the Draytek router is not fully clear (there should be more information available in the browser) but it is likely similar, i.e. only SSL 3.0 or some cipher like RC4 that is unsupported because it is insecure.
One option to deal with these devices is to install some older OS (like Ubuntu 12.04 or even older) in a virtual machine and use the browser from this machine to access the device. And of course note that these devices are long out of support and continued use might cause security risks.

ssl and chrome: err_ssl_protocol_error from time to time fixed with f5

We're having some issues on some machines related to SSL when connecting to our sites through HTTPS. Sometimes, some of the users get the err_ssl_protocol_error when they try to load one of the sites. Now, the weird thing is that hitting F5 solves the issue and the page that was returning the SSL error gets miraculously loaded. We've already tried most online suggestions (checking date and time, cleaning the browser/SSL cache, etc).
We have changed the SSL certificate recently (a month ago), but the issues have only started now. BTW, all our requests go through our firewall (forti adc), which is responsible for enforcing HTTPS for all our clients.
Any clues on why we're getting this error?
edit: adding more info
sites are hosted in iis (windows server 2016)
our firewall is running forti adc
the requests go through a load balancer before hitting firewall
the firewall has the wildcard certificate used for ssl (all. sites)
sites are built with aspnet
it only happens on some pcs, and only with chrome (Firefox is working without any problems)
edit 2: More info from wireshark
So, I've used wireshark to capture the traffic and when I get the ERR_SSL_PROTOCOL_ERROR on chrome, I've noticed that wireshark is showing me an alert with a decrypt error in response to the server hello message:
Any clues on what's going on here?
After lots of digging and testing, it seems like there's an issue with openssl and ECDHE algorithms. Changing the algorithm to a non ECDHE seems to have solved the issue for our chrome users...

Empty Response only on HTTPS, only with Google Chrome

For the last few months we've had a client site working fine over HTTPS and HTTP, however as of a week or two ago we've had intermittent reports of it failing in Google Chrome.
As of last week I also got the issue, which is Chrome claiming ERR_EMPTY_RESPONSE to all requests sent through HTTPS.
This isn't replicated in any other browsers and the Security tab of the inspector declares the certificate valid and all page resources secure.
Anyone got some suggestions? I'm at a loss as to what to do, it feels like it might be a browser bug itself...
[Originally provided by a user called #daFlame, but it then got deleted within a few hours?]
The issue is caused by Chrome struggling with the cipher suites cPanel uses by default. CPanel are aware of the issue, and I've reported a ticket to Chrome.
CPanel's workaround can be found here, but I'll provide a summary:
Go to WHM >> Service Configuration >> Apache Configuration >> Global Configuration
Then find the value SSL Cipher Suite and change it from the default to:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS`
Once Apache is rebuilt, the errors stop.
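Before applying a cipher string like the one above, it helps to see what each entry negotiates. The script below is an added example, not part of the original answer or of cPanel's documentation; it splits that string and labels every suite by key exchange and encryption type so that 3DES and non-forward-secret entries stand out. The function names are hypothetical, and it only understands the TLS 1.2-style suite names that appear in this list.

```bash
#!/usr/bin/env bash
# Added example. LIST is the cipher string quoted in the answer above.
set -eu
LIST='ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'

# Print "<suite> <key-exchange> <encryption>" for each suite named in cipher string $1.
# Assumption: only the TLS 1.2-style names used in this list are recognised.
classify() {
  local IFS=':' s kex enc
  for s in $1; do
    # Entries starting with ! - + @ are exclusions or directives, not suites.
    case "$s" in '!'*|'-'*|'+'*|'@'*) continue ;; esac
    case "$s" in
      ECDHE-*)     kex=ECDHE ;;
      DHE-*|EDH-*) kex=DHE ;;
      *)           kex=RSA ;;   # no prefix: static RSA key exchange, no forward secrecy
    esac
    case "$s" in
      *DES-CBC3*) enc=3DES ;;   # 64-bit block cipher
      *GCM*)      enc=AEAD ;;
      *)          enc=CBC ;;
    esac
    echo "$s $kex $enc"
  done
}

# Count suites whose field $2 (2 = key exchange, 3 = encryption) equals $3.
count_where() {
  classify "$1" | awk -v f="$2" -v v="$3" '$f == v { n++ } END { print n + 0 }'
}

# List the names of the suites matching the same condition, space-separated.
names_where() {
  classify "$1" | awk -v f="$2" -v v="$3" '$f == v { printf "%s%s", sep, $1; sep = " " }'
}

echo "suites listed:        $(classify "$LIST" | wc -l)"
echo "AEAD (GCM) suites:    $(count_where "$LIST" 3 AEAD)"
echo "static RSA (no PFS):  $(count_where "$LIST" 2 RSA)"
echo "3DES suites:          $(names_where "$LIST" 3 3DES)"
```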

How to fix NET::ERR_CERT_AUTHORITY_INVALID on my site while using google chrome on macOS Sierra Version 10.12?

When I tried to open my site (https://thaimeditationcenter.com/) in Google Chrome on my Mac running macOS Sierra Version 10.12, I got an error like this.
Your connection is not private
Attackers might be trying to steal your information from thaimeditationcenter.com
(for example, passwords, messages, or credit cards). NET::ERR_CERT_AUTHORITY_INVALID
Automatically report details of possible security incidents to Google. Privacy policy
But when I open it in Firefox, Safari or Google Chrome on my iPhone it seems fine; there was no error at all.
How can I fix this?
Thanks!
According to SSLLabs your site is not configured properly:
Chain issues Incomplete
This means that a chain certificate is missing. Some browsers cache chain certificates when visiting other sites and therefore can work around this problem. Other browsers try to download the missing chain certificate. The rest will fail because the trust chain cannot be built.
To fix this you need to add the missing chain certificate to your server configuration. While doing that you should probably also fix all the other problems shown by the SSLLabs report which lead to a bad Grade F for your site.
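The incomplete-chain failure described in this answer can be reproduced offline. The script below is an added example, not part of the original answer: it builds a throwaway root, intermediate and leaf with the openssl CLI, then verifies the leaf the way a client with no cached intermediate would (root only) and the way it verifies once the server sends the intermediate. All names, subjects and file paths are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example: all keys and certificates are generated locally as throwaway test data.
set -eu

# Build a root -> intermediate -> leaf chain inside directory $1.
make_chain() {
  local d="$1" name cn issuer ext
  cat > "$d/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$d/x.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  for name in int leaf; do
    if [ "$name" = int ]; then cn="Demo Intermediate CA"; issuer=root; ext=v3_ca
    else cn="demo.example"; issuer=int; ext=v3_leaf; fi
    openssl req -new -config "$d/x.cnf" -newkey rsa:2048 -nodes -subj "/CN=$cn" \
      -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
    openssl x509 -req -in "$d/$name.csr" -CA "$d/$issuer.pem" -CAkey "$d/$issuer.key" \
      -CAcreateserial -extfile "$d/x.cnf" -extensions "$ext" -days 2 \
      -out "$d/$name.pem" 2>/dev/null
  done
}

# $1 = trusted root, $2 = leaf, $3 = optional PEM file of intermediates the server sends.
# Prints "complete" if a path to the root can be built from what was sent, else "incomplete".
chain_status() {
  local root="$1" leaf="$2" sent="${3:-}"
  if openssl verify -CAfile "$root" ${sent:+-untrusted "$sent"} "$leaf" >/dev/null 2>&1
  then echo complete
  else echo incomplete
  fi
}

d=$(mktemp -d)
make_chain "$d"
echo "server sends leaf only:           $(chain_status "$d/root.pem" "$d/leaf.pem")"
echo "server sends leaf + intermediate: $(chain_status "$d/root.pem" "$d/leaf.pem" "$d/int.pem")"
rm -rf "$d"
```

The leaf is identical in both runs; only what accompanies it changes, which is why clients that already hold the intermediate see no error while others do.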

Google Chrome returning 503 Service Unavailable

I have been having an issue lately with Google Chrome. Some sites, which seem to be completely random, are returning a 503 Service Unavailable error message. The last one I received was from my hosting provider when trying to access my CPanel. I can access the same URL completely fine in Firefox or IE. It seems to be isolated to Chrome.
I have tried the following:
Disabled all extensions
Logged in/out of my Google account
Cleared all cache and history
So far, nothing seems to correct the issue. It's becoming more and more aggravating from what was once a pretty reliable browser.
I am running:
Windows 7
Chrome Version 36.0.1985.143 m
I was hitting the same issue. Mostly, it would occur on intranet sites at work, but it happened with a few exterior sites. Loading in IE Tab would work fine.
I was able to solve the issue by upgrading to 64-bit Chrome. I'm not sure why that fixed it, but I think it had something to do with a conflict between Java and Chrome (It looks like I have both 64bit and 32bit Java installed side-by-side).
My solution:
Uninstall Chrome with the clear personal data option selected
Install Chrome again but without admin rights (install for your personal user)
Use Chrome as normal