So I'm currently trying to set up a website over https. I have a webserver running Ubuntu and Apache2, and DNS records are set to direct example.com and www.example.com traffic. I have a valid certificate from GoDaddy configured on the website.

When I navigate to the website on Chrome on Windows 10 and 11, the website shows up just fine. On Google Chrome on Android it works as well. But on Safari on an iPhone, the website shows up as not secure, nor does it work for Chrome on Linux, even though wget on Linux doesn't complain. If I open the actual certificate on any of the machines, all of them are listed as valid. Other websites certified by GoDaddy, such as godaddy.com, work just fine on all machines.

The certificate itself has a CN of example.com, but neither www.example.com nor example.com work on Safari. My current Apache configuration points to the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile.

2
  • 2
    You should give much more detailed information about your certificate, and if possible publish it for us.
    – harrymc
    Commented Dec 22, 2023 at 10:12
  • 2
    Check the site with SSLLabs and look out for problems. The problem you describe might be caused by an incomplete setup, where it is properly configured for IPv4 but improperly for IPv6.
    Commented Dec 22, 2023 at 13:11

1 Answer

2

Your operating system's certificate store might not consider the certification authority trustworthy, maybe the cipher strength is not enough etc. These trust evaluations often differ from OS to OS and between different points in time. So looking at the versions of the used software is very important.

Virtual hosters sometimes deliver their own certificate as a second certificate for their server which might cause the SSL connection to fail, despite the customer's certificate being valid and correctly configured.

You can test your server's certificate(s) and SSL setup with Qualys' SSL server test to find potential configuration issues.

If you want to achieve an A+ rating with a 100 score in each of the domains "Certificate", "Protocol Support", "Key Exchange" and "Cipher Strength", follow these guides from Qualys:

At the time of writing, at least 4096 bits of key or DH parameter strength are required for a 100% key exchange score and at least 256 bits of cipher strength for a 100% cipher strength score.

For an A+ score, HTTP Strict Transport Security (HSTS) with a max-age of 6 months or more is required, in addition to a good configuration without warnings.

2
  • 1
    I suppose it does help to use something newer than the trusty old openssl x509 command. Thanks! In my case, the grade popped up a B, warning me I had trouble with forward secrecy. I poked around looking for modern sources on forward secrecy in Apache and found this link which bumped my grade to an A.
    – guninvalid
    Commented Dec 22, 2023 at 21:22
  • 1
    I added guides for achieving an A+ rating and 100% scores in Qualys' SSL server test.
    Commented Dec 23, 2023 at 11:40
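
A sketch of Apache settings that line up with the points raised in the answer and in the forward-secrecy comment above. It is an added example, not taken from the answer, from the Qualys guides or from the commenter's link. The file paths are placeholders, and the cipher list, the curve and the one-year max-age are assumptions.

```apache
# Hypothetical virtual host; every path below is a placeholder.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName example.com
    ServerAlias www.example.com

    SSLEngine on
    # Leaf certificate followed by the CA's intermediate certificate(s) in one
    # PEM file. SSLCertificateChainFile became obsolete with Apache 2.4.8, when
    # SSLCertificateFile was extended to load intermediates as well.
    SSLCertificateFile    /etc/ssl/example/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/example/privkey.pem

    # Weak, shown for contrast only: every protocol the OpenSSL build offers
    # and cipher suites without ephemeral key exchange.
    #   SSLProtocol all
    #   SSLCipherSuite HIGH:MEDIUM
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # TLS 1.2: ECDHE/DHE only (forward secrecy) with 256-bit AEAD ciphers.
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384
    # TLS 1.3 suites are configured separately (Apache 2.4.36+, OpenSSL 1.1.1+).
    SSLCipherSuite TLSv1.3 TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256
    SSLHonorCipherOrder on

    # DH parameters for the DHE suite, generated beforehand with:
    #   openssl dhparam -out /etc/ssl/example/dhparams.pem 4096
    SSLOpenSSLConfCmd DHParameters /etc/ssl/example/dhparams.pem
    # Curve offered for ECDHE (assumption; older clients may not support it).
    SSLOpenSSLConfCmd Curves secp384r1

    # HSTS needs mod_headers. 31536000 s is one year, above the six months
    # the answer mentions.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>
</IfModule>
```

Turn on the HSTS header only once the certificate validates in every client you care about, because browsers that have cached it will refuse to click through certificate errors for the whole max-age period. Re-run the SSL server test after each change, since a list this strict drops older clients.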
