SSL: How can an SSL certificate work for some clients only?


My hosting provider has recently re-issued and re-installed an SSL certificate for my domain, after they let the old one expire by mistake.

I am now able to browse the website over HTTPS again, and so is my host, and so are a number of other users.

However, some users (at least a dozen out of hundreds) are still getting "Your connection is not secure" error messages on different browsers and platforms. (It is proving difficult to diagnose an issue I cannot reproduce.)

I understand different browsers use different lists of Certification Authorities (CAs).

  1. How come a user running the same version of Firefox as I am (45.0.1 on OS X) is getting a SEC_ERROR_UNKNOWN_ISSUER error (for my site only) while I'm not? What makes it possible? Said user cleared his cache and rebooted his laptop.

I ran an SSL check on digicert.com. The result is this:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against
Mozilla's root store). If you bought the certificate from a trusted
authority, you probably just need to install one or more Intermediate
certificates. Contact your certificate provider for assistance doing
this for your server platform.

  2. How come I am able to connect to the site without SSL error if this is the case?

Best Answer

The certificate chain of your certificate is incomplete. Most likely your provider failed to install some intermediate certificate when installing the new certificate.

Most of the time such intermediate certificates are provided by the SSL authority to provide support for some older browsers and operating systems. That's the reason that, while it works for you, it doesn't work for some of your clients.

A really great utility to check for SSL issues with your website is the SSL Server test by SSLlabs. As you can see in the link above, not only are you having a chain issue here, but also the signature algorithm used to create your cert is a weak one, your webserver is still vulnerable to the POODLE attack and still supports RC4, which is also considered insecure ...

I don't want to say anything against your webserver provider, but in your position I would mail them asking that they fix all these issues ASAP, or change to another provider ...
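The incomplete-chain situation the answer describes can be reproduced offline. The script below is an added example, not from the question or answer: it builds a throwaway root / intermediate / leaf hierarchy with openssl (all names are constructed, not the asker's domain) and then verifies the leaf once without and once with the intermediate, which is the difference between a server that omits the intermediate and one that sends it. A client that has never seen the intermediate before fails exactly like the first case; a browser that cached the intermediate from an earlier visit to another site passes like the second, which is why the same error does not show up for everyone.

```shell
#!/bin/sh
# Added example: demonstrate why a missing intermediate breaks verification.
# Requires the openssl CLI. All certificates here are throwaway test data.
set -eu
WORK="$(mktemp -d)"

# Build root -> intermediate -> leaf (constructed names, short lifetimes).
make_chain() (
  cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout root.key -out root.pem \
    -subj "/CN=Example Test Root CA" -days 2 >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
    -subj "/CN=Example Test Intermediate CA" >/dev/null 2>&1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' \
    > inter.ext
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -out inter.pem -days 2 -extfile inter.ext >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > leaf.ext
  openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -out leaf.pem -days 2 -extfile leaf.ext >/dev/null 2>&1
)

# verify_leaf ROOT_STORE [UNTRUSTED_CHAIN]
# Succeeds only if openssl reports the leaf as OK against the root store.
# The optional second argument plays the intermediates a server would send.
# We grep the output instead of trusting the exit code, which older openssl
# releases did not set reliably for 'verify'.
verify_leaf() {
  if [ "$#" -ge 2 ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" 2>&1
  else
    openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1
  fi | grep -q 'leaf.pem: OK'
}

# Server omits the intermediate: client with only the root store fails
# (Firefox reports this as SEC_ERROR_UNKNOWN_ISSUER). Returns 0 when it fails.
broken_chain_fails() { ! verify_leaf "$WORK/root.pem"; }

# Server sends the intermediate as well: verification succeeds.
complete_chain_ok() { verify_leaf "$WORK/root.pem" "$WORK/inter.pem"; }
```

To inspect what a real server actually sends, `openssl s_client -connect host:443 -servername host -showcerts` prints every certificate in the handshake; if only the leaf appears, the intermediate is missing on the server side.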