Andy Burns wrote:
> SSL certificates can be had for free, e.g. from LetsEncrypt, where is
> the site hosted?
Heart. I've only recently looked at this and their service looks pretty rubbish:
Think I'll go with Mythic Beasts.
On 21/07/2024 18:30, RJH wrote:
> I do a web site for a small magazine

My browser accepted that http:// link without "promoting" it to https://

> I've had a few reports of people finding it impossible to access. The latest,
> from an Android phone, returns the message 'Your connection is not private' .
> The site is: http://post16educator.org.uk

but many devices will try to use https, and then object because the site
only has a self-signed certificate, which nothing is going to trust.
SSL certificates can be had for free, e.g. from LetsEncrypt, where is
the site hosted?
Think I'll go with Mythic Beasts. I followed a thread on here about them recently . . .
Cheers, Rob, Sheffield UK
Hope this isn't too far off-topic . . . I do a web site for a small magazine -
it's basically a repository for their articles, with a few pictures.
I've had a few reports of people finding it impossible to access. The latest, from an Android phone, returns the message 'Your connection is not private' . . . hackers might be trying to steal your data, passwords, credit cards (etc),
with the footnote NET::ERR_CERT_AUTHORITY_INVALID.
Could this be because it's an http address - and not https? Or some zealous protection on phones - also Windows users have reported the same problem? or maybe the site has been blacklisted somewhere.
Any ideas on how to get round this appreciated. I'm no expert, but the people accessing the site are pretty clueless when it comes to such things.
They give instructions for "the complicated way" which they say you
probably shouldn't use
<https://www.mythic-beasts.com/support/domains/letsencrypt_dns_01>
But I can't see instructions for "the straightforward way" ...
RJH <patchmoney@gmx.com> wrote:
> Hope this isn't too far off-topic . . . I do a web site for a small magazine -
> it's basically a repository for their articles, with a few pictures.
> I've had a few reports of people finding it impossible to access. The latest,
> from an Android phone, returns the message 'Your connection is not private' .
> . . hackers might be trying to steal your data, passwords, credit cards (etc),
> with the footnote NET::ERR_CERT_AUTHORITY_INVALID.
> Could this be because it's an http address - and not https? Or some zealous
> protection on phones - also Windows users have reported the same problem? or
> maybe the site has been blacklisted somewhere.

Some browsers automatically upgrade http to https if there's something listening on the https port, which there is in this case. Unfortunately what's listening there is broken.

> Any ideas on how to get round this appreciated. I'm no expert, but the people
> accessing the site are pretty clueless when it comes to such things.

First step is to use an SSL/TLS checker:
https://www.ssllabs.com/ssltest/analyze.html?d=post16educator.org.uk&latest
which shows several problems:
Common names: post16educator.ifyoucan.org.uk
Alternative names: post16educator.ifyoucan.org.uk mail.post16educator.org.uk post16educator.org.uk www.post16educator.ifyoucan.org.uk www.post16educator.org.uk cpanel.post16educator.org.uk webmail.post16educator.org.uk webdisk.post16educator.org.uk cpcontacts.post16educator.org.uk cpcalendars.post16educator.org.uk autodiscover.post16educator.org.uk
Valid until: Sat, 25 Jun 2022 02:34:21 UTC (expired 2 years ago) EXPIRED
Trusted: No NOT TRUSTED
Mozilla Apple Android Java Windows
and the reason for that being:
1 Sent by server
Not in trust store
post16educator.ifyoucan.org.uk Self-signed
Fingerprint SHA256: 788d1ad2f35d76f27f5ae88bb8c67ef4e962c5df4af99aede3a8643c248811c4
Pin SHA256: GxRKjr83KTrgJxxC93UOz1AOin6srnmXGhAmxonOqVQ=
RSA 2048 bits (e 65537) / SHA256withRSA
Valid until: Sat, 25 Jun 2022 02:34:21 UTC
EXPIRED
So there's two problems. The main one is the certificate is self-signed,
not from a known certification authority. Roughly, that's a bit like the process where you might need to get your doctor to sign your passport photo as a true likeness, but instead you sign it yourself - now nobody can trust the photo. The other problem is that it's two years out of date.
The easier way to resolve this is to get a free certificate from Let's Encrypt, who will vouch for your site if you configure it a particular way.
You can't do this yourself on a shared server, but Heart should be able to
do it - ask them. If they refuse then they're clueless and you need a new host.
Theo
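
The two findings in the report above (self-signed, expired) can also be checked from a shell with openssl. This is an added example, not part of the thread; the function names are hypothetical and the sample certificate for `example.test` is constructed locally so the script runs offline.

```shell
#!/bin/sh
# Added example: classify a certificate as self-signed and/or expired.

# Fetch the leaf certificate a server presents (needs network; not used by the demo).
fetch_cert() {  # usage: fetch_cert host > cert.pem
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

# Print "self-signed" when subject and issuer names match, else "ca-issued".
# This is a name-level check only; it does not verify the signature.
issuer_status() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    if [ "$subj" = "$iss" ]; then echo self-signed; else echo ca-issued; fi
}

# $2 is a horizon in seconds: 0 asks "expired now?", N asks "expires within N seconds?".
expiry_status() {
    horizon=${2:-0}
    if openssl x509 -in "$1" -noout -checkend "$horizon" >/dev/null; then
        echo valid
    elif [ "$horizon" -eq 0 ]; then
        echo expired
    else
        echo expiring
    fi
}

# Constructed sample: a throwaway self-signed certificate valid for one day.
make_sample_cert() {  # usage: make_sample_cert outdir
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# One-line summary, e.g. "self-signed expired".
check_cert() {
    echo "$(issuer_status "$1") $(expiry_status "$1" "${2:-0}")"
}

# Demo: a 2-day horizon makes the 1-day sample certificate report as expiring.
tmp=$(mktemp -d) && make_sample_cert "$tmp" && check_cert "$tmp/cert.pem" 172800
rm -rf "$tmp"
```

A certificate issued by a public CA reports `ca-issued` here, and a renewal job can alert on `expiring` with a horizon of a few weeks.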