
I just added mod_ssl with a signed certificate, but I can't figure out why Google Chrome is marking my connection as untrusted.

[Screenshot: my website details]

However, another website has almost the same details, but Google Chrome is not marking it as untrusted:

[Screenshot: the other website]

Can someone help me understand why Google Chrome is marking my website as untrusted?

EDIT 1 (adding certificate information): [Screenshot: certificate information]

  • Perhaps your site is embedding resources (scripts, stylesheets, images, …) that are not loaded via HTTPS as well? Check the browser console, that should tell you about such issues. – CBroe Jul 15 '15 at 10:44
  • Check with this: https://www.sslshopper.com/ssl-checker.html#hostname= Most likely you have to include the full trust chain in the certificate. – Alex Tartan Jul 15 '15 at 10:45
  • @CBroe no resources are loaded externally – Ahmed Wahba Jul 15 '15 at 11:20
  • @AlexTartan, I added the chain in Apache httpd.conf. I can also see the chain in the certificate details, and the certificate status says "certificate is ok" – Ahmed Wahba Jul 15 '15 at 11:23
  • The difference I see between the two examples you posted is that your site is internal (not accessible from the internet). Maybe this will help http://security.stackexchange.com/questions/73167/will-cas-still-validate-internal-ips-in-ssl-certs – Alex Tartan Jul 15 '15 at 11:32
  • @AlexTartan I hope you are correct. I noticed that IE and Firefox are not complaining, so the issue is related to Google Chrome only. – Ahmed Wahba Jul 15 '15 at 13:15
  • Do you have a SHA1 certificate and does it (or any intermediate chain certificate) expire after 1/1/2017? Chrome had announced their SHA-1 deprecation plan last year. See http://googleonlinesecurity.blogspot.com/2014/09/gradually-sunsetting-sha-1.html – Anand Bhat Jul 15 '15 at 18:10
  • @AnandBhat, thank you :) I added certificate information to the post, and yes, it expires 06/21/2018 as you mentioned. I can now understand, as the other site I am comparing with has its certificate ending in December 2016. Please add an answer so I can accept it :) – Ahmed Wahba Jul 16 '15 at 07:15

1 Answer

Per Google's note on SHA-1 deprecation,

Sites with end-entity certificates that expire on or after 1 January 2017, and which include a SHA-1-based signature as part of the certificate chain, will be treated as “affirmatively insecure”. Subresources from such domain will be treated as “active mixed content”.

The current visual display for “affirmatively insecure” is a lock with a red X, and a red strike-through text treatment in the URL scheme.

[Image: Google Chrome showing an “affirmatively insecure” site]

Anand Bhat
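The rule quoted in the answer, applied to the two sites compared in the question, as an added example that is not part of the original answer. It parses trimmed, constructed `openssl x509 -noout -text` output listed leaf first; the host names, CA names and every date other than the 06/21/2018 expiry are assumptions, and the self-signed root is skipped on the assumption that a trust anchor's own signature is not what the browser evaluates.

```python
import re
from datetime import datetime

# Cutoff from the policy quoted in the answer: "on or after 1 January 2017".
CUTOFF = datetime(2017, 1, 1)

CERT_RE = re.compile(
    r"Signature Algorithm:\s*(?P<alg>\S+).*?Issuer:\s*(?P<issuer>[^\n]+)"
    r".*?Not After\s*:\s*(?P<end>[^\n]+).*?Subject:\s*(?P<subject>[^\n]+)",
    re.S)

def parse_chain(text):
    """Parse concatenated `openssl x509 -noout -text` output, leaf first."""
    chain = []
    for block in text.split("Certificate:")[1:]:
        m = CERT_RE.search(block)
        if m is None:
            raise ValueError("unrecognised certificate block")
        cert_info = {k: v.strip() for k, v in m.groupdict().items()}
        cert_info["end"] = datetime.strptime(cert_info["end"], "%b %d %H:%M:%S %Y GMT")
        chain.append(cert_info)
    if not chain:
        raise ValueError("no certificates found")
    return chain

def sha1_flagged(text):
    """Return (flagged, subjects of the SHA-1-signed certificates that count)."""
    chain = parse_chain(text)
    # Skip a self-signed root: only signatures below the trust anchor are checked.
    signed = [c for c in chain if c["issuer"] != c["subject"]]
    offenders = [c["subject"] for c in signed if "sha1" in c["alg"].lower()]
    # The rule keys on the end-entity (first) certificate's expiry date.
    return bool(offenders) and chain[0]["end"] >= CUTOFF, offenders

def cert(alg, issuer, end, subject):
    """Build trimmed openssl-style text for one constructed sample certificate."""
    return (f"Certificate:\n    Data:\n        Signature Algorithm: {alg}\n"
            f"        Issuer: {issuer}\n        Validity\n"
            f"            Not After : {end}\n        Subject: {subject}\n")

# Constructed samples; only the 2018 expiry and "December 2016" come from the page.
CA, ROOT = "CN=Example Issuing CA", "CN=Example Root CA"
INTERMEDIATE = cert("sha1WithRSAEncryption", ROOT, "Jan  1 00:00:00 2025 GMT", CA)
MY_SITE = cert("sha1WithRSAEncryption", CA, "Jun 21 23:59:59 2018 GMT",
               "CN=mysite.example") + INTERMEDIATE
OTHER_SITE = cert("sha1WithRSAEncryption", CA, "Dec 15 23:59:59 2016 GMT",
                  "CN=other.example") + INTERMEDIATE
SHA1_ROOT_ONLY = (cert("sha256WithRSAEncryption", ROOT, "Jun 21 23:59:59 2018 GMT",
                       "CN=new.example")
                  + cert("sha1WithRSAEncryption", ROOT, "Jan  1 00:00:00 2030 GMT", ROOT))
```

Calling `sha1_flagged(MY_SITE)` flags the chain, while `OTHER_SITE` carries the same SHA-1 signatures but falls before the cutoff, which matches the difference the asker observed between the two sites.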