How to Solve the Most Common SSL-Related Browser Warnings

by sslstreet admin


Posted on August 13, 2018 05:48 am


The SSL Street

Common SSL-related browser warnings are something that everyone comes across at some point. These warnings are generated to protect users from unsecured connections. Without appropriate knowledge, users tend to ignore them, because it is difficult for an ordinary user to distinguish between normal warnings and serious ones. This can result in a bad user experience. To address this issue, Google has released the results of a study on browser warnings under the heading ‘Where the Wild Warnings Are: The Root Cause of Chrome HTTPS Certificate Errors’. The main idea behind the investigation was to resolve benign errors without affecting legitimate errors.

Without wasting time, let’s discuss the most common SSL-related browser warnings and possible solutions.

Common SSL related browser warnings

Google collected a sample of around 300 million errors within one year. The cause of two-thirds of these errors was classified and organized into three categories:

  1. Server error: It arises when the server presents an invalid or incomplete certificate chain. For example:

    1. Server date error

    2. Server name mismatch error

    3. Server authority invalid error

  2. Client error: It occurs when the client cannot validate a certificate chain from a properly configured server. For example:

    1. Incorrect client clock

    2. Anti-virus errors

  3. Network error: This type of error arises when a network appliance intercepts an https:// connection and replaces the certificate chain with one that the client can’t validate.

Solutions to most common SSL related browser warnings

  1. Server date error: Expired certificates are the main cause of almost all server date errors. The simple solution for such errors is ‘do not let your SSL certificate expire’. You may have certificates from different Certificate Authorities (CAs), and it can be difficult to keep track of each and every issued certificate. To resolve this, all you need is a management platform and an inventory tool.

Solution:

  • Inventory tool: it will locate all the certificates that you have installed and the respective CAs that issued them.

  • You can also use APIs and the ACME protocol to keep track of installed SSL certificates.

  2. Server name mismatch error: When a Comodo Wildcard SSL certificate is installed, it is important to include all sub-domain names along with the host domain. You can cover a name either within the scope of the wildcard or by listing the specific domain name. Remember that the ‘www’ and ‘non-www’ versions of a domain are not one and the same. A wildcard error can arise from an oversight or from multiple levels of sub-domain. For example, if you have installed a certificate for *.mysite.com, it may not cover ‘example.shop.mysite.com’.

Solution:

  • You have to include both on the certificate or list them under the Wildcard SSL certificate.

  • Double-check each host name when including it in your certificate.
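A pre-issuance check for the name mismatch case, as an added example that is not part of the original article: it applies the common browser rule that a wildcard stands for exactly one leftmost label, so *.mysite.com covers neither mysite.com nor example.shop.mysite.com. The host names and SAN lists are constructed sample data built around the article's mysite.com example.

```python
# Added example: which host names are NOT covered by a certificate's SAN list?
# Simplification: only a whole-label "*" in the leftmost position is treated as
# a wildcard; partial wildcards such as "w*.mysite.com" are compared literally.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(host, pattern):
    """True if a single SAN dNSName entry covers the host name."""
    h, p = _labels(host), _labels(pattern)
    if len(h) != len(p):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        # Require at least two fixed labels after "*" so "*.com" is rejected.
        return len(p) >= 3 and h[1:] == p[1:]
    return h == p

def uncovered(hosts, sans):
    """Return the hosts that would trigger a name mismatch warning."""
    return [h for h in hosts if not any(san_matches(h, s) for s in sans)]

# Constructed sample data.
HOSTS = ["mysite.com", "www.mysite.com", "shop.mysite.com",
         "example.shop.mysite.com"]
WILDCARD_ONLY = ["*.mysite.com"]
FIXED_SANS = ["mysite.com", "*.mysite.com", "*.shop.mysite.com"]

if __name__ == "__main__":
    print("wildcard only :", uncovered(HOSTS, WILDCARD_ONLY))
    print("corrected SANs:", uncovered(HOSTS, FIXED_SANS))
```
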

  3. Server authority invalid error: Major browsers have come up with a list of trusted CAs. If you want to verify the authenticity of your CA, you can look for its name in this list. Also check whether your website's certificates chain to a root, and whether that root is listed in the browser’s trust list. The error can occur due to the use of self-signed certificates or government-operated roots. Government-operated roots are not listed in the standard trust store, so using them can lead to warnings.

Solution:

  • Do not use self-signed certificates on a public website.

  • Ask your employees to ignore warnings only for internal sites (intranet), not in general browsing.

  • Some CAs offer non-public roots designed specifically for internal networks.

  4. Insufficient intermediates: Along with the end-entity certificate, the server also provides intermediate certificates. Most CAs have their own set of intermediates.

Solution:

It is important to install the appropriate intermediates on the server you are using; otherwise the browser will issue a warning.

  5. Client clock error: This is not a server-related error. This type of error occurs when the client's system clock is incorrect. This can result in a mismatch between the current time as the client sees it and the certificate's validity period.

Solution: 

Leave a gap between receiving the certificate and actually using it. For example, suppose you received the SSL certificate on 16/7/18 and installed it on the very same day. If any of the client clocks are set in the past, it will trigger an error or warning.
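An added example, not part of the original article, covering both the certificate inventory advice under the server date error and the client clock case above: it audits a small inventory for expired or soon-to-expire certificates and shows how a certificate put into service on its issue date looks to a client whose clock runs a day behind. The inventory entries, host names, CA labels and the 30-day renewal window are constructed assumptions; the date strings use the format returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Constructed inventory (hypothetical hosts and CA labels).
INVENTORY = [
    {"host": "www.mysite.com", "issuer": "CA-A",
     "notBefore": "Jul 16 00:00:00 2018 GMT", "notAfter": "Jul 16 23:59:59 2019 GMT"},
    {"host": "shop.mysite.com", "issuer": "CA-B",
     "notBefore": "Aug  1 00:00:00 2017 GMT", "notAfter": "Aug  1 23:59:59 2018 GMT"},
    {"host": "mail.mysite.com", "issuer": "CA-A",
     "notBefore": "Jun  1 00:00:00 2016 GMT", "notAfter": "Jun  1 23:59:59 2018 GMT"},
]
# The article's example: certificate received and installed on 16/7/18.
INSTALL_DAY = datetime(2018, 7, 16, 12, 0, tzinfo=timezone.utc)

def _ts(cert_time):
    """Parse a certificate time string into an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), tz=timezone.utc)

def classify(cert, now, renew_days=30):
    """Validity status of one certificate at the given moment."""
    not_before, not_after = _ts(cert["notBefore"]), _ts(cert["notAfter"])
    if now < not_before:
        return "not_yet_valid"   # what a client with a slow clock sees
    if now > not_after:
        return "expired"         # the server date error
    if not_after - now <= timedelta(days=renew_days):
        return "expiring_soon"   # renew before it becomes an error
    return "ok"

def audit(inventory, now, renew_days=30):
    """(host, issuer, status) for certificates needing attention, soonest expiry first."""
    ordered = sorted(inventory, key=lambda c: _ts(c["notAfter"]))
    rows = [(c["host"], c["issuer"], classify(c, now, renew_days)) for c in ordered]
    return [r for r in rows if r[2] != "ok"]

def status_seen_by_client(cert, true_now, clock_offset):
    """Status as judged by a client whose clock is off by clock_offset."""
    return classify(cert, true_now + clock_offset)

if __name__ == "__main__":
    for row in audit(INVENTORY, INSTALL_DAY):
        print(row)
    print(status_seen_by_client(INVENTORY[0], INSTALL_DAY, timedelta(days=-1)))
```
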

Summary

It is important to choose an SSL certificate according to your requirements and to configure it properly. Failing to do so will trigger a warning or error message. Run a free server configuration test; this will help to prevent a few of the common errors. Always opt for certified CAs and check the browser’s trusted list. Make use of inventory tools and a management platform to keep track of all the installed certificates.

If you want to get Comodo SSL Certificates for your website then feel free to contact our team at The SSL Street. Contact us at the toll-free number +1 (888) 606-7330 or try the 24/7 email support at info@thesslstreet.com

