My website shows SSL errors

Hi everyone, I have some issues going on with my website https://gnosis.ge and I would really appreciate it if you could help me figure out how these can be resolved. Some people reported that they cannot open the website because of SSL certificate errors (I have a Let's Encrypt SSL certificate), so I tested the website on SSL Labs and I got some issues:

1. Chain issues = incomplete
2. Most of the TLS 1.2 suites are WEAK and all of the TLS 1.1 suites are WEAK
3. DNS CAA says no
4. When I installed the Let's Encrypt CNAME record, it only showed me the name `_acme-challenge.gnosis.ge.` and not the second name with "www" in it (can this be an issue?)

Other issues that I think are the result of the errors above:

5. Social media sharing doesn't include the logo or featured image, and the website cannot be opened directly from Facebook Messenger
6. When I try to share gnosis.ge in Messenger, it doesn't embed the link

Thanks in advance for your time!

Hello!

You can’t use certificate chains here. If you need those, please upgrade to premium.

TLS 1.1 and 1.2 are weak. You should use the most up-to-date web browser, which supports TLS 1.3 and is more secure.

You are unable to set CAA records here without external DNS management, such as CloudFlare.

That is not an issue. If you own the apex domain (or subdomain) then why wouldn’t you own the www subdomain? See, that’s why it was removed. No ACME for www is perfectly fine (if you are using the in-house TLS tool).

This is why:

This is most likely Messenger’s fault.


Thank you very much for your answers; most of the things are clear to me now. Just a couple of questions:

I see that in order to have DNS CAA I have to use external DNS management. Can you tell me what issues my website can have if I don't have CAA records?

From the link you provided I understood that the website cannot be opened from apps, so this is the reason why social sharing will never include images, right?

I tested other websites without www or https and all of them embed links; only gnosis.ge seems to have issues (with www and https it works just fine).

None, as long as you are not a Certificate Authority, which I don’t think you are.

Correct!

You need to pick one and stick with it. From what you wrote, it looks like https://www.gnosis.ge/ is the one that works properly, so choose it. You can follow these guides if you need help.


I agree with most of what @wackyblackie said, but want to clarify a few points.

Yes, this is true, but a deliberate design. You can block everything that's not considered secure, but then people who use operating systems which are a few versions behind will be unable to access your website, because they don't support the latest and most secure settings.

There is a tradeoff between device compatibility and security to be made. And we’ve chosen to be a bit less strict with security to support older devices.

DNS CAA records tell the world which SSL providers you allow to issue certificates for your domain. If you create a CAA record that says only Let’s Encrypt is allowed to issue certs on your domain, then GoGetSSL, ZeroSSL and all other SSL providers will refuse to issue certificates for your domain.

Having CAA is good practice because it reduces the opportunity for an attacker to get a certificate for your domain, because you’re restricting the providers they could get one from.

But not having it presents only a very small risk, because all SSL providers are required to do proper authorization checks before issuing a certificate in the first place.

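The CAA behaviour described in the reply above (a record naming only Let's Encrypt blocks every other issuer, and no record at all permits any CA that passes its normal checks), as an added offline example that is not part of this thread: a small model of how a CA evaluates CAA under RFC 8659, including the climb to the parent name, the bare `;` value that authorizes nobody, and the `issuewild` rule. The zone data and the issuer `other-ca.example` are constructed placeholders.

```python
"""Offline model of a CA's CAA check (RFC 8659). Zone data below is constructed."""
from dataclasses import dataclass

ISSUER_CRITICAL = 128          # flags bit 7: unknown tag with this bit set blocks issuance
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int   # 0 or ISSUER_CRITICAL
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # e.g. "letsencrypt.org", or ";" meaning "no CA may issue"


# Constructed sample zone: CAA RRsets keyed by fully qualified owner name.
ZONE = {
    "example.com.":          [CAA(0, "issue", "letsencrypt.org"),
                              CAA(0, "iodef", "mailto:security@example.com")],
    "locked.example.com.":   [CAA(0, "issue", ";")],                       # nobody may issue
    "wild.example.com.":     [CAA(0, "issuewild", "other-ca.example")],    # wildcards only
    "critical.example.com.": [CAA(ISSUER_CRITICAL, "futuretag", "x")],     # unknown critical
}


def relevant_caa(fqdn: str, zone: dict) -> list:
    """RFC 8659 §3: use the CAA RRset at the name, otherwise climb toward the root."""
    labels = fqdn.rstrip(".").split(".")
    while labels:
        rrset = zone.get(".".join(labels) + ".", [])
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def issuance_allowed(fqdn: str, issuer: str, zone: dict, wildcard: bool = False) -> bool:
    """Decide whether `issuer` may issue for `fqdn` (or *.fqdn when wildcard=True)."""
    rrset = relevant_caa(fqdn, zone)
    if not rrset:
        return True                      # no CAA anywhere: any CA may issue after validation
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in rrset):
        return False                     # unknown critical property: MUST NOT issue
    props = [r for r in rrset if r.tag == ("issuewild" if wildcard else "issue")]
    if wildcard and not props:
        props = [r for r in rrset if r.tag == "issue"]   # issuewild falls back to issue
    if not props:
        return True                      # no applicable property: issuance permitted
    # value is "issuer-domain-name [; parameters]"; an empty name authorizes no CA
    allowed = {r.value.split(";")[0].strip().lower() for r in props} - {""}
    return issuer.lower() in allowed
```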
