• If you are still using CentOS 7.9, it's time to convert to Alma 8 with the free centos2alma tool by Plesk or Plesk Migrator. Please let us know your experiences or concerns in this thread:
    CentOS2Alma discussion

Issue Site with SSL not visible on samsung browser

Jochem

New Pleskian
Hi,

I have a very strange problem concerning all sites with SSL running on Plesk Onyx + Lets Encrypt extension.

I'm running 50+ sites on vps4.rznd.nl and almost every domain has a SSL certificate from letsEncrypt. The strange thing is that all of these sites are not visible on de stock samsung browser (on i.e Galaxy S5,6,7). The stock browser opens when you open a link within an app. The show a page with says "This page is not available" You can click a link with Details, this only show the version of this browser. In this case its: 4.0.20-81

The domains without ssl are running normally on this browser. What is even weirder, I have this new VPS (vps5.rznd.nl) with probably all default settings from the plesk image from TransIP. Even here the problem is the same.

From this stock browser you can go to the default browser which opens in i.e Chrome or any other you've set as default. And from there the sites work normally.

I cannot replicate this since I don't have a samsung phone.

I'm not in to the technical stuff, but I can check some thing in the console if needed.

After some searching I've noticed that when I go to SSL/TLS certificates in the usersubscription that every certificate is missing de CSR-part. "CRS is not deliverd" Maby this has something to do with it?

To test: https://websiteroermond.nl/ from vps5.rznd.nl is not working in the samsung browser and without the certificate (http://websiteroermond.nl) it does work normally.
 
Maybe it is problem in Samsung browser but not in Plesk? Or maybe there is some kind of known incompatibility between Samsung browser and Letsecrypt certificates? Have you checked it? Have you contacted Samsung?

BTW, I have checked https://websiteroermond.nl with Xiaomi stock browser and with BlackBerry10 stock browser. All works fine.
 
Hi IgorG,

Thanks for your reply. I'm pretty sure it's the browsers fault. The problem is that the samsung browser (or any mobile browser) doesn't show any errors concerning a certificate.

I've also checked it with multiple browsers, even from a cheap alcatel phone. No problemo.

I should also contact Samsung about this, but my hopes where better here ;)


I've found something. Via developer.samsung.com I used a samsung galaxy s7 emulator and got the same problem: ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY

First hit in Google:
https://www.jeffgeerling.com/blog/2016/fixing-errspdyinadequatetransportsecurity-ssl-error-chrome
 
Last edited:
I had similar problem with globalSign alpha ssl on windows phones but only in case when CRT and Key is instaled without CA-CRT...in most cases users just supply CRT and KEY without CA-crt.After Ca-crt is added issue is resolved.
 
Last edited:
A customer just called, she has the same problem when opening the https links from Word 2011 (mac).

"https://websiteroermond.nl cannot be opened. "Cannot Locate Proxy Server or Internet Server"

I don't know if this is the same issue as the samsung browser has, but if it is, it's likely that other applications also have this issue. Which makes it a Plesk or LetsEncrypt module issue I guess?
 
Last edited:
A friend of me was able to fix the issue for the samsung browser. I was hoping that this also fixed the Word issue but that seems to be another problem...
 
I have the same problem with all pages. Lots of customers called (web store). It doesn't matter if you have Let's Encrypt certs or not trusted one (to accept the risk). HTTP is ok, HTTPS isn't...

Any fix from Plesk in the future?
 
PRODUCT, VERSION, OPERATING SYSTEM, ARCHITECTURE
Plesk Onyx, v17.0.17_build1700161028.14, Ubuntu 16.04.1 LTS

PROBLEM DESCRIPTION
On older browsers and/or Samsung Stock browser getting error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY on https. It doesn't matter if you have trusted or self-signed SSL certificate.

STEPS TO REPRODUCE
Any Samsung smart phone with stock browser (Google Chrome is ok). I have Samsung Galaxy S7, but it can be tested also with emulator from Samsung: http://developer.samsung.com/remotetestlab/rtlDeviceList.action?os=101

ACTUAL RESULT
Getting error ERR_SPDY_INADEQUATE_TRANSPORT_SECURITY on HTTPS. Webpage doesn't open.

EXPECTED RESULT
Webpage should open

ANY ADDITIONAL INFORMATION
Plesk is on stock settings, no extra custom modifications. The problem was there from the beginning - december 2016.
Problem is solved with Additional nginx directives (thanks to nate on https://talk.plesk.com/threads/ssl-error.340520/#post-813903):
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers EECDH+CHACHA20:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
ssl_prefer_server_ciphers on;
 
Hi, sorry for the late reply.

the problem is in /etc/nginx/conf.d/ssl.conf
I don't know the old version, but this works

Code:
ssl_session_cache shared:SSL:10m;

ssl_session_timeout 10m;

ssl_prefer_server_ciphers on;

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128$

ssl_dhparam /etc/nginx/ssl/dhparam.pem;

ssl_stapling off;

ssl_stapling_verify off;



Now the customer comes with a new odd issue. When she copies a url with https (from my server) and she paste it in MS Word (mac 2011) and than clicks the site, she's getting the message:
“Unable to open. Cannot locate the Internet server or proxy server.”
 
Last edited:
I think this is an Issue with the Ciphers. The Samsung Browser and old Word need <2048Bit dhparam Curves and "more compatible" Cipher Suites.
 
It may be that the cert is valid in terms of Common Name (domain), but it can't be verified due to revocation, broken validation chain (lack of intermediate certs on new SHA-2 certs), expired or anything else preventing it to be fully valid. I'd bet for the intermediate certs which is the case in 2016 since the upgrade to SHA-2.
 
There are many cause of this error here major issues and fixes.
  1. Check Your System’s Date and Time Settings
  2. Clear Chrome’s Browsing Data using Ctrl + Shift + Delete
  3. Antivirus Settings - Enable all SSL protocols
Once you done just restart you devices, If still getting issue then you can use ssl unblocker, It will help you too.
If issue solved then please hit a like.
Thanks
 
Back
Top