
Resolved SSL certificate problem only in IE

Heppi75

Basic Pleskian
Hi,

I have a problem with the SSL cert only in Internet Explorer.

I am running CentOS 7 with Plesk 12.5.30 (latest build). Could anyone help with why only Internet Explorer is not working correctly with the cert?

Here is the URL. I tried it in Internet Explorer 11 and got the message that I should check the TLS settings:

https://www.bioaustria.at/

Maybe someone could help me, please!
 
Hi,
I just visited your site in Edge and IE with no error. Are you still having the issue? If so, try to clear your browser cache.
Kind regards

Lloyd
 
No, I can't access it (Win8.1/IE11)

... and there is a curious error page (see attached screen capture).

... but the error in the error page seems to be a local IE11 thing...
 

Attachments: capture.png
@Sergio Manzi, @Heppi75,

The site opens normally for me as well (Windows 10, IE 11).

But it seems you have 'enabled' HTTP/2 on your server, which by default generates 'strict' cipher suites, making a lot of devices unable to connect. Check SSL Labs for some useful info about your configuration > https://www.ssllabs.com/ssltest/analyze.html?d=www.bioaustria.at

You might also want to read more on the issue in this thread > https://talk.plesk.com/threads/nginx-http-2-support-cipher-problems.337707/

To sum up, a solution would be to change your cipher list. You can use this in your /etc/nginx/conf.d/ssl.conf to enable support for 'most' devices:
Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AEAES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 
Hi, @Heppi75!

Glad you solved your issue, but... which of the many suggestions of https://talk.plesk.com/threads/nginx-http-2-support-cipher-problems.337707/ have you adopted?

Personally I find wisdom in @trialotto's answer, i.e. "not lower TLS versions in the case that HTTP/2 support is enabled".

I'm not an expert in the matter, but it seems to be logical that if you enable HTTP/2 you want it to behave like it is expected and not use TLS < 1.2 (or just use good old HTTP/1.1).

I'm anyway very open to being corrected on this point of view...

 
Hi, Sergio

I only adapted the ssl_ciphers settings this way:
EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES;
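
Added example, not part of any post in this thread and not Plesk or nginx code: a Python check that expands a cipher string with the local OpenSSL and lists which suites a server using it would share with a given client offer. `STRICT` and `LEGACY_CLIENT` are constructed assumptions; `BROAD` is the value quoted in the post above.

```python
import ssl

# Assumption: an AEAD-only ECDHE list standing in for a "strict" HTTP/2 cipher set.
STRICT = "EECDH+AESGCM:EECDH+CHACHA20"
# The ssl_ciphers value from the post above, without nginx's trailing ';'.
BROAD = (
    "EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:"
    "EDH+AESGCM+AES128:EDH+AESGCM+AES256:EDH+CHACHA20:"
    "EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:"
    "EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:"
    "EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:"
    "SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES"
)
# Constructed client offer (assumption): CBC-mode suites only, no AEAD suites.
LEGACY_CLIENT = [
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES128-SHA", "AES256-SHA", "AES128-SHA",
]

def expand(cipher_string):
    """TLS <= 1.2 suites the local OpenSSL enables for this string, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately, so leave them out.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def shared(cipher_string, client_offer):
    """Suites from the client offer that the server string also enables."""
    enabled = set(expand(cipher_string))
    return [s for s in client_offer if s in enabled]

def h2_acceptable(name):
    """Name-based approximation of the RFC 7540 Appendix A rule:
    ephemeral key exchange plus an AEAD cipher."""
    return name.startswith(("ECDHE-", "DHE-")) and (
        "GCM" in name or "CHACHA20" in name)

if __name__ == "__main__":
    for label, value in (("strict", STRICT), ("broad", BROAD)):
        suites = expand(value)
        common = shared(value, LEGACY_CLIENT)
        legacy_only = [s for s in suites if not h2_acceptable(s)]
        print(f"{label}: {len(suites)} suites enabled, "
              f"{len(legacy_only)} not usable for HTTP/2")
        print("  shared with legacy client:", common or "none (handshake fails)")
```

`expand()` reflects the OpenSSL build linked into the local Python, which can differ from the one nginx runs against on the server.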
 
Now I can reach it, but I see HTTP/1.1 is used (see attached request and response snapshots...)
 

Attachments: request.png, response.png
... but on the other hand, when accessing from Firefox I see HTTP/2 is used, so apparently you have found and used the magic combination of ciphers that allows you to use HTTP/2 if supported by the browser or HTTP/1.1 if not... ;)

It would be nice if someone with more experience than I have in this kind of thing would confirm that this is OK...

P.S.: and https://www.ssllabs.com/ssltest/analyze.html?d=www.bioaustria.at says that you can exchange keys and be seen by everybody except IE6/XP, IE8/XP, Java 6 and Android 2.3.7
 
@Sergio Manzi, @Heppi75,

The site opens normally for me as well (Windows 10, IE 11).

But it seems you have 'enabled' HTTP/2 on your server, which by default generates 'strict' cipher suites, making a lot of devices unable to connect. Check SSL Labs for some useful info about your configuration > SSL Server Test: www.bioaustria.at (Powered by Qualys SSL Labs)

You might also want to read more on the issue in this thread > Resolved - nginx HTTP/2 support cipher problems

To sum up, a solution would be to change your cipher list. You can use this in your /etc/nginx/conf.d/ssl.conf to enable support for 'most' devices:
Code:
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EECDH+CHACHA20:EDH+AESGCM+AEAES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:CHACHA20:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
You saved my day at the end of 2020 :)
 