SSL problems with older browsers

Problem Description

I’ve noticed that my sites hosted under control of sympl and using Letsencrypt SSL certificates give error messages if I use older devices such as a tablet with Android 6.
No problems with newer browsers (desktop or mobile), nor with other SSL sites on the same Android 6 tablet.
The Letsencrypt certificate hasn’t expired and the same sites get rated A+ on the SSL labs test.
Is there anything I can do to make my sites acceptable to older clients, or does this require a different sort of certificate that costs money and Letsencrypt can’t provide?

Also possibly related, someone has reported about one of my sites:
“Trying to access the website using Google Chrome (or any Google browser) is impossible …
it comes up with a privacy warning that is impossible to get round.
I think it needs the server host to add an authentication certificate … all Google
products are insisting on these now (no doubt to stop them being sued by users who get
scammed).”

I’ve no idea what he’s talking about. Does anyone else?
The site is https://embsaylibrary.org.uk if anyone’s sufficiently interested to test. It’s recently moved to my hosting (just over a week ago).

Any Error Messages

On older Chrome with Android 6:
“The identity of this website hasn’t been verified - server’s certificate is not trusted”

Environment

  • Sympl Version [11.20220426.0]:
  • Sympl Testing Version? [No]
  • Debian Version [Bullseye]:
  • Hardware Type? [Virtual]
  • Hosted On? [Bitfolk]

“Letsencrypt SSL certificates give error messages if I use older devices such as a tablet with Android 6.”

Android 6 was end-of-life 7 years ago now, so it’ll probably not be aware of more modern SSL protocols, and likely not have the updated Let’s Encrypt R3 Root Certificate and its cross-signing - IIRC, 7.1 was where it was added, so anything older than that will have problems with various things.

You could try editing the Apache config for the site and allowing TLS 1.0 and 1.1 by editing the SSLProtocol line and removing the -TLSv1 and TLSv1.1, but it would significantly reduce the security of the HTTPS connections as both have known issues.

“Trying to access the website using Google Chrome (or any Google browser) is impossible …
it comes up with a privacy warning that is impossible to get round.
…”

That sounds like they’re maybe accessing an older copy of the site, and have the newer Chrome ‘Safe Browsing’ security enabled?

Check the A and AAAA records end up at the same server, but other than that it looks fine.

“I think it needs the server host to add an authentication certificate”

Not sure about the rest, but Google are heavily pushing everything toward HTTPS, and preferentially ranking sites in search which use it, or they might have HTTPS and some other Google thing (Google Search Console) confused?

Maybe worth asking that user for a screenshot of the message they get?

Thank you for reminding me of that - yes, it’s almost certainly what I’m seeing.

No, I can tell the old Chrome to go ahead anyway and it connects, so TLS is OK, it’s just the certificate that it doesn’t trust. And I don’t want to downgrade my server security 🙂

That looks likely. Stale data in cache, local DNS not updating… the problem’s probably gone away but as you suggest I could ask for a screenshot if it persists.

Thanks for response anyway - very helpful.
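The SSLProtocol edit suggested in the reply above, as an added example that is not part of the original thread or of Sympl's own code: it evaluates the `all` and `+`/`-` tokens of an Apache `SSLProtocol` line and reports which enabled protocol versions are deprecated. The two directive lines are constructed samples (the thread does not show the server's real configuration), and bare protocol names without a prefix are rejected as a simplification.

```python
# Added example: evaluates the "all" and +/- tokens of an Apache SSLProtocol line.
# Assumption: "all" covers every name in KNOWN; on a real server this depends on
# the OpenSSL build (SSLv3 is often compiled out).
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# SSLv3 was deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
DEPRECATED = {"SSLv3", "TLSv1", "TLSv1.1"}


def enabled_protocols(directive):
    """Return the protocol names left enabled by an SSLProtocol line, oldest first."""
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()
    for token in words[1:]:
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        if name.lower() == "all":
            selected = set(KNOWN)
        else:
            match = [p for p in KNOWN if p.lower() == name.lower()]
            if not match or not sign:
                # Simplification: only "all" and +/- prefixed names are handled.
                raise ValueError(f"unsupported token: {token}")
            selected = set(match)
        if sign == "-":
            enabled -= selected
        else:
            enabled |= selected
    return [p for p in KNOWN if p in enabled]


def audit(directive):
    """Return (enabled, enabled_but_deprecated) for one directive line."""
    enabled = enabled_protocols(directive)
    return enabled, [p for p in enabled if p in DEPRECATED]


# Constructed sample lines, not taken from the server discussed in the thread.
HARDENED = "SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1"
RELAXED = "SSLProtocol all -SSLv3"  # after removing -TLSv1 and -TLSv1.1

if __name__ == "__main__":
    for label, line in (("hardened", HARDENED), ("relaxed", RELAXED)):
        enabled, weak = audit(line)
        print(f"{label:9} {line!r}: enabled={enabled} deprecated={weak or 'none'}")
```
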