Cant connect to website - Cant connect securely to this page

5 replies

Last post Oct 15, 2020 08:45 AM by Brucz

  • Cant connect to website - Cant connect securely to this page

    Oct 12, 2020 10:06 PM|Geezer32

    We have a new website running on a 2012 R2 server. The site is configured with SSL with a cert published from our internal CA. The server is for internal use only; it is not exposed to the public.

    The issue I am having is that many users are getting the message in Edge "Can't connect securely to this page, might be because of unsafe TLS settings".
    The server supports TLS 1.2, as do the clients. I have run a Qualys test on one of the affected clients and it says "good protocol support".

    Most of the users are connecting to the core network over a VPN, but I have multiple users using the same VPN and some have this issue and others don't.

    All clients are Windows 10, and they have the root CA certificate installed. Network port 443 to the server is open from the client.

    Chrome also exhibits a similar error message.

    I've tried disabling the local AV (Symantec); it made no difference.

    What else can I do so these clients can connect to the web page?

    thanks

  • Re: Cant connect to website - Cant connect securely to this page

    Oct 13, 2020 02:37 AM|Brucz

    Hi Geezer32,

    The issue may be caused by multiple trusted certification paths on the web server. For example, the certificate has two paths to the trusted root CAs on the web server.

    1. Certification path 1: Website certificate - Intermediate CA certificate - Root CA certificate (1)
    2. Certification path 2: Website certificate - Intermediate CA certificate - Cross root CA certificate - Root CA certificate (2)

    When Certification path 1 and Certification path 2 have the same quality score, CryptoAPI selects the shorter path (Certification path 1) and sends the path to the client. However, the client computer can verify the certificate only by using the longer certification path that links to Root CA certificate (2). Therefore, the certificate validation fails.

    The solution is to delete or disable the certificate from the certification path that you do not want to use.

    1. Log on to the web server as a system administrator.

    2. Add the Certificate snap-in to Microsoft Management Console. To do this, follow these steps:

      1. Click Start, click Run, type mmc, and then press Enter.
      2. On the File menu, click Add/Remove Snap-in.
      3. Select Certificates, click Add, select Computer account, and then click Next.
      4. Select Local computer (the computer this console is running on), and then click Finish.
      5. Click OK.
    3. Expand Certificates (Local Computer) in the management console, and then locate the certificate on the certificate path that you do not want to use.

    4. Delete or disable the certificate by using one of the following methods:

      • To delete a certificate, right-click the certificate, and then click Delete.
      • To disable a certificate, right-click the certificate, click Properties, select Disable all purposes for this certificate, and then click OK.
    5. Restart the server if the issue is still occurring.

    For more details, refer to this document.

    Best regards,

    Brucz
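
The path-selection behaviour described in the reply above, as an added example that is not part of the thread and is not CryptoAPI code: a simplified Python model that matches certificates by subject and issuer name only (no signatures or quality scores) and assumes the server leaves the self-signed root out of what it sends. All certificate names are constructed.

```python
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed certificates mirroring the two certification paths in the reply.
LEAF = Cert("Website", "Intermediate CA")
INTER = Cert("Intermediate CA", "Root CA 1")
ROOT1 = Cert("Root CA 1", "Root CA 1")   # self-signed Root CA certificate (1)
CROSS = Cert("Root CA 1", "Root CA 2")   # cross root CA certificate
ROOT2 = Cert("Root CA 2", "Root CA 2")   # self-signed Root CA certificate (2)


def build_paths(leaf, pool, trusted_roots):
    """Return every chain from leaf up to a trusted self-signed root."""
    paths = []

    def walk(chain):
        tip = chain[-1]
        if tip.subject == tip.issuer:        # self-signed: the chain ends here
            if tip in trusted_roots:
                paths.append(chain)
            return
        for cand in pool:                    # follow every issuer-name match
            if cand.subject == tip.issuer and cand not in chain:
                walk(chain + [cand])

    walk([leaf])
    return paths


def server_sent_chain(leaf, server_store, server_roots):
    """Model the tie-break in the reply: equal quality, shorter path wins.
    Assumption: the root itself is not sent to the client."""
    paths = build_paths(leaf, server_store, server_roots)
    return min(paths, key=len)[:-1] if paths else None


def client_validates(sent_chain, client_roots):
    """The client builds a path from what it was sent plus its own trusted roots."""
    pool = list(sent_chain[1:]) + list(client_roots)
    return bool(build_paths(sent_chain[0], pool, client_roots))
```

With both roots present on the server, the sent chain stops at the intermediate and a client that trusts only Root CA (2) cannot complete it; with Root CA (1) removed from the server's store, the cross certificate is sent and the same client validates.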

  • Re: Cant connect to website - Cant connect securely to this page

    Oct 13, 2020 03:47 AM|Geezer32

    Thanks

    I had a look at this; there is only one certificate on the web server, which is its own cert published by the root CA.

    Its path looks normal: Host->IssuingCA->RootCA

    On a client it looks the same and all the certs seem valid, no missing or unknown parts to the chain.

    I see that the Root CA cert appears on the client device both under 'Intermediate Trusted Authorities' as well as 'Trusted Root Authorities' - is this normal? (It is on my laptop I am looking at, and the site works no problem for me.)

    I tend to think that this issue is VPN related, as I have seen no instance of local devices on the LAN having any issue, or anyone from the local AU region having any problems. It seems to be clients connecting from overseas (US mainly) over a VPN that are having problems, but it is not all of them; some work, some don't.

  • Re: Cant connect to website - Cant connect securely to this page

    Oct 14, 2020 01:29 AM|Brucz

    Hi Geezer32,

    If it is your VPN problem, I suggest you contact the VPN supplier or network engineer. What I can do is troubleshoot the IIS side for you.

    Best regards,

    Brucz

  • Re: Cant connect to website - Cant connect securely to this page

    Oct 15, 2020 02:19 AM|Geezer32

    Well, I don't know if it is a VPN issue or not; the network guys say it isn't. All I know for sure is that 1/2 the users of this system are getting a TLS error connecting to the site.

  • Re: Cant connect to website - Cant connect securely to this page

    Oct 15, 2020 08:45 AM|Brucz

    Hi Geezer32,

    According to your description, I think this is a network problem, because the local devices on the LAN are fine, except for those who use VPN, and the clients from overseas have problems. The network conditions of the two are different.

    I suggest you use some tools to capture a network trace, then analyze the network request handshake process and compare the difference between local and VPN.

    Best regards,

    Brucz
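
One way to do the comparison suggested above, as an added example that is not from the thread: a Python summarizer that names the TLS messages in one direction of a handshake and reports where a failing trace first departs from a working one. It assumes each direction has already been exported from the capture as a reassembled byte stream and that no handshake message is split across records; the sample streams are constructed.

```python
import struct
from itertools import zip_longest

HANDSHAKE = {1: "client_hello", 2: "server_hello", 11: "certificate",
             12: "server_key_exchange", 14: "server_hello_done",
             16: "client_key_exchange", 20: "finished"}
ALERT = {40: "handshake_failure", 48: "unknown_ca", 70: "protocol_version"}

def summarize(stream):
    """Name the TLS messages visible in one direction of a reassembled stream."""
    out, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        pos += 5 + length
        if ctype == 22 and not encrypted:
            i = 0  # one record may carry several complete handshake messages
            while i + 4 <= len(body):
                mlen = int.from_bytes(body[i + 1:i + 4], "big")
                if i + 4 + mlen > len(body):
                    break
                out.append(HANDSHAKE.get(body[i], f"handshake_{body[i]}"))
                i += 4 + mlen
        elif ctype == 21 and not encrypted and len(body) == 2:
            out.append("alert:" + ALERT.get(body[1], str(body[1])))
        elif ctype == 20:
            encrypted = True  # records after ChangeCipherSpec are ciphertext
            out.append("change_cipher_spec")
        elif len(body) == length:
            out.append("encrypted_record" if encrypted else f"record_type_{ctype}")
        if len(body) < length:  # header promised more bytes than were captured
            out.append(f"stream_ends_mid_record({len(body)}/{length} bytes)")
    return out

def first_divergence(good, bad):
    """First position where the failing trace departs from the working one."""
    for i, (g, b) in enumerate(zip_longest(good, bad)):
        if g != b:
            return i, g, b
    return None

def rec(ctype, payload):  # constructed test data: one TLS 1.2 record
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload
def hs(mtype, n):  # constructed handshake message with n zero bytes of body
    return bytes([mtype]) + n.to_bytes(3, "big") + bytes(n)

FLIGHT = rec(22, hs(2, 70) + hs(11, 1200) + hs(12, 300) + hs(14, 0))
LAN_FROM_SERVER = FLIGHT + rec(20, b"\x01") + rec(22, bytes(40))
VPN_FROM_SERVER = FLIGHT[:1000]  # constructed: capture stops inside Certificate
```

Running `first_divergence(summarize(LAN_FROM_SERVER), summarize(VPN_FROM_SERVER))` on a working and a failing capture of the same direction gives the first message that differs, which is the point in the handshake to examine.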