First and foremost I want to apologize, because I am really an amateur in networking. I tried to run an SSLLabs check on a web domain my company owns. The overall rating is "A" and everything is shown "green", which leads me to believe that I do not have to worry about the report.

Summary of SSLLabs Report

But still there is one part of the report which worries me, and I wanted to ask if anyone can explain to me 1. if I have a valid reason to worry and 2. if yes, what I could do to make things safe. In the part "Certification Paths", there are two paths shown: #1, which is "trusted", and #2, which is "Not trusted". I worry that the not trusted one can cause problems for our company. Can I just ignore it or do I have to resolve it in some way?

Censored Part of Certification Path

If you need more information out of the report to answer my question just let me know.

HBruijn
  • The posted certification path looks like the server sends two certification paths, one for the current certificate and one for an expired certificate. I would remove the expired one and the related certs as it increases the TLS handshake data. Clients should ignore the certificates, but you never know what client implementations are out there, so I would rather remove them. – Robert Jan 26 '24 at 10:55
  • Reminds me of Let's Encrypt problems with one of their root certs expired and buggy openssl failing to follow the valid one. – AlexD Jan 26 '24 at 10:57
  • https://security.stackexchange.com/questions/256542/what-happens-if-one-certificate-path-is-valid-while-the-other-one-is-not – AlexD Jan 26 '24 at 10:59
  • Thank you very much for your answers! So, if I would like to remove the outdated certificate, where is the place to do it? I guess the certificates are not hosted on the DigitalOcean servers we host but most probably on the domain name service provider we are using. Again, sorry for me not being able to ask with more technical knowledge. – Simon Rempel Jan 26 '24 at 11:07
  • The TLS certificates are served by your HTTPS server (or CDN if you are using one), not the domain name service provider. – AlexD Jan 26 '24 at 11:31
  • Perfect, I think with that I have all the answers I need, thanks very much! I will leave a short reply here as soon as I have removed the certificate, to confirm that the report is clean of the untrusted path. – Simon Rempel Jan 26 '24 at 12:07

1 Answer

worry that the not trusted one can cause problems to our company. Can I just ignore it?

Is there a problem or error or warning when accessing the site?

Otherwise it's likely that (modern) clients all have a more up to date version of the intermediate issuing certificate and ignore the expired certificate that is presented.

Greg Askew
  • No, there are no errors or warnings when the site is accessed. So if I understand your statement right it seems to me that most probably there is no immediate danger with the certificate issue? – Simon Rempel Jan 29 '24 at 09:10