Risks in Using Self-Signed SSL Certificates


A reader reported receiving a message in Google Search Console about a self-signed SSL certificate. Google has been sending warnings about this for years. A self-signed SSL certificate is one that is issued by a server and not by a certificate authority (Comodo, Digicert, etc.). Self-signed SSL certificates will also cause browsers to issue a security warning, potentially affecting site traffic.

How to Check SSL Certificate Status

You can monitor and research your SSL certificate via Google’s Certificate Transparency Project tool. The Qualys SSL Labs page is a comprehensive tool for checking SSL certificate status.

If your certificate is indeed self-signed, you should consider obtaining a trusted SSL certificate. For more information read What Type of SSL Certificate Does Your Website Need?  and also Moving a WordPress Website from HTTP to HTTPS.

Some Warnings are False Positives

Some publishers have received the messages in error. These are called false positives.

A discussion in Google’s Webmaster Central Help Forum serves as an illustration. A member reported receiving the self-signed certificate message, even though his site is not self-signed. The discussion can be viewed here.

What happened was there was a small moment of time between switching certificate providers and it appears Google scanned his site in between the switch over. This is what triggered the false positive.

Here is what the publisher who received the notice stated:

“When I updated the certificate and rebooted the AWS VM I had a grub error and the VM did not restart. This is a known random quirk of this particular VM and the recovery process is to launch a new VM and restore from backup. For a 5 minute period before I remembered to block the public firewall while I rebuilt the server the nascent VM was live using the VM’s default self-signed certificate. When I opened up the firewall again the server was operating with an up-to-date Comodo certificate.

It is possible that, during that brief window, Googlebot might have polled the site…hell of a coincidence but possible…”

In another false positive report, this one from June 20th, 2018, a member reported receiving the self-signed certificate message even though their site has a valid certificate from GoDaddy.

Self-signed SSL Certificate Warniing

A member responded that it was likely in error and recommended ignoring Google’s warning about the self-signed SSL warning from Google’s Search Console.

Here is th explanation of why it was a false positive:

“This is due to the fact the server setup requires a browser to support SNI (Server Name Indication) to get the right certificate.

Pretty much all modern browsers do, there might be a very few users out there with very outdated versions that don’t.

The automated test doesn’t support it, so it gets the wrong, generic cert for the server.

The main googlebot supports it just fine though, so you are fine to disregard this, if you are not too worried about those very small percentage of users.”

Misconfigured SSL Certificates

It can be difficult to diagnose what the problem is. For one of my own websites I had certificate issues due to a secondary certificate not being properly installed.

There are instances of Lets Encrypt certificates triggering self-signed warnings. I found one in a closed and private Facebook Group. The other members were unable to help diagnose the reason so the member purchased a different certificate.

Lets encrypt certificate misconfigured leading to a self-signed certificate warning

In another case discussed on Let’s Encrypt’s forums it turns out that a technical issue related to how a dedicated server assigns certificates to multiple sites hosted on the same server was to blame for the self-signed certificate message.

Takeaway on Self-Signed SSL Certificate Warnings

If you are relying on a self-signed SSL certificate, you may wish to consider obtaining an SSL certificate from a trusted certificate authority. If you are using a trusted certificate authority and receive a warning from Google about a self-signed SSL certificate, you may wish to troubleshoot why you received this error.

In some cases the error message is received because of a misconfiguration. In others it is a false positive.

More Resources

Images by Shutterstock, modified by Author

Screenshots by author





Source link

Leave a reply:

Your email address will not be published.

Sliding Sidebar

About Me

About Me

Read about current trends on WordPress blogs, SEO, technology and more on plolu

Social Profiles