Cannot access newly installed site - security policy called HTTP Strict Transport Security (HSTS)

My YunoHost server

Hardware: VPS 4Gb, plenty of storage, 2 cores
YunoHost version: 3.8.4.8
I have access to my server: Through SSH
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no

Description of my issue

I installed YunoHost on a fresh Debian 9 system. I configured YunoHost via https:// as instructed. The site is configured for my custom domain.

If I access the newly installed site via the IP address, I get the certificate warning. If I accept the warning and continue, I can get to the site (admin or main site).

If I access the site via the domain name, I get the certificate warning, but I’m not given the option to accept the warning and I can’t get to the site. The warning I get is:

mydomain.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.

Any ideas what I can do to fix this? Thanks
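The warning quoted above is the browser side of HSTS: once a host has been recorded as an HSTS host, certificate errors for it cannot be clicked through, while an IP-literal address is never an HSTS host. The following is an added example that models that behaviour after RFC 6797 (it is not code from this thread, from Firefox or from YunoHost). The hostnames, the header values and the timestamps are constructed for the demonstration; `mydomain.com` stands in for the poster's domain.

```python
"""Toy HSTS policy store modelled on RFC 6797 (added example, not from the thread)."""
import ipaddress
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class HstsPolicy:
    expires_at: float        # absolute time after which the policy lapses
    include_subdomains: bool


def parse_hsts_header(value: str) -> Optional[dict]:
    """Parse a Strict-Transport-Security header value.

    Returns {'max_age': int, 'include_subdomains': bool}, or None when the
    header is invalid (no max-age, duplicate or non-numeric max-age), in
    which case a conforming browser ignores it.
    """
    max_age = None
    include_subdomains = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, raw = directive.partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')      # max-age may be a quoted-string
        if name == "max-age":
            if max_age is not None or not raw.isdigit():
                return None
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
        # unknown directives are ignored
    if max_age is None:
        return None
    return {"max_age": max_age, "include_subdomains": include_subdomains}


def is_ip_literal(host: str) -> bool:
    """IPv4/IPv6 literals are excluded from HSTS (RFC 6797 section 8.1.1)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


class HstsStore:
    def __init__(self) -> None:
        self.policies: Dict[str, HstsPolicy] = {}

    def observe(self, host: str, header_value: str,
                over_secure_transport: bool = True, now: Optional[float] = None) -> bool:
        """Record a header from a response the way a browser would; True if applied."""
        now = time.time() if now is None else now
        host = host.lower().rstrip(".")
        # The header only counts when received over TLS without certificate errors.
        if not over_secure_transport or is_ip_literal(host):
            return False
        parsed = parse_hsts_header(header_value)
        if parsed is None:
            return False
        if parsed["max_age"] == 0:
            self.policies.pop(host, None)   # max-age=0 tells the browser to forget the host
            return True
        self.policies[host] = HstsPolicy(now + parsed["max_age"], parsed["include_subdomains"])
        return True

    def is_known_hsts_host(self, host: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        host = host.lower().rstrip(".")
        if is_ip_literal(host):
            return False
        labels = host.split(".")
        # Exact match first, then each superdomain that set includeSubDomains.
        for i in range(len(labels)):
            policy = self.policies.get(".".join(labels[i:]))
            if policy is None or policy.expires_at <= now:
                continue            # unknown or expired policy does not apply
            if i == 0 or policy.include_subdomains:
                return True
        return False

    def cert_error_overridable(self, host: str, now: Optional[float] = None) -> bool:
        """Whether the browser may offer 'accept the risk' on a certificate error."""
        return not self.is_known_hsts_host(host, now)


def scenario() -> dict:
    """Constructed scenario: the browser already holds a policy for the domain."""
    store = HstsStore()
    t0 = 1_000_000.0
    store.observe("mydomain.com", "max-age=31536000; includeSubDomains", now=t0)
    return {
        "domain_overridable": store.cert_error_overridable("mydomain.com", now=t0 + 60),
        "subdomain_overridable": store.cert_error_overridable("app.mydomain.com", now=t0 + 60),
        "ip_overridable": store.cert_error_overridable("203.0.113.10", now=t0 + 60),
        "after_expiry_overridable": store.cert_error_overridable("mydomain.com", now=t0 + 31536000 + 1),
        "ip_header_recorded": store.observe("203.0.113.10", "max-age=3600", now=t0),
        "cleared_by_max_age_zero": (store.observe("mydomain.com", "max-age=0", now=t0 + 120)
                                    and store.cert_error_overridable("mydomain.com", now=t0 + 120)),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

Running the script shows why the thread's two observations differ: the domain (and, with includeSubDomains, its subdomains) gets no click-through, the bare IP address does, and the only remedies are a trusted certificate or the policy expiring. The fix the thread settles on, issuing a Let's Encrypt certificate, is the former.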

I’ll answer my own question for anyone else who hits this. I browsed through the admin site (first time installing YunoHost) but clearly I didn’t look closely through every menu item.

  • Click Domains
  • Click your domain name
  • Click SSL Certificate
  • Click the button to generate the Let’s Encrypt certificate

This solved my issue. Cheers!

If you want some explanation of why you get this:

Certificates are “papers” which are delivered by a “certification authority”, which are trusted firms or associations. The certificate contains a public key generated by your server, and is SIGNED by the certification authority which has delivered this certificate.

When a navigator comes to your website through HTTPS (TLS/SSL tunnel), it checks among the public keys of the certification authorities it knows.

If found: OK.

If not found, the navigator tries a last thing: it checks whether the certificate is self-signed, meaning that it is signed by the very key which is on the certificate. It is called a “self-signed certificate”. By default, this certificate is used on domains listed in YunoHost.

But navigators don’t like this sort of certificate, and that causes the problem.

However, if you want some security on your domain, you can enforce it using DNSSEC for signing your domain name, and even DANE in order to use something other than the certification authority.

Have fun with your server!

Thanks!

I also discovered that if I create a subdomain in YunoHost, I can’t create a Let’s Encrypt certificate for it until I run the diagnostic first. Weird but not a problem.

Yup… hopefully we’ll find a way to improve this.

No big deal. It’s an extra step but it works in the end.