Google Chrome says my SSL uses outdated security settings but other site tests disagree [closed]

Solution 1:

The problem is that your Windows computer has Avast antivirus installed. Avast injects an SSL certificate between the website and Google Chrome. See "Avast web/mail shield" at the top of the left image.

Google Chrome shows a warning on your computer since Chrome validates the locally spoofed certificate. Avast AntiVirus spoofs the SSL certificates so they can see and scan the SSL traffic. Scans like Qualys SSL labs will tell you the truth.

You can disable Avast Web/Mail shield and retry it in Google Chrome. That way, Chrome will validate the certificate that your server serves and not the injected/spoofed SSL certificate that Avast injects between your server and Google Chrome.

In the left image you're looking at the info about the Avast SSL certificate. On the right, the info about your own GeoTrust SSL certificate.

I'm assuming you also use the Linux version of Avast on your Debian machine and that generates a similar situation as on the Windows machine.

Solution 2:

The problem is that your certificate uses SHA1 as its signature algorithm. If your certificate actually uses SHA2, check all the intermediate (and root) certificates in your chain. Every single certificate has to use SHA2.

SHA1 is old (weak) technology and should not be used anymore. Most PKI providers offer both possibilities. Simply download the SHA2 chain certs and upload them to your server. Then the problem will be solved.

As you are using a SHA2 cert (as seen above), the problem has to be on one of the intermediate certificates. Check them all for SHA1 and get the SHA2 ones instead.
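Both answers come down to inspecting the chain the client actually receives: Solution 1 says the leaf Chrome sees is issued by the local Avast shield rather than by the real CA, and Solution 2 says some certificate in the chain is still SHA-1 signed. The script below, added here as an illustration and not code from either answer, walks a PEM bundle with a minimal DER reader (standard library only) and reports each certificate's subject CN, issuer CN and signature algorithm, flagging SHA-1 signatures and a leaf whose issuer is not the expected one. The certificates it runs on are constructed in code with placeholder names ("GeoTrust SSL CA", "Avast Web/Mail Shield Root") and are not real or signed; in practice you would feed it the output of `openssl s_client -connect host:443 -showcerts`.

```python
"""Audit a PEM certificate chain for SHA-1 signatures and an unexpected leaf issuer.

Added example, standard library only. The sample chains at the bottom are
constructed in code (structurally valid DER, but unsigned toy certificates)
and the CA names in them are placeholders, not real CA certificates.
"""
import base64
import re

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) the checker knows by name.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
OID_CN = "2.5.4.3"  # X.520 commonName


def der_read(buf, pos=0):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element (SEQUENCE/SET) into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(raw):
    """Decode OID contents bytes to dotted form (first byte packs the first two arcs)."""
    arcs, cur = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def name_cn(name_val):
    """Return the commonName from an X.501 Name: SEQUENCE OF SET OF {OID, value}."""
    for _, rdn in der_children(name_val):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            if decode_oid(oid) == OID_CN:
                return val.decode("utf-8")
    return ""


def parse_cert(der):
    """Return (subject_cn, issuer_cn, signature_oid) from a DER-encoded Certificate."""
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), _signature = der_children(cert)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    # tbsCertificate: serialNumber, signature, issuer, validity, subject, ...
    issuer, subject = fields[2][1], fields[4][1]
    (_, oid), *_ = der_children(sig_alg)  # AlgorithmIdentifier {OID, parameters}
    return name_cn(subject), name_cn(issuer), decode_oid(oid)


def pem_to_ders(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def audit_chain(pem_text, expected_leaf_issuer_cn):
    """Findings: every SHA-1 signed certificate, plus a leaf not issued by the CA we expect."""
    findings = []
    for i, der in enumerate(pem_to_ders(pem_text)):
        subject, issuer, oid = parse_cert(der)
        alg = SIG_ALGS.get(oid, oid)
        if "sha1" in alg.lower():
            findings.append(f"cert {i} '{subject}' is signed with {alg}")
        if i == 0 and issuer != expected_leaf_issuer_cn:
            findings.append(f"leaf issued by '{issuer}', expected '{expected_leaf_issuer_cn}': local TLS interception?")
    return findings


# --- constructed sample data below: a tiny DER encoder to build unsigned toy certificates ---
def der_tlv(tag, value):
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + value


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk, a = chunk + [0x80 | (a & 0x7F)], a >> 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def make_cert(subject_cn, issuer_cn, sig_oid):
    """Constructed, unsigned certificate with just enough structure for parse_cert()."""
    def name(cn):
        return der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, encode_oid(OID_CN) + der_tlv(0x0C, cn.encode()))))
    alg = der_tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + alg + name(issuer_cn) + der_tlv(0x30, b"") + name(subject_cn))
    cert = der_tlv(0x30, tbs + alg + der_tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert).decode() + "\n-----END CERTIFICATE-----\n"


# Placeholder names; neither chain is a real certificate.
INTERCEPTED_CHAIN = make_cert("example.com", "Avast Web/Mail Shield Root", "1.2.840.113549.1.1.11")
SERVER_CHAIN = (
    make_cert("example.com", "GeoTrust SSL CA", "1.2.840.113549.1.1.11")
    + make_cert("GeoTrust SSL CA", "GeoTrust Global CA", "1.2.840.113549.1.1.5")  # SHA-1 intermediate
    + make_cert("GeoTrust Global CA", "GeoTrust Global CA", "1.2.840.113549.1.1.5")
)

if __name__ == "__main__":
    for label, chain in (("as seen by Chrome", INTERCEPTED_CHAIN), ("as served", SERVER_CHAIN)):
        print(label, audit_chain(chain, "GeoTrust SSL CA") or ["no findings"])
```

Run against a real `-showcerts` dump, the first chain shape (leaf issued by a local "shield" CA, one certificate only) is what an interception proxy produces on the client, and the second (correct issuer, SHA-1 further up) is what a remote scanner like Qualys SSL Labs sees directly from the server; the two disagree for exactly the reason the first answer gives. A self-signed root's own signature algorithm does not matter to browsers, so a SHA-1 root finding can be ignored if the root is in the trust store.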