Bob Schneider asked:

SSL Issue: Your site is not private message

I had an issue with my SSL so I installed another certificate. I am still getting the same error. The site is gsetiming.com. Note that the issue isn't on the home page... I assume because that is just an HTML page. But most other pages give me the error most of the time. (I posted this on this site earlier but with a slightly different focus. I hope this is ok.)

Thanks in advance for your help.
Bob Schneider (ASKER):

Follow up: I have another secure site on this server (gtraxc.com) that is also acting up now, but a third site (atq-quality.com) is behaving normally, as near as I can tell. I have checked SNI for all three sites.
Daryl Ponting:
The SSL certificate has been revoked which means it is no longer valid.  I would talk to the SSL certificate provider to find out why it was revoked.
noci:

ssllabs thinks this:
https://www.ssllabs.com/ssltest/analyze.html?d=gtraxc.com   (B at best) Certificate revoked and/or not verifiable
https://www.ssllabs.com/ssltest/analyze.html?d=gsetiming.com (B at best) Certificate revoked and/or not verifiable
Your server(s) support INSECURE protocols. See the reports. (They are effectively not secured.) Some SSL protocols get deprecated and cannot be used anymore... and SHOULD be hard disabled.

According to SSLLabs the certificates are not revoked, but the app stores & Mozilla think they are.... This is the expansion on that from SSLLabs:
https://www.ssllabs.com/ssltest/analyze.html?d=gsetiming.com#whyNotTrusted

Or maybe a problem with your CA:
$ openssl s_client -connect gtraxc.com:443 -crl_check_all
CONNECTED(00000003)
depth=0 CN = www.gtraxc.com
verify error:num=3:unable to get certificate CRL
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA DV SSL CA 2018
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify error:num=3:unable to get certificate CRL
verify return:1
depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign RSA DV SSL CA 2018
verify return:1
depth=0 CN = www.gtraxc.com
verify return:1
---
....
$ openssl s_client -connect gtraxc.com:443 -crl_check_all  -verify_return_error          
CONNECTED(00000003)
depth=0 CN = www.gtraxc.com
verify error:num=3:unable to get certificate CRL
140158703531840:error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:1913:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 3556 bytes and written 319 bytes
Verification error: unable to get certificate CRL
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 860900001B75740D6B4F3B4725B90B3E62F855589BC66DB594C031F66EF26EFF
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1611530330
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---

ATQ is better: https://www.ssllabs.com/ssltest/analyze.html?d=atq%2dquality.com   Its security leaves a lot to be desired, as it only scores a B.
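An added example (not part of noci's post) of what the openssl run above was missing: openssl s_client does not download CRLs on its own, so -crl_check_all reports "unable to get certificate CRL" whatever the certificate's real status, and the CRL has to be supplied explicitly. The script builds a throwaway CA and leaf, issues a CRL before and after revoking the leaf, and verifies against each; it assumes only that the openssl command-line tool is installed.

```shell
#!/bin/sh
# Constructed throwaway PKI in a temp dir: a CA, a leaf it issued, and two CRLs
# (before and after revoking the leaf). Nothing here touches a real site.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Throwaway CA and a leaf certificate issued by it (constructed test data).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root CA" \
  -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -days 30 -out leaf.pem 2>/dev/null

# Minimal 'openssl ca' config: a database file is all that issuing a CRL needs.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_crl_days = 7
EOF
: > index.txt
openssl ca -config ca.cnf -gencrl -out crl-before.pem 2>/dev/null
openssl ca -config ca.cnf -revoke leaf.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl-after.pem 2>/dev/null

# crl_status <leaf> <ca> <crl>: echoes OK, REVOKED or ERROR; returns 0, 1 or 2.
# For a real site, fetch <crl> from the URL shown by:
#   openssl x509 -in leaf.pem -noout -ext crlDistributionPoints
crl_status() {
  if out=$(openssl verify -crl_check -CAfile "$2" -CRLfile "$3" "$1" 2>&1); then
    echo OK; return 0
  fi
  case "$out" in
    *"certificate revoked"*) echo REVOKED; return 1 ;;
    *) echo "ERROR: $out"; return 2 ;;
  esac
}

crl_status leaf.pem ca.pem crl-before.pem || true   # empty CRL: OK
crl_status leaf.pem ca.pem crl-after.pem  || true   # leaf listed: REVOKED
```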

Its security leaves a lot to be desired, as it only scores a B.

But then again, so does
Google.com
Facebook.com
Amazon.com
Microsoft.com

In fact, it's more common than not but that will change at some point
Using SSLLabs it can quickly be transformed to A, possibly A+...
(Google & Facebook susceptible to POODLE... think not).
They still allow TLS 1.0 and TLS 1.1.... that will probably be removed in the coming months.

The above mentioned sites still allow RC4, which was broken some time ago....

The above mentioned sites still allow RC4, which was broken some time ago

Agreed, though Facebook.com using it (even only with older protocols) was surprising

Microsoft.com not supporting Forward Secrecy wasn't really that much of a surprise :\
SOLUTION
David Favor

ASKER CERTIFIED SOLUTION
Facebook caring about privacy and security?... that would be new.
Same for Microsoft actually caring for security of others.

+1 for noci's comment about Facebook + Microsoft.
https://www.ssllabs.com/ssltest/analyze.html?d=davidfavor.com provides a report of what I target for cert quality.

For now, you'll always have Cipher Strength 90 when running TLSv1.3, which I do because TLSv1.3 provides some speed benefits under certain circumstances.

Said differently, A+ is the minimum score I allow when I deploy a site.

This provides best user experience when accessing a site.
David, do I have to do anything on IIS other than install the new certificate? Also, are there instructions for installing in IIS 10?

Anything you can tell me about "badly broken" would be much appreciated

Thank you all!

Never mind that last comment. I see you gave me a site to look at for issues. Thank you!
Links for your site are already mentioned in this comment: https://www.experts-exchange.com/questions/29206157/SSL-Issue-Your-site-is-not-private-message.html#a43231196
(the results from yesterday are still there, unless you forced a rescan).
My comments about breakage above.

To me, any < A+ score is broken, or rather, I only deploy A+ sites into the wild, as having an A+ score resolves many oddball edge conditions which can show up in browsers.

Whether Windows or Linux or OSX, you'll generate a cert once + install it, then set up a nightly CRON (or equivalent) job to run the command...

certbot renew --non-interactive --no-self-upgrade --post-hook "service-bounce"

Which will auto-magically renew all certs.

Your service-bounce script will collect together all service restart commands required to ingest a new cert.

For example, this will usually include HTTPS + IMAPS + SQL or any other services which require a restart or reload each time a new cert becomes available... like when a renewal occurs...
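A post-hook of the kind described above, as an added example (not David's own script): it reloads each service, then confirms every TLS listener really presents the renewed certificate, which is exactly the check the asker's "installed a new cert, still getting the error" situation called for. The certificate path, service names and listener list are hypothetical placeholders, and the host is assumed to use systemd and have the openssl tool installed.

```shell
#!/bin/sh
# service-bounce: run by  certbot renew --post-hook /usr/local/sbin/service-bounce
# Reloads the services that consume the renewed cert, then checks what is served.
CERT="${CERT:-/etc/letsencrypt/live/example.test/fullchain.pem}"   # placeholder path
SERVICES="${SERVICES:-nginx dovecot postfix}"                       # placeholder services
LISTENERS="${LISTENERS:-example.test:443 example.test:993}"         # placeholder host:port
DRY_RUN="${DRY_RUN:-0}"

# file_fpr <pem>: SHA-256 fingerprint of the first certificate in the file
file_fpr() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# live_fpr <host> <port>: fingerprint of the leaf a listener presents (SNI set,
# since a wrong SNI binding serves the wrong cert and looks like the asker's error)
live_fpr() {
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# certs_match <pem-a> <pem-b>: true when both files carry the same certificate
certs_match() { [ "$(file_fpr "$1")" = "$(file_fpr "$2")" ]; }

# bounce <service>: reload if the unit supports it, otherwise restart
bounce() {
  if [ "$DRY_RUN" = 1 ]; then echo "would run: systemctl reload-or-restart $1"; return 0; fi
  systemctl reload-or-restart "$1"
}

main() {
  rc=0
  for s in $SERVICES; do
    bounce "$s" || { echo "service-bounce: reload of $s failed" >&2; rc=1; }
  done
  [ "$DRY_RUN" = 1 ] && return "$rc"
  want=$(file_fpr "$CERT")
  for hp in $LISTENERS; do
    got=$(live_fpr "${hp%:*}" "${hp#*:}")
    [ "$got" = "$want" ] || { echo "service-bounce: $hp serves $got, expected $want" >&2; rc=1; }
  done
  return "$rc"
}

# Refuse to bounce anything when the cert path is wrong (misconfigured hook).
if [ -r "$CERT" ] || [ "$DRY_RUN" = 1 ]; then
  main
else
  echo "service-bounce: $CERT not readable, nothing bounced" >&2
fi
```

Run it once by hand with DRY_RUN=1 to see the commands it would issue before wiring it into the cron job.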
Also, getting an A+ now will deteriorate automatically to A, then B, due to deprecation of hashes and encryption methods.