How to Get Bitdefender to Use My Site's Actual Certificate
As part of the Encrypted web scan, Bitdefender injects a self-signed root CA certificate and substitutes that for my personal website's GlobalSign (AlphaSSL) certificate. Until I added it as an exception, I could not reach my website via Chrome and got a certificate error instead. I understand this "feature" exists so that Bitdefender can verify the certificate's validity. Since I paid for and installed my certificate, I'm sure it's valid, and I would like it to be used instead.
Turning off the Encrypted web scan fixes the issue temporarily until it re-enables itself, but that doesn't qualify as a fix. Bitdefender apparently has a list of trusted websites where it doesn't inject its self-signed certificate. How can I make my website act like one of those? There are passwords and data that I don't want Bitdefender to examine when I'm updating my website.
Attached is an image of what the certificate should be when I visit my website and a text version of the CRT file.
Comments
Hello,
The only solution I can think of here would be to add the website as an exception for the OTP module. You could try to remove the exception later on to check if the certificate issue persists. My assumption is that the certificate error will be cleared eventually if there's nothing wrong with it. In the event the error persists despite adding the exception, the Encrypted web scan feature can be temporarily disabled to allow access to that page. In any case, it is recommended to clear the cache and cookies from the browser beforehand, to avoid saving any previous browsing data that could still return this error even if it was removed in the meantime.
For additional advice regarding this and to further investigate a possible incorrect error message, I would recommend contacting Bitdefender Support using the link below:
State your contact reason / choose a request category, then choose from the available contact channels: chat, phone, and email/ticket. Chat would be the fastest way to reach them.
Let us know what worked for you.
Regards,
Alex
Premium Security & Bitdefender Endpoint Security Tools user
As mentioned in the original post, I added my website using the Manage exceptions link in the Online Threat Protection (OTP) section. At the time, I didn't think that fixed the issue, but that was a bit of a user error on my part. Chrome displays the URL as pcweenie.com, and that's exactly what I entered. That lets me access my website, but it is with the Bitdefender self-signed root CA certificate chain. After experimenting, I found that OTP requires the full URL, www.pcweenie.com. Once I edited that, my certificate was shown in place of the Bitdefender-issued one.
Since I have a wildcard certificate (*.pcweenie.com), I can make as many subdomains as I wish (e.g., checkout.pcweenie.com, blog.pcweenie.com, etc.). I have added several of the ones I have to the exception list. This does leave me with a fear that this scheme will break some commercial websites, but I have yet to discover them. For sites with a wildcard certificate, having pcweenie.com (or perhaps *.pcweenie.com) as an exception should be sufficient. That is how other certificate checkers handle it. That might be an improvement for a future version of Bitdefender.
This still leaves me questioning why Bitdefender didn't recognize my certificate as valid (and subsequently denied access to my website until I added pcweenie.com [and later www.pcweenie.com] as an exception). A subsidiary of GlobalSign issued my site's certificate. Is it because the root CA wasn't recognized, perhaps? Adding the exception "fixes" the issue, but that should not be necessary.
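The exact-hostname matching the poster observed in the OTP exception list, next to the wildcard-aware matching they suggest (the RFC 6125 rules certificate validators apply to `*.pcweenie.com`), as an added example that is not part of this thread or of Bitdefender's software; the function names and sample hostnames are constructed for illustration:

```python
"""Exception-list hostname matching: exact-match vs. wildcard-aware (added example).

Constructed to show why listing "pcweenie.com" did not cover "www.pcweenie.com"
under exact matching, and how a matcher that understands certificate-style
wildcards would treat "*.pcweenie.com". Names and hosts below are constructed.
"""
from typing import Iterable


def wildcard_matches(pattern: str, hostname: str) -> bool:
    """True if hostname matches pattern under RFC 6125 wildcard rules.

    The wildcard must be the entire left-most label, it matches exactly one
    label, it needs at least two fixed labels after it (so "*.com" is rejected),
    and it never matches the bare parent domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False  # partial-label or multiple wildcards are not allowed
    if len(h_labels) != len(p_labels):
        return False  # "*" covers exactly one label, not "a.b.pcweenie.com"
    return h_labels[1:] == p_labels[1:]


def is_excepted(exceptions: Iterable[str], hostname: str, wildcard_aware: bool) -> bool:
    """Check a hostname against an exception list.

    wildcard_aware=False mimics the exact-match behaviour described in the
    thread; wildcard_aware=True applies wildcard_matches() to each entry.
    """
    hostname = hostname.lower().rstrip(".")
    for entry in exceptions:
        if wildcard_aware:
            if wildcard_matches(entry, hostname):
                return True
        elif entry.lower().rstrip(".") == hostname:
            return True
    return False


if __name__ == "__main__":
    # Constructed hosts covered by a "*.pcweenie.com" wildcard certificate.
    for host in ("pcweenie.com", "www.pcweenie.com", "blog.pcweenie.com"):
        print(host, is_excepted(["pcweenie.com"], host, False),
              is_excepted(["pcweenie.com", "*.pcweenie.com"], host, True))
```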