Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
platform.rgsgames.com
I ran this command:
echo | openssl s_client -connect platform.rgsgames.com:443
It produced this output:
$ echo | openssl s_client -connect platform.rgsgames.com:443
CONNECTED(00000004)
depth=0 CN = platform.rgsgames.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = platform.rgsgames.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = platform.rgsgames.com
verify return:1
Certificate chain
0 s:CN = platform.rgsgames.com
i:C = US, O = Let's Encrypt, CN = R11
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
subject=CN = platform.rgsgames.com
issuer=C = US, O = Let's Encrypt, CN = R11
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
SSL handshake has read 1773 bytes and written 459 bytes
Verification error: unable to verify the first certificate
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 623F629AA660DCD686BA62C6A351665FB31C61F2C9B96EB38212F4D910B31CED
Session-ID-ctx:
Master-Key: C1C1910E80399FAFEF9B7131FB3BE787A611C65049181913304B66DA66425B8C865C1AA6C8B04654D4511D43E7E5DB67
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1717936695
Timeout : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no
DONE
My web server is (include version):
apache but the renewed certificate is loaded on Citrix load balancer set as SSL Offload
The operating system my web server runs on is (include version):
CentOS7
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
The problem I have is that when the client is an application server or AWS CloudFront, it reads the output I posted above and classifies the certificate as "untrusted" because of this message in the output:
"
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = platform.rgsgames.com
verify error:num=21:unable to verify the first certificate
verify return:1
"
The only thing I can see here is that something changed in the chain, specifically with the CN: it was R3 before the last renewal and now it's R11.
How can this be fixed?
Please help.
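What the transcript above shows is a server that sends only the leaf certificate: the "Certificate chain" section lists a single entry (depth 0) whose issuer is the Let's Encrypt R11 intermediate, but R11 itself is never sent, so a client that does not already have that intermediate cached cannot build a path to a trusted root and stops with verify code 21. The following script, added here as an illustration and not part of the original post, parses an `openssl s_client` transcript and reports whether the served chain is complete. Both transcripts embedded in it are constructed: the first mirrors the post's output (certificate body omitted), the second is a hypothetical healthy version of the same host serving leaf plus R11 intermediate, which is what a fixed load balancer would return.

```python
"""Detect an incomplete certificate chain in an `openssl s_client` transcript.

The "Certificate chain" section of s_client output lists each certificate the
server sent as an ' N s:<subject>' line followed by an '   i:<issuer>' line.
Walking that list tells us whether the server supplied the intermediate(s) a
client needs, which is exactly what "unable to verify the first certificate"
(verify return code 21) complains about.
"""
import re

# Constructed sample modelled on the output in the post: only the leaf is sent.
INCOMPLETE_OUTPUT = """\
CONNECTED(00000004)
depth=0 CN = platform.rgsgames.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = platform.rgsgames.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = platform.rgsgames.com
   i:C = US, O = Let's Encrypt, CN = R11
---
Server certificate
subject=CN = platform.rgsgames.com
issuer=C = US, O = Let's Encrypt, CN = R11
---
Verify return code: 21 (unable to verify the first certificate)
"""

# Constructed (hypothetical) sample of the same host serving leaf + R11 intermediate.
COMPLETE_OUTPUT = """\
CONNECTED(00000004)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R11
verify return:1
depth=0 CN = platform.rgsgames.com
verify return:1
---
Certificate chain
 0 s:CN = platform.rgsgames.com
   i:C = US, O = Let's Encrypt, CN = R11
 1 s:C = US, O = Let's Encrypt, CN = R11
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
Verify return code: 0 (ok)
"""

_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")
_VERIFY_RE = re.compile(r"^Verify return code: (\d+)", re.MULTILINE)


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, pending_subject = [], None
    for line in output.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:
            pending_subject = m.group(2).strip()
            continue
        m = _ISSUER_RE.match(line)
        if m and pending_subject is not None:
            chain.append((pending_subject, m.group(1).strip()))
            pending_subject = None
    return chain


def verify_return_code(output):
    """Return the integer verify code from the transcript, or None if absent."""
    m = _VERIFY_RE.search(output)
    return int(m.group(1)) if m else None


def diagnose(output):
    """Classify the served chain: no_chain, broken, incomplete, untrusted_root or ok."""
    chain = parse_chain(output)
    code = verify_return_code(output)
    result = {"chain_length": len(chain), "verify_code": code, "missing": None}
    if not chain:
        result["status"] = "no_chain"
        return result
    # Each certificate's issuer must be the subject of the next one sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            result["status"], result["missing"] = "broken", issuer
            return result
    last_subject, last_issuer = chain[-1]
    if code == 0:
        result["status"] = "ok"
    elif last_subject != last_issuer:
        # Chain stops at a certificate that is not self-issued: the server
        # omitted the intermediate (or a higher link) that clients need.
        result["status"], result["missing"] = "incomplete", last_issuer
    else:
        result["status"] = "untrusted_root"
    return result


if __name__ == "__main__":
    for label, sample in (("as posted", INCOMPLETE_OUTPUT), ("with intermediate", COMPLETE_OUTPUT)):
        print(label, diagnose(sample))
```

Running it against the first sample reports `incomplete` with the R11 intermediate named as the missing link; against the second it reports `ok`. The script only diagnoses; the usual remedy is to install the intermediate together with the leaf on whatever terminates TLS (here the Citrix load balancer doing SSL offload), which for Certbot-issued certificates means deploying `fullchain.pem` rather than `cert.pem` alone.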