BUG (?): Chrome doesn't trust Let's Encrypt anymore


#1

Attached three screenshots.

Everything seems fine in Firefox and Safari. Chrome says that the certificate is signed by an unknown authority.

api.csbubbles.com

Chrome: Version 53.0.2785.143 (64-bit)


#2

Your web server isn’t configured to send the entire certificate chain. Some web browsers are more forgiving than others. Firefox, for example, isn’t actually “fine”. It will work for users who have successfully visited other websites using Let’s Encrypt (and cached the missing intermediate), and will fail with a similar error message for those who have not.

https://whatsmychaincert.com/
https://www.ssllabs.com/ssltest/analyze.html?d=api.csbubbles.com&hideResults=on

What web server are you using? For example, with Apache, if you have something like this:

SSLCertificateFile /etc/letsencrypt/live/api.csbubbles.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api.csbubbles.com/privkey.pem

you need to change it to:

SSLCertificateFile /etc/letsencrypt/live/api.csbubbles.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api.csbubbles.com/privkey.pem

or (before Apache 2.4.8):

SSLCertificateFile /etc/letsencrypt/live/api.csbubbles.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/api.csbubbles.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/api.csbubbles.com/privkey.pem
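
The three Apache configurations above can be checked offline before reloading the server. This is an added example, not part of the original post: it counts the PEM certificates that `SSLCertificateFile` and `SSLCertificateChainFile` point to and flags a leaf-only setup. The function names are hypothetical, the text passed in is assumed to be a single virtual host, and it only counts PEM blocks (it does not verify that the extra certificate is the leaf's issuer).

```python
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)
DIRECTIVES = {"sslcertificatefile", "sslcertificatechainfile"}

def count_certs(path):
    """Count PEM CERTIFICATE blocks in a file (0 if it cannot be read)."""
    try:
        return len(PEM_CERT.findall(Path(path).read_text(errors="replace")))
    except OSError:
        return 0

def parse_directives(conf_text):
    """Map lower-cased directive name to the last path given for it."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        # Directive names are case-insensitive; '#' lines never match a name.
        if len(parts) == 2 and parts[0].lower() in DIRECTIVES:
            found[parts[0].lower()] = parts[1].strip().strip('"')
    return found

def audit_chain(conf_text):
    """Return (ok, message) for the TLS directives of one virtual host."""
    d = parse_directives(conf_text)
    cert_file = d.get("sslcertificatefile")
    if cert_file is None:
        return False, "no SSLCertificateFile directive"
    served = count_certs(cert_file)
    if served == 0:
        return False, f"{cert_file}: no PEM certificate found"
    if "sslcertificatechainfile" in d:
        served += count_certs(d["sslcertificatechainfile"])
    if served < 2:
        return False, "leaf certificate only, no intermediate configured"
    return True, f"leaf plus {served - 1} intermediate certificate(s)"

if __name__ == "__main__":
    # Constructed sample: placeholder PEM body, not a real certificate.
    block = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
    tmp = Path(tempfile.mkdtemp())
    (tmp / "cert.pem").write_text(block)
    (tmp / "fullchain.pem").write_text(block * 2)
    for name in ("cert.pem", "fullchain.pem"):
        print(name, audit_chain(f"SSLCertificateFile {tmp / name}\n"))
```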

#3

Thanks Matt. I’ve added the SSLCertificateChainFile record, now it seems to be working fine in Chrome.

