Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: t-wirth.de / backprod.de
The operating system my web server runs on is (include version): Ubuntu 20.04.2
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin / Command Line
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0
I have two domains, both using Let's Encrypt certificates. For one domain I'm getting the "Cert is unsigned" message when running https://www.checktls.com/
Output for t-wirth.de:
[000.743] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 4 (sent by MX):
Cert signed by: #2
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.t-wirth.de = *.t-wirth.de | DNS:*.t-wirth.de | DNS:t-wirth.de)
Not Valid Before: Jun 20 08:03:58 2021 GMT
Not Valid After: Sep 18 08:03:57 2021 GMT
subject= /CN=*.t-wirth.de
issuer= /C=US/O=Let's Encrypt/CN=R3
Certificate #2 of 4 (sent by MX):
Cert signed by: #3, #4
Cert VALIDATED: ok
Not Valid Before: Sep 4 00:00:00 2020 GMT
Not Valid After: Sep 15 16:00:00 2025 GMT
subject= /C=US/O=Let's Encrypt/CN=R3
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #3 of 4 (added from CA Root Store):
Cert signed by: #3, #4
Cert VALIDATED: ok
Not Valid Before: Jun 4 11:04:38 2015 GMT
Not Valid After: Jun 4 11:04:38 2035 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
Certificate #4 of 4 (sent by MX):
Cert is unsigned
Cert VALIDATED:
Not Valid Before: Jan 20 19:14:03 2021 GMT
Not Valid After: Sep 30 18:14:03 2024 GMT
subject= /C=US/O=Internet Security Research Group/CN=ISRG Root X1
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
When doing the same on backprod.de the output is:
[001.822] Connection converted to SSL
SSLVersion in use: TLSv1_3
Cipher in use: TLS_AES_256_GCM_SHA384
Perfect Forward Secrecy: yes
Certificate #1 of 3 (sent by MX):
Cert signed by: #2
Cert VALIDATED: ok
Cert Hostname VERIFIED (mail.backprod.de = *.backprod.de | DNS:*.backprod.de | DNS:backprod.de)
Not Valid Before: May 1 00:05:46 2021 GMT
Not Valid After: Jul 30 00:05:46 2021 GMT
subject= /CN=*.backprod.de
issuer= /C=US/O=Let's Encrypt/CN=R3
Certificate #2 of 3 (sent by MX):
Cert signed by: #3
Cert VALIDATED: ok
Not Valid Before: Oct 7 19:21:40 2020 GMT
Not Valid After: Sep 29 19:21:40 2021 GMT
subject= /C=US/O=Let's Encrypt/CN=R3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate #3 of 3 (added from CA Root Store):
Cert signed by: #3
Cert VALIDATED: ok
Not Valid Before: Sep 30 21:12:19 2000 GMT
Not Valid After: Sep 30 14:01:15 2021 GMT
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
This means the whole chain seems to be different.
When running the command
openssl s_client -connect mail.t-wirth.de:25 -starttls smtp
Certificate chain
0 s:CN = *.t-wirth.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
openssl s_client -connect mail.backprod.de:25 -starttls smtp
Certificate chain
0 s:CN = *.backprod.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
Any ideas? I recreated the t-wirth.de certificate today, but this did not change anything. The backprod.de certificate was created a while ago. I have checked the fullchain files: the old one (backprod.de) only includes two parts, whereas the new one (t-wirth.de) contains three parts. Is this "unsigned" message something I should be worried about, and could it be avoided? I don't see a difference in how the certificates are created; they are both created by the dehydrated script, and at least currently the configuration files are identical. I'm also using the letsencrypt tool myself with another domain, which is getting the same warning.
A second thing I noticed is that:
t-wirth.de - TLS / STARTTLS Test · SSL-Tools runs into errors (no certificates found, which does not make sense at all), whereas
backprod.de - TLS / STARTTLS Test · SSL-Tools runs without problems.
Other test pages tell me SSL / DANE is good for both domains,
e.g. Hardenize Report: t-wirth.de
I have also checked older versions of the full chains for the same domains. In the past they had two parts; now they have three, and the warning seems to be connected to that change. The old files (without the warning and with two parts) are from April, the newer ones (with three parts and the warning) from May. And it does not matter whether they are created with dehydrated or letsencrypt. It seems this change happened in May. It could be an update of certbot in the Ubuntu repositories, maybe. Have I missed a configurable change in behavior?
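The two openssl s_client outputs in the post differ in how the chain ends: the older backprod.de bundle stops at an R3 issued by DST Root CA X3, while the newer t-wirth.de bundle carries an R3 issued by ISRG Root X1 plus a copy of ISRG Root X1 that is itself cross-signed by DST Root CA X3 (the longer form Let's Encrypt made its default chain in May 2021). The script below is an added example, not the poster's configuration and not Let's Encrypt's or dehydrated's code. It builds a constructed toy hierarchy with exactly that shape (Root-Old standing in for DST Root CA X3, Root-New for ISRG Root X1, Inter for R3, mail.example.test for the mail host; every name and key is made up and generated on the fly), lists the subject/issuer links of each bundle the way a checker does, and verifies each bundle with only one root trusted. It needs only a POSIX shell and the openssl binary and contacts no server.

```bash
#!/bin/sh
# Added example (not from the original post or from Let's Encrypt). Builds a
# constructed toy PKI shaped like the two chains in the question and shows how
# to list each bundle's links and verify it with only one root trusted.
# Root-Old stands in for DST Root CA X3, Root-New for ISRG Root X1, Inter for
# R3, mail.example.test for the mail host. Nothing here contacts a real server.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config so the demo does not depend on the distro openssl.cnf.
CFG=demo.cnf
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
CN = placeholder
[ca]
basicConstraints = critical, CA:TRUE
[leaf]
basicConstraints = critical, CA:FALSE
EOF

# mk_root NAME CN : self-signed root with a fresh key
mk_root() {
  openssl req -x509 -config "$CFG" -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Demo/CN=$2" -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

# mk_signed NAME CN ISSUER EXTSECTION [KEYFILE] : certificate for CN signed by
# ISSUER. Passing KEYFILE reuses an existing key; that is how a cross-signed
# certificate (same subject and key, different issuer) is produced.
mk_signed() {
  if [ -n "$5" ]; then
    openssl req -new -config "$CFG" -key "$5" -subj "/O=Demo/CN=$2" \
      -out "$1.csr" 2>/dev/null
  else
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes -keyout "$1.key" \
      -subj "/O=Demo/CN=$2" -out "$1.csr" 2>/dev/null
  fi
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 365 -extfile "$CFG" -extensions "$4" -out "$1.pem" 2>/dev/null
}

build_demo_pki() {
  mk_root root-old "Root-Old"
  mk_root root-new "Root-New"
  # Root-New's key also gets a certificate issued by Root-Old (the cross-sign).
  mk_signed root-new-cross "Root-New" root-old ca root-new.key
  # One intermediate key, two certificates for it: issued by Root-New and by Root-Old.
  mk_signed inter-new "Inter" root-new ca
  mk_signed inter-old "Inter" root-old ca inter-new.key
  mk_signed leaf "mail.example.test" inter-new leaf
  # Two-part bundle: leaf + Inter(issued by Root-Old), like the backprod.de output.
  cat leaf.pem inter-old.pem > short.pem
  # Three-part bundle: leaf + Inter(issued by Root-New) + cross-signed Root-New,
  # like the t-wirth.de output.
  cat leaf.pem inter-new.pem root-new-cross.pem > long.pem
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# chain_links BUNDLE : print subject and issuer of every certificate in the bundle
chain_links() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# verify_against ROOT BUNDLE : succeeds if the leaf chains to ROOT using only
# the certificates in BUNDLE as untrusted intermediates
verify_against() {
  openssl verify -CAfile "$1.pem" -untrusted "$2" leaf.pem >/dev/null 2>&1
}

build_demo_pki
for b in short.pem long.pem; do
  echo "== $b ($(count_certs "$b") certificates)"
  chain_links "$b"
done
for root in root-old root-new; do
  for b in short.pem long.pem; do
    if verify_against "$root" "$b"; then r=OK; else r=FAIL; fi
    echo "$b with only $root trusted: $r"
  done
done
```

The three-part bundle validates whether the old or the new root is the only one trusted, because the cross-signed copy of Root-New bridges to Root-Old; the two-part bundle validates only with Root-Old. A live server's bundle can be captured with `openssl s_client -connect host:25 -starttls smtp -showcerts </dev/null` and fed to chain_links and verify_against the same way, with -CAfile pointing at the system trust store.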