Certificate shows NET::ERR_CERT_AUTHORITY_INVALID on all machines

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://kiseni.com

My web server is Microsoft IIS 10

The operating system my web server runs on is (include version): Windows Server 2016 DataCenter Edition

My hosting provider, if applicable, is: Contabo

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk Obsidian

Hello, I am writing here again with an entry related to kiseni.com. Apparently there is a problem with the wildcard certificate from Let’s Encrypt. As soon as I call up my domain I get the error described in the title. According to SSLChecker the certificate and the chain are correct.

Thanks in advance!

Best regards!

1 Like

The certificate path appears correct and the site loads properly on my system. You should check your computer’s trust store and ensure ISRG Root X1 and DST Root CA X3 appear there.

Also verify against a computer on a different network; there is a possibility some sort of SSL inspection or other network device is intercepting the connection. (This can also happen with some antivirus products.)

3 Likes

Hi @x1x11x

there is a check of your domain, ~~3 hours old - https://check-your-website.server-daten.de/?q=kiseni.com

There is no critical problem visible.

A valid wildcard

CN=kiseni.com | 05.12.2019 | 04.03.2020 | expires in 19 days | *.kiseni.com, kiseni.com - 2 entries

both connections use that, no mixed content.

So it’s not a general problem. Share a screenshot.

2 Likes

Hi!
sorry for my late response, here is the screenshot as requested.

No issues for me with loading the site. I suggest you clear your browser cache or test in a different browser. Happened to me the other day & I had to do that cause it was only happening in my Chrome browser.

Pull up the certificate details; that will provide more information about the problem. You should be able to click the “Not Secure” icon in the top left of the page next to the address bar (not sure what it is in German though), then click Certificate and provide the information there.

1 Like

We need the result of “Erweitert”.

And click on

NET::ERR_CERT_COMMON_NAME_INVALID

then the certificate is visible.

1 Like

Here are the requested infos:

And as text:

NET::ERR_CERT_AUTHORITY_INVALID
Subject: www.kiseni.com

Issuer: FGT60E4Q16019307

Expires on: 19.01.2038

Current date: 18.02.2020

PEM encoded chain:
This is not a secure connection
Hackers might be trying to steal your data from www.kiseni.com, for example passwords, messages or credit card details. More information

Best regards!

That’s not a Let’s Encrypt certificate (or a certificate from any publicly trusted CA).

This is 100% a guess, but “FGT60E4Q16019307” sounds like it could have been issued by a Fortinet FortiGate 60E. (Maybe “4Q16019307” is when it was manufactured and the serial number.)

Do you have one of those?

Is it configured to do HTTPS interception?

Are you sure your DNS records and hosts file are correct?

1 Like

Yes, we have a FortiGate in use. I just find it interesting that this error only occurs behind this firewall, so you can assume that this is not a problem of Let’s Encrypt?

Correct. The FortiGate is intercepting the connection, and because of this you see the certificate generated by the FortiGate, which isn’t trusted on any device by default.

I don’t know much about FortiGate and have never used it, but if you have access to manage it you should be able to disable that function. (I had a link here, but after reading it a second time I think it’s a simpler matter of just going into the inspection menu and turning off deep scan.)

You probably don’t want to do that.

Very good news! I am glad that it is FortiGate and not Let’s Encrypt.
Thanks for the help!

1 Like
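The comparison this thread works through by hand, as an added example that is not part of the original posts: it parses the browser error details pasted above and checks them against what the external check reported for the same site. The function names and the expected issuer name are assumptions made for the example.

```python
from datetime import datetime

# Error details as pasted in the thread (the view from behind the firewall).
LOCAL_VIEW = """NET::ERR_CERT_AUTHORITY_INVALID
Subject: www.kiseni.com
Issuer: FGT60E4Q16019307
Expires on: 19.01.2038
"""
# Names and expiry the external check in the thread reported for the same site.
EXTERNAL_VIEW = {"names": ["*.kiseni.com", "kiseni.com"], "not_after": "04.03.2020"}
# Assumption: the issuer name the site operator expects; not stated on the page.
EXPECTED_ISSUERS = {"Let's Encrypt Authority X3"}
DATE_FMT = "%d.%m.%Y"


def parse_browser_details(text):
    """Parse the browser's 'Key: value' lines; the NET:: line is the error code."""
    details = {}
    for line in (ln.strip() for ln in text.splitlines()):
        if line.startswith("NET::"):
            details["error"] = line
        elif ":" in line:
            key, _, value = line.partition(":")
            details[key.strip().lower()] = value.strip()
    return details


def name_covered(host, names):
    """True if host equals a name or matches a '*.' name one label deep."""
    host = host.lower()
    parent = host.split(".", 1)[1] if "." in host else None
    return any(n.lower() == host or (n.startswith("*.") and n[2:].lower() == parent)
               for n in names)


def compare_views(local_text, external, expected_issuers):
    """Return the differences between the local and the external certificate view."""
    local = parse_browser_details(local_text)
    findings = []
    if local.get("issuer") not in expected_issuers:
        findings.append("unexpected issuer: %s" % local.get("issuer"))
    local_exp = datetime.strptime(local["expires on"], DATE_FMT)
    if local_exp != datetime.strptime(external["not_after"], DATE_FMT):
        findings.append("expiry differs: local %s, external %s"
                        % (local["expires on"], external["not_after"]))
    if not name_covered(local["subject"], external["names"]):
        findings.append("subject %s not in external names" % local["subject"])
    return findings
```

Calling `compare_views(LOCAL_VIEW, EXTERNAL_VIEW, EXPECTED_ISSUERS)` returns two findings (issuer and expiry). A non-empty result means the client is not being shown the certificate the server presents to the outside, which points at the network path or the client rather than at the server's certificate.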
