Certificate is not trusted in all web browsers

My domain is: https://directorslibrary.com/

On my desktop the website and SSL works correctly, but on my laptop it doesn't — other users have also reported that it is not working for them — and the site is saying insecure and unable to view the page.

I ran the site on SSL SHOPPER and got:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

I am on AWS Lightsail.

Can anyone help me fix this issue? I was on chat with AWS for several hours and they could not help.

Regards,

How did you get and install the certificate?

I believe it was issued on Lightsail via SSH Terminal.

Could you perhaps elaborate more on that? Which ACME client? What command? What was the output? Which webserver? How did you install the certificate issued with the ACME client in said webserver?

2 Likes

We tried to renew the SSL certificate using /opt/bitnami/bncert-tool. However, it failed to renew the SSL certificate, as the apache configuration was modified/customized manually or the SSL certificate was generated and installed manually previously.

Then we tried to generate a new SSL certificate using certbot command after stopping the apache service temporarily:


sudo /opt/bitnami/ctlscript.sh stop apache
sudo certbot certonly --standalone -d directorslibrary.com -d www.directorslibrary.com
sudo /opt/bitnami/ctlscript.sh start apache

Also we created a symbolic link to the newly generated SSL certificate. So it is not necessary to edit apache virtual host configuration when you renew the SSL certificate using certbot later.

To which files were those symbolic links made?

1 Like

I'm not 100% sure — "to the newly generated SSL certificate."

If you could find out, that would be helpful. You need to use fullchain.pem instead of cert.pem.

3 Likes

I was also given this command for the future —

Also, if you want to renew the SSL certificate at a later time, then you can use the below commands:


sudo /opt/bitnami/ctlscript.sh stop apache
certbot certonly --standalone renew
sudo /opt/bitnami/ctlscript.sh start apache

Edit your apache configuration to point to the fullchain.pem file as mentioned by @Osiris - the issue is that your certificate chain served by apache does not include the R3 intermediate certificate, which it normally would.

5 Likes

That worked, thank you so much!

1 Like

So, for clarification, it was not the actual Certificate itself but not selecting (pointing to) the needed Certificate.
Is my understanding correct?

3 Likes

A link was made to the certificate, but it was pointing to cert.pem instead of fullchain.pem — on some browsers/systems it was happy to secure with just cert.pem, but others were not. Pointing to fullchain.pem fixed this issue for all.

5 Likes
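
Added example, not part of the thread and not code from any poster, Certbot or Bitnami: a shell check for the fault diagnosed above, which follows each `SSLCertificateFile` entry through its symbolic link and counts the certificates in the file Apache would actually serve. The function names, the `server.crt` link name and the placeholder PEM files are constructed for illustration, and counting PEM blocks is a heuristic (one block means leaf only, as with cert.pem).

```shell
#!/usr/bin/env bash
# Added example: does the file Apache is configured to serve include the chain?

# Count PEM certificate blocks in a file (1 = leaf only, 2+ = leaf plus chain).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# For every SSLCertificateFile directive in a config file, print
# "<resolved path> <certificate count> <verdict>".
check_apache_conf() {
    local conf=$1 path real n has_chain=no
    # A separate SSLCertificateChainFile (older Apache style) also supplies the chain.
    grep -Eiq '^[[:space:]]*SSLCertificateChainFile[[:space:]]' "$conf" && has_chain=yes
    grep -Ei '^[[:space:]]*SSLCertificateFile[[:space:]]' "$conf" |
    awk '{ gsub(/"/, "", $2); print $2 }' |
    while read -r path; do
        real=$(readlink -f -- "$path")   # follow links such as server.crt -> cert.pem
        n=$(count_certs "$real")
        if [ -z "$n" ]; then
            echo "$real 0 UNREADABLE"
        elif [ "$n" -ge 2 ] || [ "$has_chain" = yes ]; then
            echo "$real $n OK"
        else
            echo "$real $n MISSING_INTERMEDIATE"
        fi
    done
}

# Build a constructed layout: placeholder PEM files, a symlink and a vhost file.
# $1 selects the link target (cert.pem or fullchain.pem); prints the vhost path.
make_demo() {
    local d block
    d=$(mktemp -d)
    block='-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER\n-----END CERTIFICATE-----\n'
    printf '%b' "$block" > "$d/cert.pem"                   # leaf only
    printf '%b%b' "$block" "$block" > "$d/fullchain.pem"   # leaf + intermediate
    ln -s "$d/${1:-cert.pem}" "$d/server.crt"
    printf 'SSLEngine on\nSSLCertificateFile "%s/server.crt"\n' "$d" > "$d/vhost.conf"
    echo "$d/vhost.conf"
}

# Demo on the constructed files: the first link reproduces the fault, the second the fix.
check_apache_conf "$(make_demo cert.pem)"
check_apache_conf "$(make_demo fullchain.pem)"
```

On a real server, pass the path of the virtual host file that holds the `SSLCertificateFile` line to `check_apache_conf`.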

Ah, I see. Thanks @tar_mack, keeping track of the pieces can be difficult. Seeing others' experiences helps me, like when I do code reviews it helps me code better in the future. :smile:

3 Likes
