Certificate is not trusted on all browsers - FreeSSL.tech Auto

My problem is the following: I was able to get a LetsEncrypt thanks to the great FreeSSL.tech Auto app which is a PHP LE client.
The problem occurred when I tried to connect a plugin to my site. It revealed the following problem:
" The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."

But I don’t know where I missed a step. I indicated the Cert, CAbundle and pem to my hosting provider, indeed was able to activate https but never saw anything about an “intermediate chain” whatsoever and just started to discover the IdenTrust aspect of LE.

=======================================
My domain is: fabiencrescent.com

I ran this command: Commands were run by FreeSSL.tech Auto app to issue the SSL certificate

It produced this output: “Please find the SSL files at the locations given below (web hosting log in required to access) and install SSL manually with the help of your web hosting service provider. It is recommended not to download the SSL files for security reason. Please copy the SSL locations and send the text to your web host.” (this message appeared in the FreeSSL.tech LE/acme/php client when I asked to issue a Cert; it was followed by the folders where cabundle, pem and crt were located)

My web server is (include version): LiteSpeed

The operating system my web server runs on is (include version): Linux … couldn’t find through putty/bash command :confused:

My hosting provider, if applicable, is: Hostinger

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes , it’s called “hPanel” at Hostinger if I understand well…

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): my acme/LE client is FreeSSL.tech Auto (https://freessl.tech/documentation-free-ssl-certificate-automation)

==================================

Your help would be more than welcome (for the installation of this… intermediate chain apparently), thank you !

Edit : I just noticed that my SSL scan said there was a 4096bits Cert which was detected; which is weird because it is supposed to be the SSL certificate of another domain that my Hosting provider offered for free … hope it doesn’t cause my intermediate chain bug… (https://www.ssllabs.com/ssltest/analyze.html?d=fabiencrescent.com)

You are missing the intermediate certificate.

When you upload to your hosting control panel, you need to upload:

  • your private key (:white_check_mark: )
  • your certificate (:white_check_mark: )
  • your intermediate certificates (sometimes called “CA Bundle” or “CA Certificates”) (:x:)

If you do all 3 parts, the trust issue should go away.

Is your confusion in identifying the intermediate certificate? It is the same as cabundle.

This is weird because I copy-pasted the content of “cabundle.pem” and my SSL cert was detected by my hosting provider (renewed to Dec 1st).

The folder contains this :

  • cabundle.pem (it took this)
  • certificate.pem (it took this)
  • csr_last.csr
  • fullchain.pem
  • private.pem (it took this)
  • public.pem

Your question made me have a deeper look at the “fullchain.pem” file (because it sounds like intermediate chain of trust maybe…) but it contains 2 “-----BEGIN CERTIFICATE----- *********** -----END CERTIFICATE-----” tags … So it seemed to me more intelligent to use the cabundle.pem content… (which I did)

That sounds like it should have worked, but your site isn’t actually sending the intermediate certificate. Might be worth asking your host.

So you mean the intermediate certificate should be dealt with just by copy-pasting the content of cabundle.pem … ? :confused:
I thought maybe it could have been some other file to add in my server file management system … :confused:

Would you say it’s worth trying to put one of the 2 tags —BEGIN Cert— ---END cert---- from the “fullchain.pem” file instead of the content from “cabundle.pem” ?

Hi @FCrescent

use the fullchain.pem and don't forget to restart your server.

Hello @JuergenAuer , I am not very knowledgeable about the details of Certificates.

My hosting provider gives me 3 empty spaces to fill up :

  • SPACE 1 (“Certificat (CRT)*”)
  • SPACE 2 (“Clé privée : (KEY)*”)
  • SPACE 3 (“CABUNDLE”)

=====
Should I do :
space 1 >> content of certificate.pem
space 2 >> content of private.pem
space 3 >> content of fullchain.pem
OR
space 1 >> first tag --BEGIN-- --END-- of fullchain.pem
space 2 >> content of private.pem
space 3 >> second tag of fullchain.pem

?
Sorry it must be so obvious for you guys, I feel dumb …
(the whole “-----BEGIN CERTIFICATE----- // -----END CERTIFICATE-----” tags is very confusing to me for the moment :confused: )

If you have such a setup with three options, try that:

Fullchain.pem contains yours and the intermediate certificate -> split that file.

And try it - only your hoster knows what he wants, we can only speculate.

2 Likes
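What "split that file" amounts to, as an added example that is not part of the original thread: the first `CERTIFICATE` block in fullchain.pem is the site's certificate and every later block belongs in the CA bundle field. The names `split_fullchain` and `constructed_cert` are hypothetical, the sample blocks are constructed filler rather than real certificates, and the code only checks PEM/DER shape, not signatures or chain order.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def split_fullchain(pem_text):
    """Return (leaf_pem, cabundle_pem) from the text of a fullchain.pem.

    First CERTIFICATE block = the site's certificate, the rest = intermediates.
    Raises ValueError on input that must not go into a certificate field.
    """
    certs = []
    for label, body in PEM_BLOCK.findall(pem_text):
        if "PRIVATE KEY" in label:
            raise ValueError("private key found in certificate input")
        if label != "CERTIFICATE":
            continue  # e.g. a CSR such as csr_last.csr; not part of the chain
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der.startswith(b"\x30"):  # X.509 DER is an ASN.1 SEQUENCE
            raise ValueError("block is not DER-encoded")
        # Re-wrap at 64 columns with LF endings so CRLF or stray spaces
        # picked up by copy-paste do not reach the control panel form.
        b64 = base64.b64encode(der).decode()
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
        certs.append("\n".join(
            ["-----BEGIN CERTIFICATE-----", *lines,
             "-----END CERTIFICATE-----"]) + "\n")
    if not certs:
        raise ValueError("no certificate found")
    if len(certs) < 2:
        raise ValueError("only one certificate: intermediate is missing")
    return certs[0], "".join(certs[1:])

def constructed_cert(tag):
    # Constructed sample: DER-shaped filler, not a real certificate.
    der = b"\x30\x82\x01\x00" + tag * 64
    return ("-----BEGIN CERTIFICATE-----\r\n"
            + base64.b64encode(der).decode()
            + "\r\n-----END CERTIFICATE-----\r\n")

if __name__ == "__main__":
    sample = constructed_cert(b"leaf") + constructed_cert(b"intermediate")
    leaf, bundle = split_fullchain(sample)
    print(leaf, bundle, sep="")
```

The "only one certificate" error corresponds to the situation diagnosed earlier in the thread, where the site was not sending the intermediate.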

Okay thank you very much ! I will try these sound-to-be-great-speculations and double-check with my hosting provider ! :smiley:
I will give feedback as soon as possible!

I concur fully with @JuergenAuer’s conclusion and know it to be accurate. Now whether your setup will actually serve the ca bundle has yet to be seen.

When I use cPanel SSL/TLS management with GoDaddy shared hosting, I only paste my certificate (first certificate in fullchain.pem) into the certificate box. cPanel fills in the ca bundle automatically. It also fills in the private key automatically since I previously generated the private key and certificate signing request in cPanel.

1 Like

PROBLEM SOLVED

I wanted to update you on my situation !

I identified where the problem came from thanks to the comment of @griffin who completed the answer of @JuergenAuer .

Hostinger provided 3 spaces to fill up (certificate, private key and cabundle).
BUT instead of putting in each space the content of each file FreeSSL.tech generated, I had to do :

  • space “certificate” >> content of "fullchain.pem"
  • space “key” >> content of “private.pem” (normal !)
  • space “cabundle” >> NOTHING !!! (very counter-intuitive !!)

Apparently by putting the content of fullchain.pem in “certificate” area, Hostinger calculated automatically the intermediate chain of trust !

Anyway thank you all for your quick answers ! :smiley: :smiley:
This Hostinger way of doing things (not indicating clearly where to put “fullchain.pem”) was very annoying ! :scream:
Have a nice day community !

1 Like

Then they should change their explanation.

Thanks for reporting back. :+1:

So we know it's a bad interface.

2 Likes

Exactly they should ! I’m going to add the indication in the “comment part” in SSL article on Hostinger site to help upcoming lost people !

2 Likes

Thank you so much for the update. Glad to know that the issue is fixed. Thanks, everybody for helping him fix.

Another possible solution:

  • space 1 “certificate” >> content of “certificate.pem”
  • space 2 “key” >> content of “private.pem”
  • space 3 “cabundle” >> content of “cabundle.pem”
