Certificated is not trusted

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://api.aierteam.com

I ran this command: I installed the certificated and config it nginx

It produced this output: certificate not trusted

My web server is (include version): nginx version: nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 2204

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.8.0


Hostname: done Matches Common Name or/and SAN
Expired: done No (89 days till expiration)
Public Key: done We were unable to find any issues in the public key of end-entity certificate
Trusted: close We were unable to verify this certificate
Self-Signed: done No, the end-entity certificate is not self-signed
Chain Issues: done No, we were unable to detect any issues in the certificate chain sent by the server
Weak signatures: done No, certificates sent by the server were not signed utilizing a weak hash function
OCSP Status: done OCSP Responder returned "good" status for the end-entity certificate

Could be a similar problem to this?

You can see in the certificate details that the issuing authority is the Let's Encrypt Staging CA. You need to use the production CA to obtain a valid certificate.


For the visually inclined:


Thank you for pointing that out. Maybe a following question is, is let's encrypt providing staging CA by default? And if it is possible, how can I obtain a free production ca from encrypt. I just followed the instruction and got the fullchain and privatekey from lets encrypt.

--resolved. It was due to an unremoved pem generated with --test-cerbot