Cisco ISE will not trust Certificate trust chain is incomplete

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: guestportal.100percentuptime.com

When I upload the full chain to my trusted certs, they show as untrusted because the trust chain is incomplete

My web server is (include version): Cisco ISE 3.2

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not using certbot

Hi @PresidioCapedCoder, and welcome to the LE community forum :slight_smile:

I don't see a cert that covers that name at the IP for that name.
Have a look at:
SSL Server Test: guestportal.100percentuptime.com (Powered by Qualys SSL Labs)

Furthermore, I don't find any cert having ever been issued for that name:
https://crt.sh/?identity=100percentuptime.com&deduplicate=Y&dir=^&sort=4&group=none
[but maybe that's just crt.sh acting up]

1 Like

This is what I see for the certificate presently being served; it looks like a GoDaddy certificate, not a Let's Encrypt certificate.
https://decoder.link/sslchecker/guestportal.100percentuptime.com/443
https://www.ssllabs.com/ssltest/analyze.html?d=guestportal.100percentuptime.com

$ openssl s_client -showcerts -servername guestportal.100percentuptime.com -connect guestportal.100percentuptime.com:443 < /dev/null
CONNECTED(00000003)
depth=2 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
verify return:1
depth=1 C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
verify return:1
depth=0 CN = mnvpn.presidiolab.com
verify return:1
---
Certificate chain
 0 s:CN = mnvpn.presidiolab.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 30 16:38:39 2023 GMT; NotAfter: Jun 30 16:38:39 2024 GMT
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May  3 07:00:00 2011 GMT; NotAfter: May  3 07:00:00 2031 GMT
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  1 00:00:00 2009 GMT; NotAfter: Dec 31 23:59:59 2037 GMT
---
Server certificate
subject=CN = mnvpn.presidiolab.com
issuer=C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4403 bytes and written 427 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 8F6783686B7853DF119A2EBE34486FCE8E7C74C3A39C10562A4F6BD1D3F1873F
    Session-ID-ctx:
    Master-Key: FF6E1F73C54BAF3556623805939DEF8F90F62D69D0B2705A834EAAF3983BA1026BE501A7868968E32C7D0B4820A675AF
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1700280664
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
DONE
2 Likes
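
Added example, not part of any post in this thread: a Python check that reads the `s:`/`i:` lines of `openssl s_client -showcerts` output like the listing above and reports whether every issuer is present in the bundle and whether the chain ends in a self-signed root. The second sample is constructed with hypothetical names, and treating a bundle that lacks its root as "incomplete" is an assumption about what a trust store may report, not something the thread confirms.

```python
import re

# s:/i: lines copied from the openssl s_client -showcerts output in the post above.
PAGE_CHAIN = '''
 0 s:CN = mnvpn.presidiolab.com
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
 1 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", OU = http://certs.godaddy.com/repository/, CN = Go Daddy Secure Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
 2 s:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
   i:C = US, ST = Arizona, L = Scottsdale, O = "GoDaddy.com, Inc.", CN = Go Daddy Root Certificate Authority - G2
'''

# Constructed sample (hypothetical names): leaf plus intermediate, root not included.
NO_ROOT_CHAIN = '''
 0 s:CN = portal.example.test
   i:CN = Example Intermediate CA
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
'''

ENTRY = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.MULTILINE)

def parse_chain(text):
    """Return [(depth, subject, issuer), ...] from a 'Certificate chain' listing."""
    return [(int(d), s.strip(), i.strip()) for d, s, i in ENTRY.findall(text)]

def chain_report(text):
    """Compare issuer and subject names only; signatures are not verified here."""
    chain = parse_chain(text)
    subjects = {s for _, s, _ in chain}
    # Each certificate should be issued by the next one in the list.
    broken = [d for (d, _, i), (_, s, _) in zip(chain, chain[1:]) if i != s]
    # Issuers that no certificate in the bundle provides.
    missing = sorted({i for _, _, i in chain if i not in subjects})
    self_signed_root = bool(chain) and chain[-1][1] == chain[-1][2]
    return {
        "length": len(chain),
        "broken_links": broken,
        "missing_issuers": missing,
        "ends_in_self_signed_root": self_signed_root,
        "complete": bool(chain) and not broken and not missing and self_signed_root,
    }

if __name__ == "__main__":
    for name, text in (("page", PAGE_CHAIN), ("constructed", NO_ROOT_CHAIN)):
        print(name, chain_report(text))
```
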

This cert is on a private lab and not public. The A record was created through test automation and is just the public IP of the lab I use and not related to this cert. My issue is with the full chain showing as incomplete once I import it as a trusted cert.

The cert you are seeing is the public cert for the lab I use and not the LE cert. My cert is not public; it is on a private Cisco ISE server. I am looking to see if anyone else has had issues importing the LE full chain into the ISE server trusted certs and it showing as incomplete.

All globally trusted certs are logged.
If you don't want the name known [to the public] then you should use a wildcard cert.

2 Likes
