err_cert_authority_invalid

bgengs · April 19, 2016, 7:50pm

I successfully installed Let’s Encrypt at Envesti.com and RichardGengel.com. But when installing at BeLikeBrit.org, Google Chrome and many other browsers do not trust it. Really not to sure what to do, have been researching for hours. Will add more information below:

server {
listen 443 ssl;
root /var/www/belikebrit.org/public_html;
index index.html index.htm index.php;
server_name belikebrit.org www.belikebrit.org;
ssl_certificate /etc/letsencrypt/live/belikebrit.org/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/belikebrit.org/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_ciphers ‘EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH’;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security max-age=15768000;

    location / {
        try_files $uri $uri/ /index.html;
        rewrite ^/([A-Za-z0-9-]+)/$ index.php?page=$1 last;
        rewrite ^/([A-Za-z0-9-]+)/([A-Za-z0-9-]+)/$ index.php?page=$1&title=$2 last;
        rewrite ^/([A-Za-z0-9-]+)/([A-Za-z0-9-]+)/([A-Za-z0-9-]+)/$ index.php?page=$1&title=$2&hash=$3 last;
    }

    location ~ /.well-known {
            allow all;
    }

    error_page 404 /404.html;

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
          root /usr/share/nginx/html;
    }

       # pass the PHP scripts to FastCGI server listening on the php-fpm socket
    location ~ \.php$ {
            fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            fastcgi_read_timeout 360;
            fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
            include fastcgi_params;

    }

    location ~ /\.ht {
       deny all;
    }

    location /core {
            auth_basic "Admin Login";
            auth_basic_user_file /etc/nginx/pma_pass;
    }


    location /timoun {
            proxy_pass http://localhost:1337;
    }

}

server {
listen 80;
listen [::]:80;
server_name belikebrit.org;
rewrite ^/(.*) https://belikebrit.org./$1 permanent;
}

Osiris · April 19, 2016, 8:27pm

Well, your server servs the following certs:

Certificate chain
 0 s:/CN=fake/O=My Company Name LTD./C=US
   i:/CN=fake/O=My Company Name LTD./C=US

That’s not Let’s Encrypt obviously…

Did you reload/restart ngingx et cetera?

pfg · April 19, 2016, 8:34pm

Are you sure that your web server is terminating the TLS connection? There’s an odd via: 1.1 stark, 1.1 stark header being sent by your server. Is there some kind of reverse proxy, CDN, load balancer or something like that in front of your web server?

bgengs · April 20, 2016, 12:03am

Certificate chain
0 s:/CN=www.belikebrit.org
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

I ran the same command

bgengs · April 20, 2016, 12:13am

I pointed the domain back to godaddy for the day/night… I’m going to rebuild from Scratch tomorrow if I can’t find the answers tonight…

Osiris · April 20, 2016, 4:33am

belikebrit.org points to 184.168.131.233… Is that correct?

bgengs · April 20, 2016, 4:08pm

Yes, 184.168.131.233

bgengs · April 20, 2016, 4:11pm

The website jumps back and forth from the SSL and Privacy Error message…

bgengs · April 20, 2016, 4:22pm

2016/04/20 12:22:07 [warn] 13311#0: “ssl_stapling” ignored, host not found in OCSP responder “ocsp.int-x3.letsencrypt.org/”