Hello! I have a newly installed webserver (nginx) to which I can connect without trouble using iOS Safari, however in Chrome I get the ERR_CERT_AUTHORITY_INVALID error. I went online and found that it seems like my server doesn't provide an intermediate certificate (?): SSL Checker
I've configured my server to use the fullchain.pem file since previous topics about this issue seemed to come from servers using only cert.pem, but from here I can't really figure out what the problem is or where to start looking.
The domain is bought from Porkbun and verified with the dns-01 challenge since my ISP blocks port 80.
Does anyone have an idea where to start?
My domain is:
datamaskin.space
My web server is (include version):
nginx/1.24.0 on
The operating system my web server runs on is (include version):
Ubuntu 24.04
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don't know):
Yes
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 5.1.0 with certbot-dns-porkbun
So, we should focus efforts on Chrome. Have you tried stopping and restarting it? If it saw a faulty cert before it may still be in its cache.
You should be able to click somewhere on Chrome to show the actual cert it sees. Probably an icon of some kind. Would be interesting to know what those details are.
Does that Chrome see other sites properly? Like this forum?
So the "Chain is missing one or more intermediate certificates" from SSL Checker isn't really connected to the error?
The Chrome browser that I got the error on was on my work computer (Windows), so I booted up Windows on my home computer and here it worked as it should. I've tried iOS/Safari, Ubuntu/Firefox, Windows/Chrome, and Windows/Edge, both on LAN and connected through my iPhone, and I can't get the error to show - it's really only showing on my work computer. But the other sites are working as they should (?) on my work computer.
No, their testing system doesn't properly recognize some of the new intermediates that Let's Encrypt uses. It's a shame because it's otherwise a nice testing tool.
A quick test is using something like this to see the chain
echo | openssl s_client -connect (domain):(port) | head -20
Try viewing the cert on your work computer and check out who the Issuer is. The current "real" chain of your cert is datamaskin.space ▶▶ E8 ▶▶ [ISRG Root X1] so if on your work computer E8 (signed by ISRG Root X1) is not the issuer then it's likely a local security product that injects its own certificate. It would be pretty unlikely that ISRG Root X1 would not be trusted by Chrome unless it's a super old version on an old version of Windows (or macOS).
In Chrome, click the settings icon next to the URL and click the connection info to view the cert.
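The issuer check suggested above can also be scripted over `openssl s_client` output. This is an added example, not part of any post in the thread: the function names are hypothetical and both sample outputs are constructed (the inspection CA name is a placeholder).

```shell
#!/bin/sh
# Print the issuer of certificate 0 (the leaf) from `openssl s_client` output on stdin.
leaf_issuer() {
    awk '
        /^Certificate chain/        { in_chain = 1; next }
        in_chain && /^ *0 s:/       { leaf = 1; next }
        in_chain && leaf && /^ *i:/ {
            sub(/^ *i:/, "")       # drop the "i:" prefix
            gsub(/ *= */, "=")     # OpenSSL versions differ on spaces around "="
            print; exit
        }'
}

# $1 = fragment expected in the leaf issuer. Returns 0 match, 1 mismatch, 2 no chain.
issued_by() {
    issuer=$(leaf_issuer)
    case "$issuer" in
        "")     echo "no certificate chain in input"; return 2 ;;
        *"$1"*) echo "ok: leaf issued by $issuer"; return 0 ;;
        *)      echo "unexpected issuer: $issuer"; return 1 ;;
    esac
}

# Constructed sample: direct connection (leaf <- E8 <- ISRG Root X1, as in the thread).
sample_direct() { cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = datamaskin.space
   i:C = US, O = Let's Encrypt, CN = E8
 1 s:C = US, O = Let's Encrypt, CN = E8
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

# Constructed sample: same host behind an inspecting proxy (placeholder CA name).
sample_intercepted() { cat <<'EOF'
Certificate chain
 0 s:CN = datamaskin.space
   i:O = Fortinet, CN = constructed-inspection-ca
EOF
}

# Live use: echo | openssl s_client -connect (domain):(port) 2>/dev/null | issued_by "O=Let's Encrypt"
sample_direct      | issued_by "O=Let's Encrypt" || true
sample_intercepted | issued_by "O=Let's Encrypt" || true
```

Running the live form from two networks and comparing the reported issuers shows whether something between the client and the server is re-signing the connection.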
I've viewed the certificate on my work computer and it seems like all of you were right. For community.letsencrypt.org the certificate is issued by R2, but for datamaskin.space it seems to be issued by Fortinet.
We have some Fortinet software installed on our work's computers and it looks more like a scam software than something good. I can't possibly see what good would come from doing something like this, but I'm not the one running the IT infrastructure so I can't really change anything.
I guess I'll leave it at that. Thanks for all your help and the information regarding certificates.
It's the only way they can scan the insides of an HTTPS connection for malicious content. But usually the IT department would add the Fortinet root certificate into the workstations through whatever tool corporate Windows has available for that. (Wasn't/isn't that called the "Windows directory" or something?)