Generated certificate is not trusted

Hi, I have generated a new certificate for the domain app.werecruit.io and this certificate is not trusted by the services that need to connect to our app. I see on this tool that the certificate is correctly installed https://www.sslshopper.com/ssl-checker.html#hostname=app.werecruit.io, but it can fail to be trusted on some browsers. And for example, the Mandrill inbound email webhook call returns this error: Error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

I have a Windows App Service on Azure.

When you configure your webserver with an SSL certificate, you need to use the full certificate chain (sometimes called fullchain.pem, or created by concatenating your certificate with cabundle.pem).

Right now, your web server is only configured with your certificate, but the chain/bundle is missing. This will result in some clients receiving certificate trust errors.

How did you get your certificate originally? All the files you need would have been given to you then.

I use the C# ACMESharpCore library, but cannot find a way to get this file via the ACME protocol.

I'm not sure about the ACMESharpCore API, but in ACME, a completed order's certificate URL is the full certificate chain in PEM format.

e.g. if you open up https://acme-v02.api.letsencrypt.org/acme/order/101076465/6521955365, then find the certificate field and download that, you'll see it's a PEM certificate chain with 2 certificates.

3 Likes
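
The answers above say the order's certificate URL returns the whole PEM chain and that the server must be configured with it. As an added example (not code from the thread or from ACMESharpCore), this C# sketch packages such a download into a PFX that carries the intermediate alongside the leaf. It assumes .NET 6 or later and an RSA certificate key; `ChainPfx`, `Build`, the password and the in-memory test chain are constructed for illustration, and fetching the URL is not shown.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ChainPfx // hypothetical helper, not part of ACMESharpCore
{
    // chainPem: the body downloaded from the order's certificate URL (leaf first).
    public static byte[] Build(string chainPem, RSA leafKey, string password)
    {
        var certs = new X509Certificate2Collection();
        certs.ImportFromPem(chainPem);
        if (certs.Count < 2)
            throw new InvalidOperationException("No intermediate in the download; clients will fail to build a chain.");

        var pfx = new X509Certificate2Collection();
        pfx.Add(certs[0].CopyWithPrivateKey(leafKey));           // leaf plus its private key
        for (int i = 1; i < certs.Count; i++) pfx.Add(certs[i]); // intermediates, public part only
        return pfx.Export(X509ContentType.Pfx, password)!;
    }

    static string Pem(X509Certificate2 c) =>
        new string(PemEncoding.Write("CERTIFICATE", c.RawData)) + "\n";

    static void Main()
    {
        // Constructed two-certificate chain standing in for the ACME download.
        var now = DateTimeOffset.UtcNow;
        using var caKey = RSA.Create(2048);
        var caReq = new CertificateRequest("CN=Constructed Intermediate", caKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        caReq.CertificateExtensions.Add(new X509BasicConstraintsExtension(true, false, 0, true));
        using var ca = caReq.CreateSelfSigned(now.AddDays(-1), now.AddDays(30));

        using var leafKey = RSA.Create(2048);
        var leafReq = new CertificateRequest("CN=app.example.test", leafKey,
            HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        using var leaf = leafReq.Create(ca, now, now.AddDays(7), new byte[] { 1, 2, 3, 4 });

        byte[] pfxBytes = Build(Pem(leaf) + Pem(ca), leafKey, "constructed-password");
        Console.WriteLine($"PFX with leaf and intermediate: {pfxBytes.Length} bytes");

        // A leaf-only PEM (the misconfiguration described in the thread) is rejected.
        try { Build(Pem(leaf), leafKey, "constructed-password"); }
        catch (InvalidOperationException e) { Console.WriteLine(e.Message); }
    }
}
```

The count check in `Build` is the point: a PFX made from the leaf alone installs without complaint, and the failure only shows up later in clients that do not already hold the intermediate.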
