Getting ERR_CERT_AUTHORITY_INVALID when making call to my server

DannyBoris · August 15, 2023, 12:40pm

My domain is: api.gamifyd-generator.link

I ran this command: sudo certbot --nginx

It produced this output: added certificates to my nginx config file (site-availble)

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): (Ubuntu)

My hosting provider, if applicable, is: AWS EC2 machine

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):certbot 2.6.0

The cert is valid according to all checkers ive tried online.
I've refreshed browser and clear cookies and cache.
I've restarted nginx service on the machine.
I've tried to send a call from a different browser and even from a different machine.
Seems like everything was added currectly when running certbot --nginx and choosing the domain.

Please let me know if im missing something or if u need more info.

9peppe · August 15, 2023, 1:39pm

There are no A or AAAA records associated with your domain.

Osiris · August 15, 2023, 1:49pm

There was a few moments ago, resolving to 16.16.163.144. And the certificate was just fine.

DannyBoris · August 15, 2023, 2:18pm

Ive moved it to api1. instead of api to make it worked indeed but the api. one doesnt work.
very weird.

9peppe · August 15, 2023, 2:20pm

Of course it doesn't. There is no record telling me the IP for api.

api1 works fine:

❯ echo '' | openssl s_client -connect api1.gamifyd-generator.link:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = api1.gamifyd-generator.link
verify return:1
---
Certificate chain
 0 s:CN = api1.gamifyd-generator.link
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 15 12:09:22 2023 GMT; NotAfter: Nov 13 12:09:21 2023 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEOjCCAyKgAwIBAgISBLivfLndosGGSVe5CMOgb9V3MA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMzA4MTUxMjA5MjJaFw0yMzExMTMxMjA5MjFaMCYxJDAiBgNVBAMT
G2FwaTEuZ2FtaWZ5ZC1nZW5lcmF0b3IubGluazBZMBMGByqGSM49AgEGCCqGSM49
AwEHA0IABHFUB6/CYbhNZ7CHRttTP201OvIogpi7PrGWGk/TGKtngLNFBogHndMr
qW9CBKPMNDJya5dBD0Pk7cskYvGH3j+jggIfMIICGzAOBgNVHQ8BAf8EBAMCB4Aw
HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD
VR0OBBYEFL3e85+wiUcjyaxoKD2IZzhBXpwtMB8GA1UdIwQYMBaAFBQusxe3WFbL
rlAJQOYfr52LFMLGMFUGCCsGAQUFBwEBBEkwRzAhBggrBgEFBQcwAYYVaHR0cDov
L3IzLm8ubGVuY3Iub3JnMCIGCCsGAQUFBzAChhZodHRwOi8vcjMuaS5sZW5jci5v
cmcvMCYGA1UdEQQfMB2CG2FwaTEuZ2FtaWZ5ZC1nZW5lcmF0b3IubGluazATBgNV
HSAEDDAKMAgGBmeBDAECATCCAQYGCisGAQQB1nkCBAIEgfcEgfQA8gB3ALc++yTf
nE26dfI5xbpY9Gxd/ELPep81xJ4dCYEl7bSZAAABiflQsdAAAAQDAEgwRgIhANSS
LBxKaDe84JTVs4UQrsKYGYYTCelboPXBarb+/f16AiEAxEMyjkDsWlgVu/GgJMwT
l93Jcg5UXoZU2HwNzoBKN6AAdwDoPtDaPvUGNTLnVyi8iWvJA9PL0RFr7Otp4Xd9
bQa9bgAAAYn5ULHYAAAEAwBIMEYCIQDeSgV3YUPbfESBM5Npo7PWTe0Lz92z/ltv
UKvZdo/5xAIhAJ3kp1Sy+xv8UgZiA6DBKdaKL3Gt+YJCi3CSad7IW2p1MA0GCSqG
SIb3DQEBCwUAA4IBAQBhEIH+2HNT28BkcTBtT6t+He0HTCAcRcggpGVL3N7651M3
qvT2jRVEYcVdePUz5+LYA62CPUBqqY95XOMx4GtPegUI8ZUvkaVXNqvtEVKkX97F
Z7zM9p5/NdWLzgxYX2m1+xYKRfjQAsnx+1U8CQg6tOYoKnh30+xyHzJwceHngfBy
BA7YyoISSohG6rMr4Q6oBE6q40mHTVYJZALO8t/5QdVuGRxjoxRkQ4GoXxkX+7u1
eruXY9cU2sijZ0K8dIBVnN3QQn4j3KrcRW1dmKzILP+7lPnm4gEiFqBbs7B5CFOY
MDXRYPQGmZ3vMV+HdVbp6QAAPVVtw2DK1jZyHjNQ
-----END CERTIFICATE-----
subject=CN = api1.gamifyd-generator.link
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4156 bytes and written 409 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
This TLS version forbids renegotiation.
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
DONE

~
❯

rg305 · August 15, 2023, 2:48pm

For "api" or "api1"?
"api" shows nothing directly form the authoritative DNS servers.

Osiris · August 15, 2023, 2:51pm

api. See above, OP changed the hostname apparently.

Maybe some caching going on in your browser?

system · September 14, 2023, 2:51pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.