Half the Domain certificates trusted

I ran the command to get the certificate for the sub-domain “www” and the bare domain in the same command (see below). All went well, with --dry-run and regular command.

Note: When I ran the command www. and non-www where both accessible, (no redirects between the two).
PROBLEM: https://www.bluedgeusa.com is seem as a valid SSL certificate by browsers while “https://bluedgeusa.com” is seen as untrusted certificate.

My domain is: bluedgeusa.com

I ran this command: certbot certonly --webroot -w ./public -d bluedgeusa.com -d www.bluedgeusa.com

It produced this output:
Congratulations! Your certificate and chain have been saved at:
Your key file has been saved at:

My web server is (include version): NodeJs 8.3.0 (I use greenlock-express to server https)

The operating system my web server runs on is (include version): Ubuntu 16.04

My hosting provider, if applicable, is: DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Dry-run executes against the staging server and provides an untrusted test certificate. You should not use this in production, staging is to use while troubleshooting issues so you don’t hit rate limits. Once you are able to issue staging certificates, you should drop the dry-run flag and get a real one issued.

Thanks jared. I used -dry-run only at first for the sack of the test, all was well, and then used the command without the --dry-run flag.
Note: I edited my post to reflect the situation better.

neither site is accessible from the Internet:

@rg305 I had to go back to serving http only pages. I don’t want to have clients seeing a faulty certificate alert. The SSL test online only showed 1 ssl issue for bluedgeusa.com : untrusted certificate.

As long as you don’t force SSL, no one should be forced to see any https pages.
So, you could allow http and https and maybe we can help you resolve the https problem.

@rg305 True enough :slight_smile: I have activated https you can now use all http and https version
see :

Hi @bluedge,

At 25th August you issued 7 certificates, 5 of them valid for www.bluedgeusa.com and bluedgeusa.com, 1 of them only valid for bluedgeusa.com and other one only valid for www.bluedgeusa.com and this one is the current certificate used by your web server.

So, you need to take a look to all the certs you have issued:

certbot certificates

And check what is the right path to the one that covers both domains, once you know where it is, you should change your web server config to point to this cert for both domains.

Edit: I forgot to say that the certificate that is being server for bluedgeusa.com is one that you issued using staging server instead of production and that is the reason you receive an error in your browser.


Thx @sahsanu I tried multiple times as from first try i got this issue.
I see only one certificate on my server now: (I did a backup of other certificates before cleaning them from the actual folder)
How do I know which one is the proper one to use from the back up? And how do I make the server use this one instead?
is there a config file?

I ran certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

Found the following certs:
  Certificate Name: bluedgeusa.com
    Domains: bluedgeusa.com,www.bluedgeusa.com
    Expiry Date: 2017-11-23 17:59:00+00:00 (VALID: 88 days)
    Certificate Path: /etc/letsencrypt/live/bluedgeusa.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/bluedgeusa.com/privkey.pem

You can confirm that this is a certificate from the real Let’s Encrypt Intermediate certificate authority (currently the Let’s Encrypt Authority X3) and that it contains both desired Subject Alternative Names by running:

openssl x509 -in /etc/letsencrypt/live/bluedgeusa.com/cert.pem -noout -text

Then make sure your node server uses the paths specified by certbot:

(Note that we used cert.pem earlier because we don’t care about the intermediate certificate when printing to the screen, but you need to use fullchain.pem with most web server software because it indeed needs the intermediate certificate.)

It’s a real cert. If it was a staging cert, it would say something like “INVALID: TEST_CERT” instead of “VALID: 88 DAYS”.

1 Like

Thx @Patches
I use I use greenlock-express to server https, as I always do. So i “guess” it serves the proper certificates.

This is what I get from your command, anything wrong?
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Not Before: Aug 25 17:59:00 2017 GMT
Not After : Nov 23 17:59:00 2017 GMT
Subject: CN=bluedgeusa.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
X509v3 Subject Key Identifier:
X509v3 Authority Key Identifier:

            Authority Information Access: 
                OCSP - URI:http://ocsp.int-x3.letsencrypt.org
                CA Issuers - URI:http://cert.int-x3.letsencrypt.org/

            X509v3 Subject Alternative Name: 
                DNS:bluedgeusa.com, DNS:www.bluedgeusa.com
            X509v3 Certificate Policies: 
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

    Signature Algorithm: sha256WithRSAEncryption

greenlock-express gets its own certificates. You probably don’t need certbot at all.

greenlock-express uses the staging server by default. Per the README you linked to:

You must set server to https://acme-v01.api.letsencrypt.org/directory after you have tested that your setup works.

To get greenlock-express to issue for the www form of your site (or vice-versa), add it to approveDomains.

@Patches I’m confused. I’m not in the impression greenlock issues the certificates. Anyhow, I specified the domain names in the approveDomains. The problem still remain.
function approveDomains(opts, certs, cb) {
if (certs) {
opts.domains = [‘bluedgeusa.com’, ‘www.bluedgeusa.com’]
} else {
opts.email = ‘myemail@gmail.com’;
opts.agreeTos = true;
cb(null, { options: opts, certs: certs });

If I go to ~letsencrypt (from greenlock docs) I see the two certificates anyway.
cd ~/letsencrypt/etc/live# ls bluedgeusa.com sni-test.ssllabs.com www.bluedgeusa.com

If those options don’t make greenlock-express do the right thing after restarting your server, you should file an issue with them to get help from people more experienced with it:


Or, since you have a valid certificate from certbot, you could instead just use it instead of greenlock-express:

1 Like

@Patches Thank you for your great help. Greenlock seems to have a limited support, if any.
I will get ride of it and go the Certbot way and load the certificates from nodejs directly.
A cron job will do the periodic renew work…
I would like to thank you all for your help, you are an amazing community !

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.