My web server is (include version): Apache-compatible but not Apache (not well known server)
The operating system my web server runs on is (include version): Ubuntu 10.10
I can login to a root shell on my machine (yes or no, or I don’t know): yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel): yes, but it’s part of this unusual server, so not well known.
I used ZeroSSL to create a cert 80 days ago and I need to renew over the next 10 days. I just tried once and was able to do HTTP verification and got the cert, but I apparently installed it incorrectly, so I tried again.
I tried two more times and got new .well-known/acme-challenge files, which I installed and verified access to before going on to the challenge. But when I went on to the challenge I got this message, twice now:
“remote error: tls: handshake failure”
Did I mess something up by incorrectly installing the new cert, so that now it can’t handshake to verify the new cert, or something like that?
The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
How important is that? In my attempt above when I tried splitting the cert so I put the first block into one setting and the second block in the “chain certificate” field on my server I ended up with an invalid cert and everything broke and I had to start over again.
Then you should use your own client, not ZeroSSL. Check if you can use certbot-auto, perhaps with the certonly option. Then you can update the certificate automatically and install it manually.
PS: Running DigiCert's tool: yep, the incomplete chain is the problem.
Your site:
SSL Certificate is not trusted
The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
Checking with www.server-daten.de, it shows the chain and the intermediate certificate.
Even though I have shell access, the web server itself is very non-standard. Plus the Linux distro is quite old (10.10). I’m working on upgrading that to 16.04 right now, but until that is done certbot-auto won’t work. I tried that in the past.
As far as where the certs are, in my non-standard web server I have a control panel for this. There are three boxes: one for the cert, one for the domain key, and one for the chain cert.
In my first attempt (this discussion opener) I tried splitting the cert (there appeared to be 2) and putting the first one in the cert box and the second one in the chain cert box. But that turned out to be an invalid cert, and it became a big mess and I had to start from scratch.
I don’t have a cert.pem file. With ZeroSSL I just have the cert that I copied out of the last screen. Maybe if I had downloaded it, it would have been a cert.pem file. I’m not sure.
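The split described in the two posts above (first PEM block into the "cert" box, the remaining block(s) into the "chain cert" box) can be rehearsed and checked offline before anything is pasted into the control panel. The script below is an added example, not from this thread, ZeroSSL or the poster's server; it builds a throwaway root/intermediate/leaf PKI with openssl so it runs without network access (the names Example Root, Example Intermediate and www.example.com are made up), concatenates leaf and intermediate leaf-first as a ZeroSSL/Let's Encrypt style bundle does, splits that bundle the same way the poster did, and then verifies the leaf both with and without the intermediate. The verify-without-chain step reproduces the "not signed by a trusted authority" result the checkers reported.

```shell
#!/bin/sh
# Added example (not from the thread): split a leaf-first PEM bundle into the
# "cert" and "chain cert" boxes and verify the result with openssl.
set -eu

# Constructed test PKI so the script runs offline. Hypothetical names.
make_test_pki() {
    d=$1
    # Self-signed root with explicit CA extensions.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl x509 -req -sha256 -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    # Intermediate signed by the root.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 30 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    # Server (leaf) certificate signed by the intermediate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
    openssl x509 -req -sha256 -days 30 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
    # Leaf first, then intermediate: the order an ACME-style bundle uses.
    cat "$d/leaf.pem" "$d/int.pem" > "$d/fullchain.pem"
}

# First PEM block -> cert.pem ("cert" box); every later block -> chain.pem
# ("chain cert" box). The private key is a separate file and never goes here.
split_fullchain() {
    d=$1
    awk -v cert="$d/cert.pem" -v chain="$d/chain.pem" '
        /-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > cert; next }
        n >= 2 { print > chain }
    ' "$d/fullchain.pem"
}

# Number of certificates in a PEM file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Leaf verified with the intermediate supplied: exit 0 means a client that
# receives the chain can build a path to the root.
verify_with_chain() {
    d=$1
    openssl verify -CAfile "$d/root.pem" -untrusted "$d/chain.pem" "$d/cert.pem" >/dev/null 2>&1
}

# Same leaf without the intermediate: this is the "not signed by a trusted
# authority" situation from the checkers and must fail.
verify_without_chain() {
    d=$1
    openssl verify -CAfile "$d/root.pem" "$d/cert.pem" >/dev/null 2>&1
}

# Signature hash of the leaf, e.g. sha256WithRSAEncryption (the SHA1 question).
leaf_sigalg() {
    openssl x509 -in "$1/cert.pem" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

WORK=$(mktemp -d)
make_test_pki "$WORK"
split_fullchain "$WORK"
echo "cert.pem holds $(count_certs "$WORK/cert.pem") certificate, chain.pem holds $(count_certs "$WORK/chain.pem")"
openssl x509 -in "$WORK/cert.pem" -noout -subject -issuer
echo "leaf signed with: $(leaf_sigalg "$WORK")"
if verify_with_chain "$WORK"; then echo "with chain: OK"; fi
if ! verify_without_chain "$WORK"; then echo "without chain: FAILS (unable to get local issuer certificate)"; fi
```

For a real bundle, put the downloaded or pasted text in fullchain.pem and run only split_fullchain and the two verify functions, with -CAfile pointing at the issuer's root (or your system CA bundle). After the panel has been updated, the same check against the live server is `openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts </dev/null`, which is left out of the block because it needs network access: the output should list two certificates, the leaf first and the intermediate second, and end with "Verify return code: 0 (ok)".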
It's not only a problem with online tests. Some Apple devices don't connect if the intermediate certificate is missing.
PS: There is one problem.
Old connection: SHA1 as Hash Algorithm is deprecated. Switch to SHA256 or SHA384. If your certificate has SHA256, check if there is an old Firewall or something else, that supports only SHA1. Update that component.
Your certificate has a SHA256 hash. But there is an old component in between that doesn't understand SHA256.