I am having an issue with SSL Certificate on a .fun Domain

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: captainobvious.fun

I ran this command:

It produced this output:
12:23:57 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
Analyzing “captainobvious”’s domains …
12:23:57 PM Analyzing “captainobvious.fun” (website) …
12:23:57 PM ERROR TLS Status: Defective
Certificate expiry: 1/29/26, 5:23 PM UTC (365 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
12:23:57 PM Attempting to ensure the existence of necessary CAA records …

My web server is (include version): Gen4 Ded Self-Managed Linux - 6C/64 GB - SSD

The operating system my web server runs on is (include version): AlmaLinux v8.10.0 STANDARD standard

My hosting provider, if applicable, is: Godaddy

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): cPanel Version 124.0.23

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

That is an error from AutoSSL in cPanel. You will need to ask them about that.

It is complaining that an HTTPS (TLS) connection to your domain is failing because your server is using a self-signed cert. I don't know why AutoSSL cares but that is the error.

When Let's Encrypt sends an HTTP challenge to your server, it uses HTTP (not HTTPS) unless you redirect it to HTTPS. It does not look like you do that (from my own testing). Even if you did, LE allows self-signed certs. And LE does not use OpenSSL for that, so it would not get an "openssl_verify" error.

This is pretty clearly something in AutoSSL. Best I can offer.

4 Likes
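As an added example (not part of the thread and not cPanel's own code): a small parser that pulls the OpenSSL verify result out of AutoSSL log lines like those quoted above and maps the error number to its meaning. It assumes the parenthesised triple is depth:error-number:error-name; the function and table names are illustrative.

```python
import re

# Constructed sample: AutoSSL log lines as quoted in the thread above.
SAMPLE_LOG = """\
12:23:57 PM Analyzing “captainobvious.fun” (website) …
12:23:57 PM ERROR TLS Status: Defective
Certificate expiry: 1/29/26, 5:23 PM UTC (365 days from now)
ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
12:23:57 PM Attempting to ensure the existence of necessary CAA records …
"""

# Assumption: the triple in parentheses is depth:error-number:error-name.
DEFECT_RE = re.compile(r"Defect: OPENSSL_VERIFY: .*\((\d+):(\d+):([A-Z0-9_]+)\)")
DOMAIN_RE = re.compile(r"Analyzing “([^”]+)” \(website\)")

# OpenSSL X509_V_ERR_* numbers with an operator-facing meaning.
MEANING = {
    10: "certificate has expired",
    18: "leaf certificate is self-signed (no CA issued it)",
    19: "self-signed certificate inside the chain",
    20: "issuer certificate not found locally",
    21: "chain incomplete: leaf could not be verified",
}

def parse_autossl_defects(log):
    """Return one record per OPENSSL_VERIFY defect, tagged with its domain."""
    findings, domain = [], None
    for line in log.splitlines():
        m = DOMAIN_RE.search(line)
        if m:
            domain = m.group(1)  # remember which site the next lines refer to
            continue
        m = DEFECT_RE.search(line)
        if m:
            depth, code, name = int(m.group(1)), int(m.group(2)), m.group(3)
            findings.append({
                "domain": domain,
                "depth": depth,
                "code": code,
                "name": name,
                "meaning": MEANING.get(code, "see OpenSSL verify error list"),
                # Depth 0 is the leaf: the certificate the server presents.
                "leaf": depth == 0,
            })
    return findings

if __name__ == "__main__":
    for finding in parse_autossl_defects(SAMPLE_LOG):
        print(finding)
```

A depth-0 finding with code 18 describes the certificate currently installed on the server, which matches the self-signed certificate the repliers saw the domain presenting.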

I find it interesting that all previously issued certificates (https://crt.sh/?q=captainobvious.fun) are wildcard certificates, which implies that they were issued using the DNS-01 challenge (see Challenge Types - Let's Encrypt) and not the HTTP-01 challenge. Has something changed, @DesignAndPrintTeam?

3 Likes

That is interesting. The most recent of them expired a month ago. And their domain replies with a self-signed cert, not the expired cert.

The error message is clear that it originates in AutoSSL. Even if they were now trying an HTTP Challenge that error would not be from LE.

5 Likes

Supplementally, both name servers have the same IP address.

1 Like