Invalid and valid in same browser

#1

My domain is: my-place.co.il

I ran this command:
certbot certonly --dns-digitalocean --dns-digitalocean-credentials /etc/letsencrypt/digitalocean_api.key -d *.my-place.co.il -d my-place.co.il

It produced this output: work as expected

My web server is (include version): Chrome Version 80.0.3987.87 (Official Build) (64-bit)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

The version of my client is: certbot 0.31.0

I use DNS method because it should work with wildcard sub domain.
It work perfectly for 4 month. on Friday I saw that I get “Your connection is not private” in my browser, after 2 hours of wondering, I discover that it happened only in my browser and even in incognito mode it valid!

Screenshot_20200208_225830|690x388

Any idea?

1 Like
#2

You may want to confirm that you still have a call to a valid CA Bundle file (usually named chain.pem).

[root@Revan:~]# curl -ILv https://my-place.co.il/
*   Trying 68.183.213.115...
* TCP_NODELAY set
* Connected to my-place.co.il (68.183.213.115) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
2 Likes
#3

I used cert.pem instead of fullchain.pem
thanks for the help

1 Like
#4

Hi @ttv20

there is a check of your domain, created yesterday - https://check-your-website.server-daten.de/?q=my-place.co.il

As @ZetaRevan wrote: Your chain is incomplete.

2020-02-08.my-place.co.il
2020-02-08.my-place.co.il1137Ă—396 22.7 KB

Should look like

server-daten.de.connections
server-daten.de.connections1130Ă—398 28.1 KB

Perhaps use fullchain instead of cert.pem. fullchain.pem contains cert.pem and the intermediate certificate (found in chain.pem).

1 Like