Invalid cert for my nginx server

I am getting some errors when I try to contact my server. Here is what I see when I use wget:

$ wget https://ganchrow.com
--2017-03-23 22:40:21--  https://ganchrow.com/
Resolving ganchrow.com... 190.171.27.34
Connecting to ganchrow.com|190.171.27.34|:443... connected.
ERROR: cannot verify ganchrow.com's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
To connect to ganchrow.com insecurely, use `--no-check-certificate'.

The server is currently running Ubuntu 16.04.2 nginx/1.10.0.

My understanding is that my certs are not set up correctly, but I have the following questions:

  1. What is the correct cert that I should be using? Can I get it from here?
  2. How do I replace the new cert with my old one? Or do I merge?
  3. Or is the problem something else entirely?

Thanks.

Could you fill out the other information requested?

Most importantly, what Let's Encrypt client are you using?

Please fill out the fields below so we can help you better.

I ran this command:

It produced this output:

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

https://www.ssllabs.com/ssltest/analyze.html?d=ganchrow.com&hideResults=on

You need to change the Nginx "ssl_certificate" directive to a file including both your end certificate and the Let's Encrypt intermediate.

If you're using Certbot, that means changing "ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;" to "ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;".

If you're using a different client, there's probably an equivalent file with a different name.

It's not related to this issue, but some aspects of the TLS configuration aren't very secure. Mozilla has a good secure TLS configuration guide:

https://wiki.mozilla.org/Security/Server_Side_TLS

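A quick local check for the misconfiguration this answer describes, added here as an example and not code from the original thread or from Certbot: it reads the `ssl_certificate` path out of an nginx config and counts the PEM blocks in that file, so a leaf-only cert.pem (one block) is flagged while fullchain.pem (leaf plus intermediate) passes. The sample files it builds are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Count PEM certificate blocks in a file. A leaf-only cert.pem yields 1;
# a Certbot fullchain.pem (leaf + intermediate) yields 2 or more.
count_certs() {
  [ -r "$1" ] || { echo 0; return 0; }
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Path from the first ssl_certificate directive in an nginx config file.
# ssl_certificate_key lines do not match because "_key" follows the keyword.
ssl_certificate_path() {
  sed -n -E 's/^[[:space:]]*ssl_certificate[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*/\1/p' "$1" | head -n 1
}

# Exit 0 when the configured file carries a chain (>= 2 certs), 1 when it holds
# only the end-entity certificate, which is what makes wget report
# "Unable to locally verify the issuer's authority".
check_chain() {
  path=$(ssl_certificate_path "$1")
  n=$(count_certs "$path")
  if [ "$n" -ge 2 ]; then
    echo "OK: $path contains $n certificates (leaf + chain)"
    return 0
  fi
  echo "WARN: $path contains $n certificate(s); point ssl_certificate at fullchain.pem"
  return 1
}

# Constructed sample data (placeholder PEM blocks, not real certificates):
# cert.pem with the leaf only, fullchain.pem with leaf + intermediate,
# and one nginx snippet referencing each. Prints the directory it created.
make_sample() {
  d=$(mktemp -d)
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF' '-----END CERTIFICATE-----' > "$d/cert.pem"
  { cat "$d/cert.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'INTERMEDIATE' '-----END CERTIFICATE-----'
  } > "$d/fullchain.pem"
  printf 'ssl_certificate %s/cert.pem;\nssl_certificate_key %s/privkey.pem;\n' "$d" "$d" > "$d/broken.conf"
  printf 'ssl_certificate %s/fullchain.pem;\nssl_certificate_key %s/privkey.pem;\n' "$d" "$d" > "$d/fixed.conf"
  echo "$d"
}

# Usage on a real host: check_chain /etc/nginx/sites-enabled/example.conf
# (hypothetical path). To confirm what the running server actually sends, use
# openssl s_client -connect example.com:443 -servername example.com -showcerts
```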

Thanks for your reply. That was exactly the problem.

I changed to using the fullchain and I no longer get the error.

