Invalid cert for my nginx server


#1

I am getting some errors when I try to contact my server. Here is what I see when I use wget:

$ wget https://ganchrow.com
--2017-03-23 22:40:21--  https://ganchrow.com/
Resolving ganchrow.com... 190.171.27.34
Connecting to ganchrow.com|190.171.27.34|:443... connected.
ERROR: cannot verify ganchrow.com's certificate, issued by ‘CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US’:
  Unable to locally verify the issuer's authority.
To connect to ganchrow.com insecurely, use `--no-check-certificate'.

The server is currently running Ubuntu 16.04.2 nginx/1.10.0.

My understanding is that my certs are not set up correctly, but I have the following questions:

  1. What is the correct cert that I should be using? Can I get it from here?
  2. How do I replace the new cert with my old one? Or do I merge?
  3. Or is the problem something else entirely?

Thanks.


#2

Could you fill out the other information requested?

Most importantly, what Let’s Encrypt client are you using?

Please fill out the fields below so we can help you better.

I ran this command:

It produced this output:

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

https://www.ssllabs.com/ssltest/analyze.html?d=ganchrow.com&hideResults=on

You need to change the Nginx “ssl_certificate” directive to a file including both your end certificate and the Let’s Encrypt intermediate.

If you’re using Certbot, that means changing “ssl_certificate /etc/letsencrypt/live/example.com/cert.pem;” to “ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;”.

If you’re using a different client, there’s probably an equivalent file with a different name.

It’s not related to this issue, but some aspects of the TLS configuration aren’t very secure. Mozilla has a good secure TLS configuration guide:

https://wiki.mozilla.org/Security/Server_Side_TLS


#3

Thanks for your reply. That was exactly the problem.

I changed to using the fullchain and I no longer get the error.
