Most browsers report invalid cert

Summary: A few weeks ago I replaced/renewed the CERT on our website, which is hosted on Google Cloud with a load balancer (but currently running 1 site behind it). Since then, my personal browsers and a couple of other co-workers can see the site no problem, however, traffic has dropped and even my mobile browsers are showing the cert is invalid. I probably missed a step somewhere, but I'm clueless as to where.

I imported the new cert into the load balancer and it still shows the next day etc. SSLLabs reports the cert is valid, but browsers do not.

FYI - I inherited this site so I don't know all the details but can get whatever is required.

My domain is: https://www.vibuk.com

I ran this command: sudo letsencrypt

It produced this output: I don't have it handy, but no errors

My web server is (include version): Google Cloud platform - Not 100% sure.

The operating system my web server runs on is (include version): centos-7-v20171018

My hosting provider, if applicable, is: Google Cloud Platform

I can login to a root shell on my machine (yes or no, or I don't know): YES

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No/Google Cloud Platform

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Certbot 1.9.0

Your server isn't sending the certificate chain.

[cloudshell-user@ip-10-1-83-141 ~]$ openssl11 s_client -connect www.vibuk.com:443
CONNECTED(00000003)
depth=0 CN = vibuk.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = vibuk.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = vibuk.com
   i:C = US, O = Let's Encrypt, CN = R3
---

In addition to your "leaf" cert, your system needs to send the "intermediate". I'm not especially familiar with whatever load balancer you're using, but generally one needs to use the "fullchain.pem" file instead of "cert.pem" so that it will include all the certificates. Hopefully that can get you at least pointed in the right direction.

The reason it will "sometimes" work is that browsers will often cache intermediates sent by the other sites, so if you've visited a properly-configured site that uses Let's Encrypt recently enough in your browser then you won't see the problem. (And Firefox does one better, and actually preloads all intermediates that it can ahead of time.) But to be sure to work all the time, you need to be sending the intermediates yourself.

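As an added example (not code from the thread), a small Python checker that parses the "Certificate chain" listing printed by openssl s_client, as shown above, and reports which issuer the server should have sent but did not. The trust-store set and the "fixed" output are constructed for this example.

```python
"""Check whether a TLS server sends a complete certificate chain.

Parses the "Certificate chain" block that `openssl s_client` prints
and reports any issuer the client would need but the server does not
send. Only a trust-anchor (root) issuer may be absent, because roots
come from the client's own store, never from the server.
"""
import re
import sys

# One chain entry as openssl prints it: " 0 s:<subject>" then "   i:<issuer>".
ENTRY_RE = re.compile(r"^\s*\d+ s:(?P<subject>.*)\n\s*i:(?P<issuer>.*)$", re.M)

# Sample trust store, constructed for this example: only the Let's Encrypt root.
TRUSTED_ROOTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}

# Output quoted in the thread: the server sends the leaf alone.
BROKEN_OUTPUT = """\
Certificate chain
 0 s:CN = vibuk.com
   i:C = US, O = Let's Encrypt, CN = R3
---
"""

# Constructed output for the same site after deploying fullchain.pem.
FIXED_OUTPUT = """\
Certificate chain
 0 s:CN = vibuk.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""


def parse_chain(s_client_output: str) -> list[tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server sent them."""
    return [(m["subject"].strip(), m["issuer"].strip())
            for m in ENTRY_RE.finditer(s_client_output)]


def chain_gaps(chain: list[tuple[str, str]], roots: set[str]) -> list[str]:
    """Issuers the server must send but did not, in chain order."""
    gaps = []
    for pos, (_subject, issuer) in enumerate(chain):
        if issuer in roots:
            break                      # chain reaches a trust anchor: done
        next_subject = chain[pos + 1][0] if pos + 1 < len(chain) else None
        if issuer != next_subject:
            gaps.append(issuer)        # e.g. R3 missing -> "unable to get local issuer"
    return gaps


if __name__ == "__main__":
    # Usage: openssl s_client -connect host:443 </dev/null 2>/dev/null | python3 chaincheck.py
    gaps = chain_gaps(parse_chain(sys.stdin.read()), TRUSTED_ROOTS)
    print("chain complete" if not gaps else "missing intermediates: " + "; ".join(gaps))
```

Because the check works on the server's own ClientHello response rather than a browser's view, it is not fooled by cached or preloaded intermediates, which is exactly why the site looked fine in some browsers and broken in others.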

Amazing! That was it. I had imported just the cert. Now with the fullchain after a restart (needed??) and a couple of minutes it is loading properly.
