Net::err_cert_authority_invalid on some machines nginx

morea · May 24, 2018, 11:48am

Hi, as the name of the topic suggest I’m getting “net::err_cert_authority_invalid” on some machines, while it works perfectly fine on others. SSllabs gives me A score. Relevant part of the nginx config looks like this

 listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/dropshare.host/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/dropshare.host/privkey.pem; # managed by Certbot
ssl_trusted_certificate /etc/letsencrypt/live/dropshare.host/chain.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot


    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

the

echo | openssl s_client -connect dropshare.host:443 -servername dropshare.host 2>/dev/null | awk '/Certificate chain/,/---/'

returns

    Certificate chain
     0 s:/CN=dropshare.host
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---

Any help would be greatly appreciated

stevenzhu · May 24, 2018, 12:12pm

Hi,

I don’t really see any problem from your site except your ipv6 site throw connection refused. (Which obviously don’t have any cert presented)

P.S. that might be an issue when you apply the certificate using certbot Nginx (since if certbot visit your ipv6 site, it won’t passed)

Thank you

morea · May 24, 2018, 12:36pm

Hi stevenzhu, thank you for your answer!
Im going to fix ipv6 issue and see if that is going to help. Will certanly update results here
Thanks!

morea · May 25, 2018, 8:46am

Hi, ipv6 seems to be fixed now, but the issue still remains. Im attaching an image

Im realy running out of ideas what could be wrong here

thanks

_az · May 25, 2018, 9:00am

The certificate is only valid for dropshare.host, not www.dropshare.host.

Note that this page does not give any errors: https://dropshare.host/login , but this one does: https://www.dropshare.host/login

Basically, when you issue a certificate in Certbot, it needs to include both names. This can be achieved with:

-d dropshare.host -d www.dropshare.host

morea · May 25, 2018, 9:30am

Bullzeye, cant believe I missed that.
Thank you very much!

system · June 24, 2018, 9:31am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.