Net::err_cert_authority_invalid on some machines nginx


#1

Hi, as the name of the topic suggests, I’m getting “net::err_cert_authority_invalid” on some machines, while it works perfectly fine on others. SSL Labs gives me an A score. The relevant part of the nginx config looks like this:

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/dropshare.host/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/dropshare.host/privkey.pem; # managed by Certbot
    ssl_trusted_certificate /etc/letsencrypt/live/dropshare.host/chain.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    } # managed by Certbot

the

    echo | openssl s_client -connect dropshare.host:443 -servername dropshare.host 2>/dev/null | awk '/Certificate chain/,/---/'

returns

    Certificate chain
     0 s:/CN=dropshare.host
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---

Any help would be greatly appreciated


#2

Hi,

I don’t really see any problem with your site, except that your IPv6 site throws connection refused (which obviously doesn’t have any cert presented).

P.S. That might be an issue when you apply the certificate using certbot Nginx (since if certbot visits your IPv6 site, it won’t pass).

Thank you


#3

Hi stevenzhu, thank you for your answer!
I’m going to fix the IPv6 issue and see if that is going to help. Will certainly update results here.
Thanks!


#4

Hi, IPv6 seems to be fixed now, but the issue still remains. I’m attaching an image.

I’m really running out of ideas about what could be wrong here.

thanks


#5

The certificate is only valid for dropshare.host, not www.dropshare.host.

Note that this page does not give any errors: https://dropshare.host/login , but this one does: https://www.dropshare.host/login

Basically, when you issue a certificate in Certbot, it needs to include both names. This can be achieved with:

    -d dropshare.host -d www.dropshare.host
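
An added example, not part of the original thread: a small check for which of the hostnames a site answers on are missing from the certificate's subjectAltName list, which is the mismatch described in the post above. It goes slightly beyond the thread by also handling wildcard entries. The function names are hypothetical, and the sample text is constructed to mirror the output of `openssl x509 -noout -ext subjectAltName`.

```python
import re

# Constructed sample: the shape of `openssl x509 -noout -ext subjectAltName`
# output for a certificate that was issued with only `-d dropshare.host`.
SAMPLE_SAN_OUTPUT = """\
X509v3 Subject Alternative Name:
    DNS:dropshare.host
"""


def parse_san_dns(text):
    """Extract the DNS entries from openssl's subjectAltName text output."""
    return [name.lower() for name in re.findall(r"DNS:([^,\s]+)", text)]


def name_matches(hostname, pattern):
    """RFC 6125-style match: exact, or '*' as the whole left-most label."""
    host = hostname.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    # A wildcard stands for exactly one label, so it never covers the
    # bare domain or names nested more than one level deep.
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def uncovered_names(served_names, san_dns):
    """Return the served hostnames that no SAN entry covers."""
    return [h for h in served_names
            if not any(name_matches(h, p) for p in san_dns)]


if __name__ == "__main__":
    # Names users actually visit (assumption: taken from the thread).
    served = ["dropshare.host", "www.dropshare.host"]
    san = parse_san_dns(SAMPLE_SAN_OUTPUT)
    for host in uncovered_names(served, san):
        print(f"{host}: not covered by SAN {san}; reissue with -d {host}")
```

Comparing the result against every `server_name` the nginx block serves catches a missing name before browsers do.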

#6

Bullseye, can’t believe I missed that.
Thank you very much!

