net::ERR_CERT_AUTHORITY_INVALID

I am getting this error a few times; generally, this error does not occur.

Getting A+ at https://www.ssllabs.com/ssltest/analyze.html?d=ddd.schoolonapp.com

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: ddd.schoolonapp.com

I ran this command:

It produced this output:

My web server is (include version): nginx version: nginx/1.14.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04.4 LTS

My hosting provider, if applicable, is: digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): acme.sh

Below are files produced by acme.sh

ca.cer schoolonapp.com.conf schoolonapp.com.key fullchain.cer schoolonapp.com.csr schoolonapp.com.cer schoolonapp.com.csr.conf

Below is Nginx config

```nginx
# 'ssl on;' still works in nginx 1.14 but is deprecated; 'listen 443 ssl;' is the modern form
ssl on;

ssl_certificate /root/.acme.sh/schoolonapp.com/fullchain.cer;
ssl_certificate_key /root/.acme.sh/schoolonapp.com/schoolonapp.com.key;

ssl_session_timeout 4h;
ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
# the cipher list was cut off in the post (trailing "$"); the rest of the line is not shown
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE$
ssl_prefer_server_ciphers off;

add_header Strict-Transport-Security "max-age=63072000" always;
```


Hi @jseeone

Checking your domain via https://check-your-website.server-daten.de/?q=ddd.schoolonapp.com#url-checks, you see the problem.

Your certificate

| Issuer | not before | not after | Domain names | LE-Duplicate | next LE |
|---|---|---|---|---|---|
| Let's Encrypt Authority X3 | 2020-07-05 | 2020-10-03 | *.schoolonapp.com, schoolonapp.com (2 entries) | duplicate nr. 1 | |
| Let's Encrypt Authority X3 | 2020-06-04 | 2020-09-02 | *.schoolonapp.com, schoolonapp.com (2 entries) | | |

It works with ddd.schoolonapp.com, not with the www version. Your SSL Labs check uses the non-www version, so all is ok. But if some users add www, it's insecure.

And you have a wildcard DNS A entry:

| Host | Type | IP-Address | is auth. | ∑ Queries | ∑ Timeout |
|---|---|---|---|---|---|
| ddd.schoolonapp.com | A | 139.59.53.114 Bengaluru/Karnataka/India (IN) - DigitalOcean, LLC, No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |
| www.ddd.schoolonapp.com | A | 139.59.53.114 Bengaluru/Karnataka/India (IN) - DigitalOcean, LLC, No Hostname found | yes | 1 | 0 |
| | AAAA | | yes | | |
| *.schoolonapp.com | A | 139.59.53.114 | yes | | |
| | AAAA | | yes | | |
| | CNAME | | yes | | |
| *.ddd.schoolonapp.com | A | 139.59.53.114 | yes | | |
| | AAAA | | yes | | |
| | CNAME | | yes | | |

So the www.ddd version has an IP address.

  • Remove the wildcard A record (may be impossible) (or)
  • create a certificate with the additional www domain name (and the wildcard) and use that.

DNS wildcard -> all deeper domain names are possible
Certificate wildcard -> only the next label is “wildcard generated”.

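The difference between the two wildcard rules in the reply above, as an added example (not code from the thread or from acme.sh): a certificate wildcard matches exactly one label, a DNS wildcard answers for any deeper name, so a host can resolve yet be uncovered by the certificate. The SAN list, DNS records and host names are taken from the thread; the helper names are my own.

```python
from typing import Iterable, List


def _labels(name: str) -> List[str]:
    return name.lower().rstrip(".").split(".")


def cert_name_matches(san: str, host: str) -> bool:
    """Certificate matching (RFC 6125, as browsers apply it): a leading '*'
    stands for exactly one label, so *.schoolonapp.com covers
    ddd.schoolonapp.com but neither www.ddd.schoolonapp.com nor the bare
    schoolonapp.com."""
    s, h = _labels(san), _labels(host)
    if s[0] != "*":
        return s == h
    return len(s) == len(h) and s[1:] == h[1:]


def dns_wildcard_matches(record: str, host: str) -> bool:
    """DNS wildcard matching as the checker in the thread shows it:
    *.schoolonapp.com answers for any deeper name, www.ddd.schoolonapp.com
    included. The RFC 4592 closest-encloser rule is deliberately ignored."""
    r, h = _labels(record), _labels(host)
    if r[0] != "*":
        return r == h
    suffix = r[1:]
    return len(h) > len(suffix) and h[-len(suffix):] == suffix


def uncovered_hosts(cert_sans: Iterable[str], dns_records: Iterable[str],
                    hosts: Iterable[str]) -> List[str]:
    """Hosts that DNS answers for but no SAN on the certificate covers.
    Each such host reaches the server and gets a certificate that does
    not name it, which is what the reply above calls insecure."""
    sans, records = list(cert_sans), list(dns_records)
    return [h for h in hosts
            if any(dns_wildcard_matches(r, h) for r in records)
            and not any(cert_name_matches(s, h) for s in sans)]


# Constructed from the thread: the issued certificate and the DNS zone.
CERT_SANS = ["*.schoolonapp.com", "schoolonapp.com"]
DNS_RECORDS = ["schoolonapp.com", "*.schoolonapp.com", "www.schoolonapp.com"]
HOSTS = ["schoolonapp.com", "ddd.schoolonapp.com",
         "www.ddd.schoolonapp.com", "www.schoolonapp.com"]

if __name__ == "__main__":
    print(uncovered_hosts(CERT_SANS, DNS_RECORDS, HOSTS))
```

Adding `*.ddd.schoolonapp.com` (or just `www.ddd.schoolonapp.com`) to the SAN list, as the reply suggests, empties the uncovered list.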

Thank you for your response. I will try it.

| Type | Name | Value | TTL |
|---|---|---|---|
| A | @ | 104.198.14.52 | 1 Hour |
| A | * | 139.59.53.114 | 600 seconds |
| CNAME | www | @ | 1 Hour |

I found these entries only in my DNS manager. I can't remove the wildcard as I need to serve multiple subdomains. Please suggest to me what should be done now. I have used the following command.

```sh
acme.sh --issue --dns dns_gd -d schoolonapp.com -d *.schoolonapp.com
```
