This post has nothing to do with "getting" a cert from Let's Encrypt. Unfortunately, the category most relevant to my problem is closed. This category is the closest to relevant I can post to (besides: you folks suggested posting to this category instead of the closed one).
I will, however, fill out the template below in order to satisfy the requirements for posting to this category. The information you are requesting is irrelevant because I am successfully getting the certs and they are legitimate. The actual description of my problem is provided after the template.
My domain is: web.soliannet.net
I ran this command: sudo certbot certonly
It produced this output: The cert was created, PEM files placed in the correct place
My web server is (include version): Java app
The operating system my web server runs on is (include version): CentOS 7
My hosting provider, if applicable, is: Comcast
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): v1.11
My Actual Problem:
I have used certbot to successfully acquire a cert from Let's Encrypt. Because I am using my certs with a Nextcloud installation, I converted the PEM files into a CRT and KEY file. I am also using the cert in a Java-based application that is configured to use SSL, so I used openssl to create a JKS file.
The files I converted are the privatekey and the fullchain files. They are new certs, so they should be good.
Unfortunately, both Chrome and Firefox browsers say that the certs are invalid.
I have done Google searches to research this problem, and it was suggested that sites that this happens with contain mixed content. The only problem with that is that neither of my applications has mixed content (I checked with Nextcloud and my Java application is just a test application that returns a line of HTML over SSL).
I can find no other reason why a new cert, properly converted and accessed, would not be valid.
Can anyone here think of a reason? Can anyone think of a fix for this problem?
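Checks that can be run on converted certificate files like the ones described in this post, as an added example that is not part of the original post: it verifies that the leaf certificate matches the private key, that it covers the requested host name, and that the whole chain survives conversion to PKCS#12. The host name `web.example.test`, the file names, the password and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Host name, file names and password are constructed sample values.

# Build throwaway input shaped like certbot's privkey.pem / fullchain.pem (leaf first).
make_sample() {  # $1 = output directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=web.example.test" \
        -keyout "$1/privkey.pem" -out "$1/leaf.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Stand-in Intermediate" \
        -keyout "$1/other.key" -out "$1/other.pem" 2>/dev/null
    cat "$1/leaf.pem" "$1/other.pem" > "$1/fullchain.pem"
}

# True when the first (leaf) certificate in the file belongs to the private key.
cert_matches_key() {  # $1 = cert or fullchain PEM, $2 = private key PEM
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# True when the leaf certificate is valid for the host name the browser requests.
cert_covers_host() {  # $1 = cert or fullchain PEM, $2 = host name
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# Number of certificates in a PEM file (leaf plus intermediates).
chain_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Bundle key and full chain into PKCS#12, the usual intermediate step before
# importing into a JKS with keytool -importkeystore (keytool is not run here).
to_pkcs12() {  # $1 = fullchain PEM, $2 = key PEM, $3 = output .p12, $4 = password
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -name sample -passout "pass:$4"
}

# Number of certificates actually stored in the PKCS#12 file.
pkcs12_cert_count() {  # $1 = .p12 file, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Demo on the constructed sample files.
d=$(mktemp -d) && make_sample "$d"
cert_matches_key "$d/fullchain.pem" "$d/privkey.pem" && echo "key matches leaf certificate"
cert_covers_host "$d/fullchain.pem" web.example.test && echo "host name is covered"
to_pkcs12 "$d/fullchain.pem" "$d/privkey.pem" "$d/keystore.p12" changeit
echo "PKCS#12 holds $(pkcs12_cert_count "$d/keystore.p12" changeit) of $(chain_count "$d/fullchain.pem") certificates"
rm -rf "$d"
```

A certificate count in the keystore that is lower than in `fullchain.pem` means the intermediates were dropped during conversion, and a failed host name check means the server is being reached under a name the certificate was not issued for.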