New Invalid certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. |, so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:
$PluginName = 'Cloudflare'                # plugin name must be a quoted string
$CN    = '<your-domain>'                  # domain names were redacted in the post; placeholders only
$CNwww = '<www.your-domain>'

$certParams = @{
    Domain     = $CN, $CNwww
    Plugin     = $PluginName
    PluginArgs = @{ CFToken = $CFAPITokenSecure }   # SecureString holding the Cloudflare API token
    AcceptTOS  = $true
    Contact    = $EmailContact
    #PreferredChain = 'ISRG Root X1'
    PfxPass    = $Credential.GetNetworkCredential().Password
}                                         # closing brace of the hashtable was missing in the post
New-PACertificate @certParams

It produced this output: Created the certificate and installed it on the certificate store, then I configured IIS to use the certificate
Although I own my domain, I am not publishing the site on the internet, I am testing the process
I am validating the domain
Issuing the certificate
Installing the certificate on the internal web server for testing
My internal DNS is configured with the CN

I am new to Let's Encrypt, so I do not know if I am doing something wrong.
The curl command gives me this error:

* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: curl - SSL CA Certificates

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My web server is (include version):

The operating system my web server runs on is (include version): Windows Server 2022

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): I am using Posh-acme

I am investigating Let's Encrypt and creating a proof of concept for my company to eventually adopt it, but I am getting this error in the browser

Your connection isn't private

Attackers might be trying to steal your information from (for example, passwords, messages, or credit cards).


I'm not entirely sure.

While certificate transparency log aggregators often have a backlog of certificates yet to be indexed, it's often not that bad. And I don't see any certificate issued for using ( | nor Entrust Certificate Search - Entrust, Inc.

Perhaps your ACME client used the staging environment? Can you view the certificate in your browser and check the issuer?


@Osiris has guessed right that you are getting certs from the Let's Encrypt staging system

You will need to configure posh-acme to request certs from the production LE system
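An added example (not code from the thread or from the Posh-ACME project) of how to check which ACME directory Posh-ACME is pointed at, switch it to production, and then verify the issuer of the resulting certificate. It assumes Posh-ACME is installed, that `Get-PAServer` exposes `Name` and `location` and `Get-PACertificate`/`New-PACertificate` output exposes `CertFile`, and that the same variables as the posted script (`$CN`, `$CNwww`, `$PluginName`, `$CFAPITokenSecure`, `$EmailContact`, `$Credential`) are already set.

```powershell
# Added example, not from the original post. Assumes Posh-ACME is installed and the
# variables from the poster's script ($CN, $CNwww, $PluginName, $CFAPITokenSecure,
# $EmailContact, $Credential) are already defined in the session.
Import-Module Posh-ACME

# 1. Which ACME server is the current profile using? The staging profile is named
#    LE_STAGE and the production one LE_PROD (Name/location properties assumed).
$server = Get-PAServer
Write-Host "Current ACME server: $($server.Name) -> $($server.location)"

# 2. Point Posh-ACME at the Let's Encrypt production directory. This is the step
#    the original poster was missing; a staging certificate chains to a CA that
#    no browser or curl trusts, hence "unable to get local issuer certificate".
Set-PAServer LE_PROD

# 3. Re-issue with the same parameters as before, now against production.
$certParams = @{
    Domain     = $CN, $CNwww
    Plugin     = $PluginName
    PluginArgs = @{ CFToken = $CFAPITokenSecure }
    AcceptTOS  = $true
    Contact    = $EmailContact
    PfxPass    = $Credential.GetNetworkCredential().Password
}
$cert = New-PACertificate @certParams

# 4. Confirm the issuer. Let's Encrypt staging intermediates carry "(STAGING)" in
#    their name, so a match here means the cert is still from the test CA.
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($cert.CertFile)
if ($x509.Issuer -match 'STAGING') {
    Write-Warning "Still a staging certificate, issuer: $($x509.Issuer)"
} else {
    Write-Host "Production certificate, issuer: $($x509.Issuer)"
}
```

Running step 1 before issuing anything is the quick way to catch this mistake; `Set-PAServer` is persistent, so every later `New-PACertificate` call in that profile uses production.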


Please note that it's fine to issue a lot of certificates from the staging environment, but that there are strict rate limits for the production environment. (Looking at the number of certs issued quite fast after each other.)


This is all I find for Domain Names; no A, AAAA, or CNAME

$ nslookup -q=any
Address:      hinfo = "RFC8482" ""
$ nslookup -q=any
Address:  hinfo = "RFC8482" ""

It is normal not to see those with DNS Challenge for internal network use.


Correct, I just didn't see which of the Challenge Types - Let's Encrypt was being used.


It wasn't mentioned explicitly, but was implied by using the Cloudflare plugin.


Thanks @Osiris :slight_smile:



Thank you all so much for your responses, I was using stage instead of prod. I modified the code to use PROD and the certificate works like a charm, with no issues whatsoever.

Once again thank you for your answers and pointing me in the right direction.

