[Solved] Not trusted on mobile, maybe error setting up chain cert

my nginx conf

listen 443 ssl;
server_name lisitede.com;
add_header Strict-Transport-Security "max-age=31536000";
ssl_certificate /etc/nginx/cert/lisitede.com/lisitede.chained.crt;
ssl_certificate_key /etc/nginx/cert/lisitede.com/lisitede.com.key;

and I’ve checked that lisitede.chained.crt is the concat of lisitede.crt and lets-encrypt-x1-cross-signed.pem.

ssllabs

https://www.ssllabs.com/ssltest/analyze.html?d=lisitede.com

This server’s certificate chain is incomplete. Grade capped to B.

OK on Mac Chrome

but not trusted on iPhone4 and Moto X

I’ve reviewed related posts. But I cannot find where I did it wrong.

FYI, I applied for a cert about a month ago and have been using it with the same settings until today.

I re-applied for my cert, for it and for another subdomain, this morning and it all went wrong.

Using the fullchain.pem file in your config should correct your issue

Hello @hbrls,

As @serverco said, you should always use the fullchain generated when the cert is issued and you won't have this problem.

Just for your info, you issued the cert today, so you are using the wrong intermediate cert: it is not X1 but X3. Since last week there is a new intermediate cert in play ;-).

Cheers,
sahsanu

I apply using the script, and I think lisitede.chained.crt is fullchain.pem. Do you know how to test that?

I didn’t notice that. The init script author has updated to x3 and I have not. I’ll try it now. BTW, what do x1 and x3 mean?

X1, X2, X3, X4 are just versioning numbers. Certificates were issued by X1 at first; X2 would have been a recovery intermediate if something went completely wrong. X3 and X4 are the new intermediate certificates that work with Windows XP SP3+. Your client should automatically download the right certificate from Let’s Encrypt; if it does not, you should report it as a bug there. It’s never a good idea to hardcode the intermediate.

Hello @hbrls,

Regarding X1 and X3, they are just the names of the intermediate certificates. You can see them here https://letsencrypt.org/certificates/

Anyway, you don’t need to issue a new certificate with the updated script (yes, update the script to the new version) but you only need to concatenate your current cert and the new intermediate cert https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem into lisitede.chained.crt

Cheers,
sahsanu

It works! Thank you all!

And FYI, appending X3 without removing X1 will result in ssllabs complaining about Incorrect order, Extra certs

Glad you got it working.

Perhaps I should have explained it better: with "concatenate your current cert" I meant your domain cert, not your fullchain cert :wink:

Have a nice day,
sahsanu
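
Added example, not part of the thread or of any poster's script: a shell check for the question raised above, how to test that a file like lisitede.chained.crt really is a full chain. It compares each certificate's issuer with the subject of the certificate that follows it, which flags both a stale intermediate and the "Incorrect order, Extra certs" case. The function names and the throwaway "Demo x1" / "Demo x3" certificates are constructed for illustration, and the openssl CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: name-chaining check for a PEM bundle such as
# lisitede.chained.crt. Needs the openssl CLI.

# check_chain FILE: returns 0 only if every certificate's issuer is the
# subject of the certificate that follows it (leaf first, then intermediate).
check_chain() {
    local dir i=1 status=0 subj ihash next
    dir=$(mktemp -d) || return 2
    # Split the bundle into $dir/1.pem, $dir/2.pem, ... one cert per file.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (d "/" n ".pem") }' "$1"
    while [ -f "$dir/$i.pem" ]; do
        subj=$(openssl x509 -in "$dir/$i.pem" -noout -subject)
        ihash=$(openssl x509 -in "$dir/$i.pem" -noout -issuer_hash)
        echo "[$i] $subj"
        if [ -f "$dir/$((i + 1)).pem" ]; then
            next=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject_hash)
            if [ "$ihash" != "$next" ]; then
                echo "    MISMATCH: cert $((i + 1)) did not issue cert $i"
                status=1
            fi
        fi
        i=$((i + 1))
    done
    [ "$i" -gt 1 ] || status=2      # no certificate found in the file
    rm -rf "$dir"
    return "$status"
}

# make_demo_chain DIR: constructed throwaway certs (not Let's Encrypt's):
# two stand-in intermediates "Demo x1"/"Demo x3" and a leaf issued by x3.
make_demo_chain() {
    local d=$1 x
    for x in x1 x3; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo $x" \
            -keyout "$d/$x.key" -out "$d/$x.pem" 2>/dev/null
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/x3.pem" -CAkey "$d/x3.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/x1.pem" > "$d/old.chained.crt"   # stale intermediate
    cat "$d/leaf.pem" "$d/x3.pem" > "$d/new.chained.crt"   # matching one
}
```

Run `check_chain` on the file named in `ssl_certificate`; a return code of 1 means some certificate in the file was not issued by the one after it, and 2 means no certificate was found.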
