[solved] Server's certificates are not trusted

try 1 first
restart apache if needed

I don't think anything changed after option 1 and a restart of apache.

Yeah I think there is no REAL issued cert:
https://crt.sh/?q=myf*****views.com

Try 2 then restart apache

Alright, ran the command and restarted apache. Not seeing any changes, unfortunately.

OMG!!!
It's a new cert but still from staging!

confirm the modified file:
server = https://acme-staging.api.letsencrypt.org/directory
should show
server = https://acme-v01.api.letsencrypt.org/directory

The server domain under the renew folder returned to staging as well. Is it perhaps the -d option in the command?

Do you have a cli.ini file? Did you run any other tool or script that helps you to get certificates?

Normally we would expect this if you ran with --staging or --test-cert or --dry-run at some point, and otherwise not.

Otherwise, you can try grep -r staging /etc/letsencrypt to see if you have any other spurious references to the staging server (and also perhaps history | egrep '(staging|test-cert|dry-run)' to see if you have any test-related command lines that you’ve forgotten about?).

There is a cli.ini file, and no I haven’t run any script or tool. Just the command I shared above. From the first command you requested, in partial.

/etc/certbot/cli.ini:# The staging/testing server
/etc/certbot/cli.ini:server = https://acme-staging.api.letsencrypt.org/directory
/etc/certbot/dev-cli.ini:# Always use the staging/testing server - avoids rate limiting
/etc/certbot/dev-cli.ini:server = https://acme-staging.api.letsencrypt.org/directory
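
Added example, not part of any post in this thread: a scripted form of the grep check suggested above that reports only active (uncommented) `server =` lines pointing at a staging endpoint, so it can be used as a pass/fail check. The function names and the sample tree are constructed for illustration; the URLs and the /etc/certbot and /etc/letsencrypt paths are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Lists active "server =" settings that
# point Certbot at a staging ACME endpoint; commented-out lines are ignored.

# Prints "file:line:url" for each hit in *.ini / *.conf files under the dirs.
find_staging_servers() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f \( -name '*.ini' -o -name '*.conf' \) | sort |
        while IFS= read -r file; do
            awk -v f="$file" '
                /^[ \t]*[#;]/ { next }              # comment line
                /^[ \t]*server[ \t]*=/ {
                    url = $0
                    sub(/^[^=]*=[ \t]*/, "", url)   # keep the value only
                    sub(/[ \t]+$/, "", url)
                    if (url ~ /staging/) print f ":" NR ":" url
                }' "$file"
        done
    done
}

# Returns 1 (and prints the hits) when any staging endpoint is configured.
check_certbot_staging() {
    hits=$(find_staging_servers "$@")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample tree (stand-in for /etc/certbot and /etc/letsencrypt).
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/renewal"
    printf '%s\n' '# The staging/testing server' \
        'server = https://acme-staging.api.letsencrypt.org/directory' \
        > "$d/cli.ini"
    printf '%s\n' '[renewalparams]' \
        '# server = https://acme-staging.api.letsencrypt.org/directory' \
        'server = https://acme-v01.api.letsencrypt.org/directory' \
        > "$d/renewal/example.test.conf"
    printf '%s\n' "$d"
}

sample=$(make_sample_tree)
check_certbot_staging "$sample" || echo "staging endpoint still configured"
rm -rf "$sample"
```

On a real host the call would be `check_certbot_staging /etc/certbot /etc/letsencrypt`, run after every package update so a reverted default is caught before the next renewal.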

I agree with @schoen it’s probably a cli.ini file that is overriding that file setting.

update the cli.ini file and rerun command with option 2
restart apache if needed

Argh, this is a known problem with OpenSuSE that we never got a contact to get fixed:

:frowning: :frowning: :frowning:

I am a bit surprised that more people aren’t encountering this problem and complaining to OpenSuSE about it. This is a hard-to-discover unexpected default that breaks the most basic functionality of Certbot.

Thank you both! Sorry I wasn’t looking up the proper things. Admittedly today is my first time ever touching SSL so I’m sure I made a lot of rookie mistakes. Either way, the SSL is up and running thanks to you both!

mark it closed
and you're welcome

I am frustrated that the OpenSuSE package is causing people to waste quite a bit of time this way—and also that I didn’t remember this problem sooner. :slight_smile:

This appears to have been fixed in Tumbleweed, but not backported to Leap.

-------------------------------------------------------------------
Fri Aug 25 06:07:01 UTC 2017 - ecsos@opensuse.org

- On request from upstream switch server parameter in cli.ini from
  staging to production server.
- Change description in README.SUSE.

https://build.opensuse.org/request/show/519138


That makes me think that I was the upstream requester in question but that I then forgot about the entire interaction afterwards! Maybe I will make a forum thread with some prominent keywords in the title in the hope that anyone who runs into this in the future finds that thread (or that I’ll at least remember having written it).

Edit: I learned from a conference call that @SwartzCr and @bmw were the upstream requesters, which might explain why this was less clear in my memory. :slight_smile:

@bmw gave me a contact at openSUSE and I’ve just sent an e-mail asking if this can also be updated for Leap users.
