Some browser say certificate is not trusted

hnaseri · February 27, 2017, 4:05pm

https loads pretty much good in some browsers, However others say the certificate is not trusted.
Is there soothing I should do to fix it?

cpu · February 27, 2017, 4:09pm

Your server is only returning the leaf certificate issued for "zabanshenas.com", but not the Let's Encrypt Authority X3 intermediate certificate. Some browsers will fetch this automatically but not all of them! That's why the error is browser dependent.

Did you use Certbot to issue your certificate? If so then in addition to cert.pem it should have output a fullchain.pem that you can use with your Webserver configuration to send the intermediate chain.

Are you using Apache as the webserver? If you share which ACME client you used and your webserver configuration someone should be able to help you figure out how to send the intermediate cert and fix your problem.

hnaseri · February 27, 2017, 4:15pm

yes

I've used this plugin to configure my https:

my apache configuration is this:

<VirtualHost xxx.xx.xxx.xxx:8443>

    ServerName zabanshenas.com
    ServerAlias www.zabanshenas.com
    ServerAdmin info@zabanshenas.com
    DocumentRoot /home/admin/web/zabanshenas.com/public_html
    ScriptAlias /cgi-bin/ /home/admin/web/zabanshenas.com/cgi-bin/
    Alias /vstats/ /home/admin/web/zabanshenas.com/stats/
    Alias /error/ /home/admin/web/zabanshenas.com/document_errors/
    #SuexecUserGroup admin admin
    CustomLog /var/log/httpd/domains/zabanshenas.com.bytes bytes
    CustomLog /var/log/httpd/domains/zabanshenas.com.log combined
    ErrorLog /var/log/httpd/domains/zabanshenas.com.error.log
    <Directory /home/admin/web/zabanshenas.com/public_html>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        php_admin_value open_basedir /home/admin/web/zabanshenas.com/public_html:/home/admin/tmp
        php_admin_value upload_tmp_dir /home/admin/tmp
        php_admin_value session.save_path /home/admin/tmp
    </Directory>
    <Directory /home/admin/web/zabanshenas.com/stats>
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /home/admin/conf/web/ssl.zabanshenas.com.crt
    SSLCertificateKeyFile /home/admin/conf/web/ssl.zabanshenas.com.key
    SSLCertificateChainFile /home/admin/conf/web/ssl.zabanshenas.com.ca

    <IfModule mod_ruid2.c>
        RMode config
        RUidGid admin admin
        RGroups apache
    </IfModule>
    <IfModule itk.c>
        AssignUserID admin admin
    </IfModule>

    IncludeOptional /home/admin/conf/web/shttpd.zabanshenas.com.conf*

</VirtualHost>
is it correct?

Osiris · February 27, 2017, 4:33pm

Well, according to the specific part of letsencrypt-vesta, that shóuld be alright. But it clearly isn't, because OpenSSL warns about incomplete chain ("Verify return code: 21 (unable to verify the first certificate)").

One thing that caught my eye:

Which port does your Apache run? I'm seeing 8443 here, but nothing can connect to that port. Or is that b/c of a portmap on your NAT router/firewall or something?

hnaseri · February 27, 2017, 4:43pm

what can I do to make sure if its alright or not?

I really don't know how 8443 got here. I suppose this file is created by letsencrypt-vesta plugin. could it be because of this?

btw I'm using a content delivery network and I have uploaded my cert and key files there. they didnt ask for the fullchain file. Do you think maybe it is the root cause of problem?

Osiris · February 27, 2017, 4:46pm

That's most certainly the issue here, yes. You uploaded the certificates from /home/admin/conf/web/?

You might want to consider uploading the cert and key from /etc/letsencrypt/live/zabanshenas.com/, respectively fullchain.pem and privkey.pem. fullchain.pem is both the end leaf certificate (cert.pem) and the Let's Encrypt intermediate (chain.pem) in one file, so should be perfect for you to upload to your CDN.

hnaseri · February 27, 2017, 4:54pm

yes I exactly uploaded these two files in my cdn:

/home/admin/conf/web/ssl.zabanshenas.com.key
/home/admin/conf/web/ssl.zabanshenas.com.crt

Look in my CDN I can only upload two files and they clearly told me to upload cert file and key file. so you mean instead of cert file, I should upload fullchain file?

pfg · February 27, 2017, 5:10pm

If they only have two fields (one for the key, one for certificates), the one for the certificate typically is meant for both the leaf (server) certificate and any intermediates. So yes, fullchain.pem would probably be the right one.

Osiris · February 27, 2017, 5:50pm

Correct.

For example, Apache uses one directive since version 2.4.8 for two certificates: the end leaf cert (cert.pem) and the chain (chain.pem) in one file (fullchain.pem). Most likely this shall also work with the single upload possibility for what they call the "cert file".

hnaseri · February 27, 2017, 6:09pm

yes thank you very much. that corrected my problem.
and btw port 8443 was used because I was using apache + nging

system · March 29, 2017, 6:09pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.