Some browsers say certificate is not trusted


#1

My domain is: https://zabanshenas.com

HTTPS loads pretty well in some browsers; however, others say the certificate is not trusted.
Is there something I should do to fix it?


#2

Your server is only returning the leaf certificate issued for “zabanshenas.com”, but not the Let’s Encrypt Authority X3 intermediate certificate. Some browsers will fetch this automatically but not all of them! That’s why the error is browser dependent.

Did you use Certbot to issue your certificate? If so then in addition to cert.pem it should have output a fullchain.pem that you can use with your Webserver configuration to send the intermediate chain.

Are you using Apache as the webserver? If you share which ACME client you used and your webserver configuration someone should be able to help you figure out how to send the intermediate cert and fix your problem.


#3

Yes.

I've used this plugin to configure my HTTPS:

My Apache configuration is this:

<VirtualHost xxx.xx.xxx.xxx:8443>

    ServerName zabanshenas.com
    ServerAlias www.zabanshenas.com
    ServerAdmin info@zabanshenas.com
    DocumentRoot /home/admin/web/zabanshenas.com/public_html
    ScriptAlias /cgi-bin/ /home/admin/web/zabanshenas.com/cgi-bin/
    Alias /vstats/ /home/admin/web/zabanshenas.com/stats/
    Alias /error/ /home/admin/web/zabanshenas.com/document_errors/
    #SuexecUserGroup admin admin
    CustomLog /var/log/httpd/domains/zabanshenas.com.bytes bytes
    CustomLog /var/log/httpd/domains/zabanshenas.com.log combined
    ErrorLog /var/log/httpd/domains/zabanshenas.com.error.log
    <Directory /home/admin/web/zabanshenas.com/public_html>
        AllowOverride All
        SSLRequireSSL
        Options +Includes -Indexes +ExecCGI
        php_admin_value open_basedir /home/admin/web/zabanshenas.com/public_html:/home/admin/tmp
        php_admin_value upload_tmp_dir /home/admin/tmp
        php_admin_value session.save_path /home/admin/tmp
    </Directory>
    <Directory /home/admin/web/zabanshenas.com/stats>
        AllowOverride All
    </Directory>
    SSLEngine on
    SSLVerifyClient none
    SSLCertificateFile /home/admin/conf/web/ssl.zabanshenas.com.crt
    SSLCertificateKeyFile /home/admin/conf/web/ssl.zabanshenas.com.key
    SSLCertificateChainFile /home/admin/conf/web/ssl.zabanshenas.com.ca

    <IfModule mod_ruid2.c>
        RMode config
        RUidGid admin admin
        RGroups apache
    </IfModule>
    <IfModule itk.c>
        AssignUserID admin admin
    </IfModule>

    IncludeOptional /home/admin/conf/web/shttpd.zabanshenas.com.conf*

</VirtualHost>
Is it correct?

#4

Well, according to the specific part of letsencrypt-vesta, that shóuld be alright. But it clearly isn’t, because OpenSSL warns about incomplete chain (“Verify return code: 21 (unable to verify the first certificate)”).

One thing that caught my eye:

Which port does your Apache run? I’m seeing 8443 here, but nothing can connect to that port. Or is that b/c of a portmap on your NAT router/firewall or something?


#5

What can I do to make sure whether it's alright or not?

I really don't know how 8443 got here. I suppose this file is created by the letsencrypt-vesta plugin. Could it be because of this?

BTW, I'm using a content delivery network and I have uploaded my cert and key files there. They didn't ask for the fullchain file. Do you think maybe it is the root cause of the problem?


#6

That’s most certainly the issue here, yes. You uploaded the certificates from /home/admin/conf/web/?

You might want to consider uploading the cert and key from /etc/letsencrypt/live/zabanshenas.com/, respectively fullchain.pem and privkey.pem. fullchain.pem is both the end leaf certificate (cert.pem) and the Let’s Encrypt intermediate (chain.pem) in one file, so should be perfect for you to upload to your CDN.


#7

Yes, I uploaded exactly these two files to my CDN:

/home/admin/conf/web/ssl.zabanshenas.com.key
/home/admin/conf/web/ssl.zabanshenas.com.crt

Look, in my CDN I can only upload two files, and they clearly told me to upload the cert file and the key file. So you mean instead of the cert file, I should upload the fullchain file?


#8

If they only have two fields (one for the key, one for certificates), the one for the certificate typically is meant for both the leaf (server) certificate and any intermediates. So yes, fullchain.pem would probably be the right one.


#9

Correct.

For example, Apache uses one directive since version 2.4.8 for two certificates: the end leaf cert (cert.pem) and the chain (chain.pem) in one file (fullchain.pem). Most likely this shall also work with the single upload possibility for what they call the “cert file”.


#10

Yes, thank you very much. That corrected my problem.
And BTW, port 8443 was used because I was using Apache + nginx.

