SSL certificate not accepted as trusted on some browsers

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: all4u.market

I ran this command: I've set up using certbot with nginx

It produced this output:
some browsers not recognizing

My web server is (include version): nginx 1.18.0

The operating system my web server runs on is (include version):
ubuntu 21.10
My hosting provider, if applicable, is:
linode
I can login to a root shell on my machine (yes or no, or I don't know):
yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.27.0

Welcome @parmonov98

Your server is sending a valid cert using the "long chain". This forum site also uses that chain. Can that browser visit this site without the error?

2 Likes

You may be having trouble because the "www" is not on the same cert.
crt.sh | all4u.market
Two certs have been issued independently.
One for: all4u.market
One for: www.all4u.market

2 Likes

I've set up www.all4u.market and redirected non-www to www.
The same issue with the same browsers on Mac.
I think there's a browser-specific issue which I don't see.

What version of macOS is this? For Safari you need to be running macOS 10.12.1 or higher. Older macOS versions require manual configuration.

2 Likes

Great that fixes any DNS issues...
Now, are you using a cert that covers both names?
OR
Individually covering each name with a corresponding cert?

1 Like

I used a cert like this in nginx.

Let's see what that actually covers, with:
certbot certificates

1 Like

Compare:
SSL Server Test: all4u.market (Powered by Qualys SSL Labs)
with:
SSL Server Test: www.all4u.market (Powered by Qualys SSL Labs)

1 Like

image

1 Like

Ok, so I repeat myself (with my first post):

1 Like

How do I merge them? I just followed the instructions on the certbot official website.
Can you point me in the right direction?
Or how to set it up properly?

But from what I remember, the issue used to exist before setting up www.

There might be more than one issue...

Certs can't be merged.
You need to get a new cert for both names.

Not sure how to advise you; as you stated:

other than to say: Include both names in the cert request - not one name at a time.

After we fix this issue, we can tackle the next (and for as many as you may have).

1 Like

After expanding SSL for both using the sudo certbot (E)xpand option,
I got all green for all4u.market

I use this site to check my CSRs and Certs
https://redkestrel.co.uk/products/decoder/
Looking at the CSR Subject Common Name (CN) (i.e. Subject:) (SSL Server Test (Powered by Qualys SSL Labs) labels it Common names)
and the CSR Properties SANs (i.e. X509v3 Subject Alternative Name:, DNS:) (SSL Server Test (Powered by Qualys SSL Labs) labels it Alternative names)

1 Like

Compared as you said.
The cert is the same for both names.

I used certbot, and I don't know what to put in there?
I've got 2 files here

which one should I use to check?

I've deleted the second cert for www one.
What is the next thing to fix ?
image

Absolutely NOT EVER the privkey.pem NEVER NEVER NEVER!

The first certificate in the fullchain.pem should be what you are looking for.

1 Like
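The check discussed in this thread (read the first certificate in fullchain.pem and confirm it lists both hostnames) can be scripted as below. This is an added example, not part of any post above; the function names are hypothetical, it assumes OpenSSL 1.1.1 or newer, and it compares names exactly (no wildcard matching).

```bash
#!/usr/bin/env bash
# Added example: which hostnames does the leaf cert in a fullchain.pem cover?
# Only the public certificate file is read; privkey.pem is never needed.

# Print the first (leaf) certificate of a PEM bundle.
leaf_cert() {
  awk '/-----BEGIN CERTIFICATE-----/ {p=1} p {print}
       /-----END CERTIFICATE-----/ {exit}' "$1"
}

# List the DNS entries of the leaf's Subject Alternative Name, one per line.
cert_sans() {
  leaf_cert "$1" | openssl x509 -noout -ext subjectAltName 2>/dev/null |
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# Return 0 if every given hostname is in the SAN list; report the missing ones.
covers_all() {
  local bundle=$1 missing=0 sans name; shift
  sans=$(cert_sans "$bundle")
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF -- "$name"; then
      echo "missing from cert: $name"; missing=1
    fi
  done
  return "$missing"
}

# Constructed sample input: a throwaway self-signed cert with the given names,
# so the functions can be tried offline without touching a live certificate.
make_sample_cert() {
  local out=$1 first=$2 san; shift
  san=$(printf 'DNS:%s,' "$@"); san=${san%,}
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout /dev/null \
    -subj "/CN=$first" -addext "subjectAltName=$san" -out "$out" 2>/dev/null
}

# Usage: ./check_sans.sh <fullchain.pem> <name> [<name> ...]
if [ "$#" -ge 2 ]; then
  covers_all "$@"
fi
```

With certbot's default layout the bundle is the fullchain.pem under /etc/letsencrypt/live/ for the certificate name shown by `certbot certificates`.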

Here is another place to look for issues with one's website https://check-your-website.server-daten.de/
in your case https://check-your-website.server-daten.de/?q=all4u.market

1 Like