SSLLABS says certificate is untrusted

https://www.ssllabs.com/ssltest/analyze.html?d=magnesium.crosswell.holtain.net
Trusted No NOT TRUSTED (Why?)

Seems to be issues with the generated chain.crt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
magnesium.crosswell.holtain.net
I ran this command:
getssl magnesium.crosswell.holtain.net
It produced this output:
Registering account
Verify each domain
Verifying magnesium.crosswell.holtain.net
magnesium.crosswell.holtain.net is already validated
Verifying magnesium2.crosswell.holtain.net
magnesium2.crosswell.holtain.net is already validated
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Certificate saved in /root/.getssl/magnesium.crosswell.holtain.net/magnesium.crosswell.holtain.net.crt
reloading SSL services
Stopping httpd: [ OK ]
Starting httpd: [ OK ]
magnesium.crosswell.holtain.net - rsa certificate installed OK on server
certificate obtained for magnesium.crosswell.holtain.net
My web server is (include version):
Server version: Apache/2.2.15 (Unix)
The operating system my web server runs on is (include version):
CentOS 6
My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
getssl V2.45

1 Like

getssl has a quirk: by default it gets its certificate from the testing server, which has lax rate limits but is not trusted by browsers.
You will need to edit ~/.getssl/config.cfg to change the server to production. It will have the relevant option commented at the start of the file.

5 Likes

I'd forgotten that quirk!

Comment out the first server listed and uncomment the second, and all is well.
# The staging server is best for testing (hence set as default)
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

2 Likes
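The check and the switch described in the replies above, as an added example that is not part of the original thread or of getssl itself. The function names are hypothetical, the sample file is constructed from the stanza quoted above, and it assumes the config is read as shell so that the last uncommented CA= line is the one in effect:

```shell
#!/bin/sh
PROD_CA="https://acme-v02.api.letsencrypt.org"

# Print the value of the last uncommented CA= assignment in a config file,
# with quotes and any trailing "# comment" stripped.
effective_ca() {
    awk '/^[ \t]*CA=/ { v = $0; sub(/^[ \t]*CA=/, "", v)
                        gsub(/["\047]/, "", v); sub(/[ \t]*(#.*)?$/, "", v); ca = v }
         END { print ca }' "$1"
}

# Classify the effective CA: staging, production, other, or unset.
ca_kind() {
    case "$(effective_ca "$1")" in
        "")              echo unset ;;
        *acme-staging*)  echo staging ;;
        "$PROD_CA"*)     echo production ;;
        *)               echo other ;;
    esac
}

# Comment out active staging lines and uncomment the production line.
# Keeps a .bak copy; appends a production line if none ends up in effect.
use_production() {
    cfg=$1
    cp -p "$cfg" "$cfg.bak" || return 1
    sed -e '/^[[:space:]]*CA=.*acme-staging/ s/^/#/' \
        -e '/^[[:space:]]*#[[:space:]]*CA=.*\/acme-v02\./ s/^[[:space:]]*#[[:space:]]*//' \
        "$cfg.bak" > "$cfg"
    [ "$(ca_kind "$cfg")" = production ] || printf 'CA="%s"\n' "$PROD_CA" >> "$cfg"
}

# Demo on a constructed copy of the default stanza (not a real config file).
demo=$(mktemp)
cat > "$demo" <<'EOF'
# The staging server is best for testing (hence set as default)
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"
EOF
echo "before: $(ca_kind "$demo")"
use_production "$demo"
echo "after:  $(ca_kind "$demo")"
rm -f "$demo" "$demo.bak"
```

Changing the config does not replace the certificate already installed; the server keeps presenting the staging-issued one until a new certificate is obtained from the production server.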
