SSLShopper shows my Chain Cert as Let's Encrypt Authority X1 and Not Trusted in All Browsers


#1

My domain is: www.canadiandragon.com

The operating system my web server runs on is (include version): Plesk 12.0.18 for windows

My hosting provider, if applicable, is: Deluxe Windows Hosting with Plesk

I can login to a root shell on my machine (yes or no, or I don’t know): I think so, I use FileZilla to upload everything and can copy to the folder that holds my httpdocs folder

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk for Windows on GoDaddy

Hi guys, so my issue is that I am hosting with GoDaddy, who suck, and try to make everything as hard as possible in setting this up so that you’ll give up and buy their crappy SSL.

My first beef is that they force you to have them issue a CRT request through them, but then they only let you put in one domain (such as just www). I’m going to be writing them to complain about that, as then you can’t secure it without the www. I’ve tried getting around that with a .htaccess and web.config file and by setting www.canadiandragon.com as my preferred, but I am not sure if it 100% works for everyone.

Anyway, besides the point is that I can’t install certbot with them as far as I can tell, I have to issue the CRT though them. So I’ve done that, and it seems to work, but when I go on SSL Shopper it gives me an error on the last link that says:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

So I compared my website to another website that uses Let’s Encrypt and the difference as far as I could tell was that my root cert common name was Let’s Encrypt Authority X1 and theirs was Let’s Encrypt Authority X3. I tried two different sites for issuing certs- zerossl.com and sslforfree.com and both times I am running into the same error. I’m not sure what to do otherwise to get this fixed, as I don’t think I can use certbot, even though plesk apparently supports it, I don’t think GoDaddy does and like I mentioned before, I have to have them issue the CRT request. Any help on how to fix this and get a proper root certificate would be appreciated!


#2

Hi @sandrastaple :canada: :dragon:,

It’s true that your certificate chain isn’t quite right. It does include the obsolete Let’s Encrypt Authority X1 certificate instead of the current Let’s Encrypt Authority X3 certificate, and it’s also correct that it might not work on some browsers as a result. The most likely compatibility problems resulting from this would be on some mobile devices and on newly-installed machines that haven’t browsed the web very much yet. (For example, if you create a fresh browser profile and go to your site immediately with that profile, you might well see a certificate error in your browser.)

This kind of problem is somewhat unusual because Let’s Encrypt automatically sends the recommended certificate chain whenever it issues a certificate, so everyone should be able to get the right chain automatically whenever a new certificate is created. It seems like it should take extra effort to get an invalid chain this way. Can you tell us more specifically how you generated and installed this certificate? Did GoDaddy handle all of these steps for you?


#3

For example, are you using ZeroSSL to generate the certificate? Using a CSR file created by GoDaddy?


#4

@schoen The first step with GoDaddy is to login to Plesk Admin, and then choose Secure Your Sites under the domain you are updating (each domain that you are hosting has its own).

From there you go to Add SSL Certificate

Then on the next page fill out the appropriate info. This is where I want to place a complaint with GoDaddy (not that it will probably do anything) because you can only choose one domain to secure…either with or without www. (I tried separating the two with a comma but just got an error.)
Once you have filled that out you click request and they generate the CSR and the key.

Once you have the CSR that they generate, you can take that to a website to generate the certs.
I tried both services listed earlier - (I liked zerossl.com better.) and both resulted in the same error. I had to verify my csr using the acme challenge. That gave me my certificate file, which I had to break into two files for GoDaddy as they request the certificate and CA certificate separately.

Once that’s done the last step is to go into Hosting Settings and turn on SSL by choosing the SSL Certificates you’ve set up.

I also setup a .htaccess file and web.config to try and get around the annoying issue of them not providing a CSR for both www.canadiandragon.com and canadiandragon.com, but that’s a whole different issue.

Anyway it’s pretty frustrating…especially since I was pretty pleased with myself for figuring this all out on my own and getting it set up quite quickly, haha! Only to have it not quite work…bleh!


#5

Do you still have a copy of that file? It seems like the second one of these is wrong somehow, but I’d like to see what ZeroSSL gave you.


#6

It looks like it’s very close to working in any case, so I’m sure we can get it sorted out. But as you mentioned, GoDaddy doesn’t seem to be fond of people using externally-obtained certificates rather than buying them from GoDaddy. This might be a real inconvenience as long as you keep using GoDaddy’s hosting; as you may know, Let’s Encrypt certificates are only valid for 90 days, and so we encourage everyone to try to find a way to automate the renewal process, which doesn’t seem like it would be straightforward to do in this setup.


#7

Sure, here is the file, I just pasted the second part back in. It’s all just encrypted though…shoot it says I can’t attach as I’m a new user. I can just paste it below if you want!


#8

No, GoDaddy is terrible for this- I’ll probably look at switching when my hosting is up in a year. I’m sure I will have to manually update my certs every 90 days with them. The reason I switched to GoDaddy in the first place was because I needed a cheap hosting company that allowed multiple domains to be hosted (at least 3) with unlimited bandwidth and space. Bandwidth in particular, as my website is an online gallery that everyone links to- Pinterest in particular is hotlinked to my website like crazy as I’ve had the domain for almost 20 years now and everyone pins my art. I also need the host to be fairly fast- the last provider I was with was quite slow. If you have any recommendations that would be great…Is Let’s Encrypt good for securing simple shopping carts? I was hoping to try setting up Prestashop down the road (just with PayPal) and I really doubt GoDaddy is very supportive of that either.


#9

Oh and also remember- I tried TWO different Let’s Encrypt certificate providers, and in both cases I still got the same error on SSLShopper.


#10

Sure, please paste it here. Certificates are OK to post publicly (unlike private keys, which shouldn’t be shared).


#11

@schoen Okay! Basically both websites issued a txt file (or .crt, same thing) where it had both certs inside. I broke it into two files, then uploaded them both at the same time.

This is what the text looks like:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


#12

Interestingly, the second file (the CA or chain certificate) is correct, but it doesn’t match what’s being served by your hosting provider! Did you get any kind of error when you uploaded it? Could you try uploading it again?
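
Added example, not part of the thread or of anyone’s posted files: the split-and-check procedure the posts above describe, done with openssl so you can verify the two files before uploading them and see why a stale intermediate breaks the chain. It builds a constructed throwaway PKI (hypothetical names “Test Root”, “Test Authority X3”, “Test Authority X1” and “www.example.test” standing in for ISRG’s root, the current and obsolete Let’s Encrypt intermediates and the site certificate), so it runs offline; it assumes a POSIX sh with openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the "split the file the CA gave
# you into Certificate + CA Certificate" step and check the pair the way
# SSLShopper / SSL Labs do. Everything below is a constructed, throwaway PKI;
# the names are hypothetical stand-ins for the real Let's Encrypt hierarchy.
set -eu
WORK=$(mktemp -d); cd "$WORK"

newcsr() {  # $1 name, $2 CN: fresh key + CSR (the step the hosting panel does)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" >/dev/null 2>&1
}
sign() {    # $1 name, $2 issuer name or "self", $3 extension line
  printf '%s\n' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 2 \
      -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 2 -extfile "$1.ext" -out "$1.pem" >/dev/null 2>&1
  fi
}
CA_EXT="basicConstraints=critical,CA:TRUE"
newcsr root "Test Root";          sign root self "$CA_EXT"
newcsr x3   "Test Authority X3";  sign x3   root "$CA_EXT"   # current intermediate
newcsr x1   "Test Authority X1";  sign x1   root "$CA_EXT"   # obsolete intermediate
newcsr leaf "www.example.test";   sign leaf x3   "basicConstraints=CA:FALSE"

# What an ACME client / ZeroSSL hands back: leaf first, then the intermediate.
cat leaf.pem x3.pem > fullchain.pem

# Split on the BEGIN markers: block 1 -> Certificate, the rest -> CA Certificate.
split_chain() {  # $1 fullchain, $2 leaf out, $3 chain out
  awk -v leaf="$2" -v chain="$3" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    { if (n == 1) print > leaf; else print > chain }' "$1"
}

# Check 1: the leaf's Issuer must be the Subject of the intermediate you upload.
issuer_matches() {  # $1 leaf.pem, $2 chain.pem
  li=$(openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer=//')
  cs=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  [ "$li" = "$cs" ]
}
# Check 2: full path validation with the intermediate passed as untrusted,
# i.e. what a browser with an empty intermediate cache has to do.
chain_ok() {  # $1 leaf.pem, $2 chain.pem, $3 trusted root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

split_chain fullchain.pem cert.pem chain.pem
issuer_matches cert.pem chain.pem && chain_ok cert.pem chain.pem root.pem \
  && echo "uploaded pair (cert.pem + chain.pem): chain complete"
# The failure in the thread: the server sends the stale intermediate instead.
chain_ok cert.pem x1.pem root.pem || echo "cert.pem + X1: chain broken (the SSLShopper result)"

# Dump what a live server really sends (needs network, so not run here);
# compare its second block against chain.pem to see whether the host replaced it.
served_chain() {  # $1 hostname
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk '/-----BEGIN CERTIFICATE-----/ { n++; inblk = 1 }
         inblk { print > ("served-" n ".pem") }
         /-----END CERTIFICATE-----/ { inblk = 0 }'
  for f in served-*.pem; do openssl x509 -in "$f" -noout -subject -issuer; done
}
```

The two checks are independent: `issuer_matches` catches uploading the wrong intermediate, while `chain_ok` also catches an intermediate that names the right issuer but does not actually verify to the root. Running `served_chain` against the real hostname and diffing its second block against `chain.pem` is the quickest way to tell whether the file you uploaded or something on the host side is what the browser sees.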


#13

@schoen I just tried redoing the entire process again to see if at any point it throws an error. It doesn’t- I created a new certificate as well just to see. Here is the new crt file I just got from ZeroSSL and switched to on GoDaddy:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----


#14

Again that is the correct certificate you’re getting from ZeroSSL, and your site is indeed serving the end entity cert you just obtained, so it’s not like the installation as a whole failed.

That should work, but maybe it’s triggering some bug on GoDaddy’s side? And maybe the alternative, uploading both as a single file in the Certificate field, might not trigger that bug? Might be worth a try…


#15

@schoen I’m not uploading both in the certificate field though, I’m breaking it into two, so that the second ca cert is only in the second file.


#16

That seems to be what GoDaddy expects you to do, although you could also try @jmorahan’s suggestion to see if it makes any difference.


#17

I just tried putting both certificates back into one file and uploading it just to the certificate, then I tried uploading the same file to both the certificate and CA certificate, but it’s still showing the same thing on SSL Shopper, and now my CA Certificate shows both parts in it on GoDaddy. :frowning: Could GoDaddy be somehow doing something to change the version of the CA Cert it’s passing off? So frustrating! Arg and I have a year to go with them too.


#18

Yes, they could have a software bug that somehow hard-codes the X1 certificate, for example. Do you think you could ask their support about this? It seems to me that you’re doing everything right here and GoDaddy is then doing something strange.


#19

Hi @sandrastaple

the problem is global. I am using Windows 2012, but:

I don’t know how Windows handles the intermediate certificate.

My own ACME-client splits the intermediate and the own certificate (from Letsencrypt), creates a pfx file (only with the own certificate) and loads that into Machine\Webhosting.

That works - SSLLabs -> Grade A, no incomplete chain.

Perhaps it’s because the intermediate certificate is in Webhosting. But I don’t know if there is a configuration option.


#20

I don’t know anything about Windows hosting, but I remembered reading about an issue where an old intermediate got stuck in place and IIS was always serving it instead of the new one…

but that was from around the time when the X3 intermediate was introduced, which was … some time ago.