SSLShopper shows my Chain Cert as Let's Encrypt Authority X1 and Not Trusted in All Browsers

sandrastaple · March 13, 2019, 12:34am

The operating system my web server runs on is (include version): Plesk 12.0.18 for windows

My hosting provider, if applicable, is: Deluxe Windows Hosting with Plesk

I can login to a root shell on my machine (yes or no, or I don’t know): I think so, I use FileZilla to upload everything and can copy to the folder that holds my httpdocs folder

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Plesk for Windows on GoDaddy

Hi guys, so my issue is that I am hosting with GoDaddy, who suck, and try to make everything as hard as possible in setting this up so that you’ll give up and buy their crappy SSL.

My first beef is that they force you to have them issue a CRT request through them, but then they only let you put in one domain (such as just www). I’m going to be writing them to complain about that, as then you can’t secure it without the www. I’ve tried getting around that with a .htaccess and web.config file and by setting www.canadiandragon.com as my preferred, but I am not sure if it 100% works for everyone.

Anyway, besides the point is that I can’t install certbot with them as far as I can tell, I have to issue the CRT though them. So I’ve done that, and it seems to work, but when I go on SSL Shopper it gives me an error on the last link that says:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

So I compared my website to another website that uses Let’s Encrypt and the difference as far as I could tell was that my root cert common name was Let’s Encrypt Authority X1 and theirs was Let’s Encrypt Authority X3. I tried two different sites for issuing certs- zerossl.com and sslforfree.com and both times I am running into the same error. I’m not sure what to do otherwise to get this fixed, as I don’t think I can use certbot, even though plesk apparently supports it, I don’t think GoDaddy does and like I mentioned before, I have to have them issue the CRT request. Any help on how to fix this and get a proper root certificate would be appreciated!

schoen · March 13, 2019, 12:46am

Hi @sandrastaple ,

It’s true that your certificate chain isn’t quite right. It does include the obsolete Let’s Encrypt Authority X1 certificate instead of the current Let’s Encrypt Authority X3 certificate, and it’s also correct that it might not work on some browsers as a result. The most likely compatibility problems resulting from this would be on some mobile devices and on newly-installed machines that haven’t browsed the web very much yet. (For example, if you create a fresh browser profile and go to your site immediately with that profile, you might well see a certificate error in your browser.)

This kind of problem is somewhat unusual because Let’s Encrypt automatically sends the recommended certificate chain whenever it issues a certificate, so everyone should be able to get the right chain automatically whenever a new certificate is created. It seems like it should take extra effort to get an invalid chain this way. Can you tell us more specifically how you generated and installed this certificate? Did GoDaddy handle all of these steps for you?

schoen · March 13, 2019, 12:47am

For example, are you using ZeroSSL to generate the certificate? Using a CSR file created by GoDaddy?

sandrastaple · March 13, 2019, 1:04am

@schoen The first step with GoDaddy is to login to Plesk Admin, and then choose Secure Your Sites under the domain you are updating (Each domain that you are hosting has it’s own.

From there you go to Add SSL Certificate

Then on the next page fill out the appropriate info. This is where I want to place a complaint with GoDaddy (not that it will probably do anything) because you can only choose one domain to secure…either with or without www. (I tried separating the two with a comma but just got an error.)
Once you have filled that out you click request and they generate the CSR and the key.

Once you have the CSR that they generate, you can take that to a website to generate the certs.

I tried both services listed earlier - (I liked zerossl.com better.) and both resulted in the same error. I had to verify my csr using the acme challenge. That gave me my certificate file, which I had to break into two files for GoDaddy as they request the certificate and CA certificate separately.

Once that’s done the last step is to go into Hosting Settings and turn on SSL by choosing the SSL Certificates you’ve set up.

I also setup a .htaccess file and web.config to try and get around the annoying issue of them not providing a CSR for both www.canadiandragon.com and canadiandragon.com, but that’s a whole different issue.

Anyway it’s pretty frustrating…especially since I was pretty please with myself for figuring this all out on my own and getting it setup quite quickly, haha! Only to have it not quite work…bleh!

schoen · March 13, 2019, 1:06am

Do you still have a copy of that file? It seems like the second one of these is wrong somehow, but I'd like to see what ZeroSSL gave you.

schoen · March 13, 2019, 1:09am

It looks like it’s very close to working in any case, so I’m sure we can get it sorted out. But as you mentioned, GoDaddy doesn’t seem to be fond of people using externally-obtained certificates rather than buying them from GoDaddy. This might be a real inconvenience as long as you keep using GoDaddy’s hosting; as you may know, Let’s Encrypt certificates are only valid for 90 days, and so we encourage everyone to try to find a way to automate the renewal process, which doesn’t seem like it would be straightforward to do in this setup.

sandrastaple · March 13, 2019, 1:27am

Sure, here is the file, I just pasted the second part back in. It’s all just encrypted though…shoot it says I can’t attach as I’m a new user. I can just paste it below if you want!

sandrastaple · March 13, 2019, 1:41am

No GoDaddy is terrible for this- I’ll probably look at switching when my hosting is up in a year. I’m sure I will have to manually update my certs every 90 days with them. The reason I switched to GoDaddy in the first place was because I needed a cheap hosting company that allowed multiple domains to be hosted (at least 3) with unlimited bandwidth and space. Bandwidth in particular, as my website is an online gallery that everyone links to- Pinterest in particular is hotlinked to my website like crazy as I’ve had the domain for almost 20 years now and everyone pins my art. I also need the host to be fairly fast- the last provider I was with was quite slow. If you have any recommendations that would be great…Is Let’s Encrypt good for securing simple shopping carts? I was hoping to try setting up Prestashop down the road (just with PayPal) and I really doubt GoDaddy is very supportive of that either.

sandrastaple · March 13, 2019, 1:42am

Oh and also remember- I tried TWO different Let’s Encrypt certificate providers, and in both cases I still got the same error on SSLShopper.

schoen · March 13, 2019, 5:02am

Sure, please paste it here. Certificates are OK to post publicly (unlike private keys, which shouldn’t be shared).

sandrastaple · March 13, 2019, 4:32pm

@schoen Okay! Basically both websites issued a txt file (or .crt, same thing) where it had both certs inside. I broke it into two files, then uploaded them both at the same time.

This is what the text looks like:

schoen · March 13, 2019, 4:44pm

Interestingly, the second file (the CA or chain certificate) is correct, but it doesn’t match what’s being served by your hosting provider! Did you get any kind of error when you uploaded it? Could you try uploading it again?

sandrastaple · March 13, 2019, 5:08pm

@schoen I just tried redoing the entire process again to see if at any point it throws an error. It doesn’t- I created a new certificate as well just to see. Here is the new crt file I just got from ZeroSSL and switched to on GoDaddy:

jmorahan · March 13, 2019, 5:25pm

Again that is the correct certificate you're getting from ZeroSSL, and your site is indeed serving the end entity cert you just obtained, so it's not like the installation as a whole failed.

That should work, but maybe it's triggering some bug on GoDaddy's side? And maybe the alternative, uploading both as a single file in the Certificate field, might not trigger that bug? Might be worth a try...

sandrastaple · March 13, 2019, 5:30pm

@schoen I’m not uploading both in the certificate field though, I’m breaking it into two, so that the second ca cert is only in the second file.

schoen · March 13, 2019, 5:31pm

That seems to be what GoDaddy expects you to do, although you could also try @jmorahan’s suggestion to see if it makes any difference.

sandrastaple · March 13, 2019, 5:42pm

I just tried putting both certificates back into one file and uploading it just to the certificate, then I tried uploading the same file to both the certificate and ca certificate, but it’s still showing the same thing on SSL shopper, and now my ca Certificate shows both parts in it on GoDaddy. Could GoDaddy be someone doing something to change the version of the CA Cert it’s passing off? So frustrating! Arg and I have a year to go with them too.

schoen · March 13, 2019, 6:08pm

Yes, they could have a software bug that somehow hard-codes the X1 certificate, for example. Do you think you could ask their support about this? It seems to me that you're doing everything right here and GoDaddy is then doing something strange.

JuergenAuer · March 13, 2019, 6:31pm

Hi @sandrastaple

the problem is global. I am using Windows 2012, but:

I don't know how Windows handles the intermediate certificate.

My own ACME-client splits the intermediate and the own certificate (from Letsencrypt), creates a pfx file (only with the own certificate) and loads that into Machine\Webhosting.

That works - SSLLabs -> Grade A, no incomplete chain.

Perhaps it's because the intermediate certificate is in Webhosting. But I don't know if there is a configuration option.

jmorahan · March 13, 2019, 7:12pm

I don’t know anything about Windows hosting, but I remembered reading about an issue where an old intermediate got stuck in place and IIS was always serving it instead of the new one…

but that was from around the time when the X3 intermediate was introduced, which was … some time ago.

Topic		Replies	Views
How to get the SSL Certificate from Let's Encrypt with CSR.txt file to manually upload on GoDaddy shared web hosting (Plesk) Help	4	1584	February 23, 2022
Installing Let's Encrypt on a 1and1 hosted site Server	4	11136	April 10, 2018
Certbot "system" dropdown Godaddy Help	3	1118	June 30, 2018
Is it possible to use Lets Encrypt on Plesk without Certbot? Help	2	1096	August 31, 2017
NET::ERR_CERT_AUTHORITY_INVALID with plesk Help	5	1529	October 30, 2019

SSLShopper shows my Chain Cert as Let's Encrypt Authority X1 and Not Trusted in All Browsers

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

Related topics