Testing Approaches To Prove or Disprove - "SSL Certificate is not trusted" message


#1

Hi, I just installed your Let's Encrypt cert. HTTPS works, which is great, but I still have no green browser bar (https://screencast.com/t/VLDaxmZb3JE). When I run a scan via https://www.digicert.com/help/ it tells me:

SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

But looking at https://helloworld.letsencrypt.org/ the cert in the URL is displayed in green.

What's the difference? How can I fix this pls?


#2

I am assuming you do not have the root CA in your Cert Store as trusted. Check your trusted Root CA store and make sure it has “DST Root CA X3”. I am not sure what platform you are on, so I cannot explain how to check this.


#3

Thank you so much for the quick feedback @yrootberg

I am not technical at all (yet). Nevertheless I am using hosteurope. They have an interface where you can upload cert and key as well as uploading a “CA file”. I guess that's the missing part. Any idea where I can download the intermediary certificate file? I tried googling it and just found this: https://www.identrust.com/certificates/trustid/root-download-x3.html

Am I on the right path?


#4

Hi @edgeglobal,

You should not ask the same question on two different posts.

The intermediate certificate that you are looking for is here https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

Cheers,
sahsanu


#5

Apologies and thank you very much!


#6

I would also like to mention that whatever method you used to get the certificate probably should offer you some way to get the intermediate cert (which is most likely what the hosting provider refers to as the CA file). Although downloading it from Let’s Encrypt’s site will work fine, it should not be necessary.

This is a good thing to keep in mind for the long term. Some day Let’s Encrypt certificates may be issued under a different intermediate CA, so in the long term, like some years from now, you shouldn’t assume that the CA file will always be the Let’s Encrypt Authority X3 certificate that it currently is.


#7

Hi @edgeglobal

There have been some great suggestions.

When testing it’s important to understand the context of the test and why it might be wrong.

A) I suggest using an Online Scanner like SSLLabs.com
B) You can also use OpenSSL to confirm

There are usually two main reasons why a test might be failing:

Root Related Issues
Intermediates

I wrote a quick guide on how to use OpenSSL: Using OpenSSL with Mozilla Root CA Bundle to Avoid unable to get local issuer certificate Errors

You definitely want to use tools like SSLLabs or OpenSSL to double check your findings as it could be a browser or OS issue.

Andrei


Getting The Green Bar in Browsers - Whats Required (Updated: May 2017)
#8

Thank you very much.

I got the Let's Encrypt from domain provider checkdomain.de and installed key, cert and CA file on the Apache webserver of hosteurope.de

The domain is https://scheidungsinfo.at

However, it is still not secure.

Looking at https://www.digicert.com/help/ there is an issue with the “server certificate”

I am lost as to what the next step is…


#9

On https://www.whynopadlock.com/check.php I see that I have some unsecure links. I will have to fix them first.

THANK YOU ALL


#10

Hi @edgeglobal

You are not getting error messages, but you won’t get the green padlock until you fix the insecure contents.

Andrei

