The certificate is not trusted because it is self-signed

arashout · December 12, 2020, 10:21pm

My domain is:
fitpets.app

I ran this command:
Tried to connect to fitpets.app from browser

It produced this output:

fitpets.app uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

My web server is (include version):
nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:
google domains

I can login to a root shell on my machine (yes or no, or I don't know):
Yes, I use AWS EC2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

Google Domains detects my certificates and so do other certificate checking sites.
Apparently *.app sites have some extra protection from Google HSTS, but I don't really know how to fix the error.
I thought using Let's Encrypt to generate a certificate would fix it but maybe I need to also register the certificate somehow?

Thanks for any help!

sahsanu · December 12, 2020, 10:44pm

Hello @arashout,

I see no problem, well, there is a nginx bad gateway error but nginx is serving the right (and valid) certificate for your domain.

Maybe it is a browser's cache issue.

Cheers,
sahsanu

rg305 · December 12, 2020, 10:44pm

Which port are you getting that error from?
Also, I don't see a "www" DNS A record - was that on purpose?

arashout · December 12, 2020, 10:45pm

omg you are right!
It's working now!

I used incognito and no longer getting the cert error. Maybe it just took some time.

What do I need a "www" DNS A record for?

I only have an A Record for fitpets.app to my ec2 ip

Osiris · December 12, 2020, 10:58pm

Some people will type www in front of any URL, just because they're not used to URLs without it.

griffin · December 13, 2020, 1:02am

Imagine how much time and effort could be saved if the useless www subdomain custom were eliminated.

Consider:
http://apex -> https://apex -> https://www.apex

Eliminating the www subdomain eliminates 100% of redirects for sites using HSTS and 50% of redirects for sites not using HSTS. No need for a www serveralias or CNAME/A record. Never need to remember to include www in certificate. Greatly simplifies address canonicalization.

rg305 · December 13, 2020, 3:43am

too late it is already an ingrained custom (for too many)

system · January 12, 2021, 3:42am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.