The certificate is not trusted because it is self-signed

arashout · December 12, 2020, 10:20pm

My domain is:
fitpets.app

I ran this command:
Tried to connect to fitpets.app from browser

It produced this output:

fitpets.app uses an invalid security certificate.

The certificate is not trusted because it is self-signed.

Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

My web server is (include version):
nginx version: nginx/1.18.0

The operating system my web server runs on is (include version):
Ubuntu 20

My hosting provider, if applicable, is:
google domains

I can login to a root shell on my machine (yes or no, or I don't know):
Yes, I use AWS EC2

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.10.1

Google Domains detects my certificates and so do other certificate checking sites.
Apparently *.app sites have some extra protection from Google HSTS, but I don't really know how to fix the error.
I thought using Let's Encrypt to generate a certificate would fix it but maybe I need to also register the certificate somehow?

Thanks for any help!

sahsanu · December 12, 2020, 10:30pm

Hello @arashout,

I see no problem, well, there is a nginx bad gateway error but nginx is serving the right (and valid) certificate for your domain.

Maybe it is a browser's cache issue.

Cheers,
sahsanu

rg305 · December 12, 2020, 10:39pm

Which port are you getting that error from?
Also, I don't see a "www" DNS A record - was that on purpose?

arashout · December 12, 2020, 10:44pm

omg you are right!
It's working now!

I used incognito and no longer getting the cert error. Maybe it just took some time.

What do I need a "www" DNS A record for?

I only have an A Record for fitpets.app to my ec2 ip

Osiris · December 12, 2020, 10:58pm

Some people will type www in front of any URL, just because they're not used to URLs without it.

griffin · December 13, 2020, 1:02am

Imagine how much time and effort could be saved if the useless www subdomain custom were eliminated.

Consider:
http://apex -> https://apex -> https://www.apex

Eliminating the www subdomain eliminates 100% of redirects for sites using HSTS and 50% of redirects for sites not using HSTS. No need for a www serveralias or CNAME/A record. Never need to remember to include www in certificate. Greatly simplifies address canonicalization.

rg305 · December 13, 2020, 3:42am

too late it is already an ingrained custom (for too many)

system · January 12, 2021, 3:42am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Firefox does not trust this site because it uses a certificate that is not valid Help	10	5759	August 30, 2019
Getting "self signed certificate" error when I am not using a self-signed cert Help	7	3222	May 7, 2019
Certificate not valid / trusted Help	14	8209	September 11, 2018
Browser is complaining that my certificate is invalid, how to fix this? Help	13	794	March 22, 2022
Certificates are not trusted in chrome	21	10079	December 11, 2015

The certificate is not trusted because it is self-signed

Related topics