The certificate is not trusted because the issuer certificate is unknown


#1

My website works in IE and Chrome. I am not trusted in Firefox. Also tried on Safari on an Apple, it did not work. Did not work on my Android Phone either…

My domain is: budgetdreamer.com

I ran this command:
https://www.ssllabs.com/ssltest/analyze.html?d=www.budgetdreamer.com

It produced this output:
see output from website above

**** I do notice >>> This site works only in browsers with SNI support.

My web server is (include version):

Azure

The operating system my web server runs on is (include version):

I am not sure, what azure is using

My hosting provider, if applicable, is:

Azure

I can login to a root shell on my machine (yes or no, or I don’t know):

not sure

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
Not sure,


#2

Not a problem.

Probably because you are sending the Let’s Encrypt Authority X3 intermediate signed by ISRG Root X1. This intermediate does not have great compatibility with older/non-updated devices. Did you manually set up the certificate chain?

At the moment, you should be sending the Let’s Encrypt Authority X3 intermediate signed by DST Root CA X3. It has the greatest device compatibility.

This is the cross-signed X3 intermediate: https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt


#3

I don’t know what all that means, but I will do some research so I can understand what you are saying. I used this video to install it https://www.youtube.com/watch?v=2PKs8qLwMs0 and this extension
https://github.com/sjkp/letsencrypt-siteextension

I will re-trace my steps and see what went wrong.


#4

Hi,

This is really not an issue because your IP (the IP you host your website on) is not dedicated to only your website, and SNI (Server Name Indication, definition from Wikipedia) just means this / helps.

That’s weird, because the ISRG Root X1 should be trusted in all platforms by now…

Also, browsers should be able to use the extra certificate reference (in the certificate) to draw another path to the more widely trusted (in older devices) certificate.

Could you please try to update your Firefox… (if it’s not the latest version)? (And if the update does not work, please tell us the old and new version.)
Please also tell us your iPhone / Android OS version…

BTW: There are lots of public extensions in Azure extension that support requesting/installing a letsencrypt certificate to your Azure app service. See the following tutorial: https://www.hanselman.com/blog/SecuringAnAzureAppServiceWebsiteUnderSSLInMinutesWithLetsEncrypt.aspx

Thank you


#5

It’s also weird that it is using the ISRG intermediate at all.

I checked the linked Azure Site Extension, and it should be taking the issuer from the CA (https://acme-v01.api.letsencrypt.org/acme/issuer-cert). And that issuer, as of today, is still the Identrust/DST one:

Issuer: O = Digital Signature Trust Co., CN = DST Root CA X3

If I were you, I’d probably report this weirdness to the site extension author. I can’t see any way (from the video) that this could happen by accident.
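
An added example, not part of the thread and not the site extension's code: one way to check which chain a server is actually sending, by parsing the `Certificate chain` section printed by `openssl s_client -connect HOST:443 -servername HOST -showcerts`. The sample output is constructed from the names mentioned in the posts, and the function names are hypothetical.

```python
import re

# Constructed sample of the "Certificate chain" section of s_client output.
# Certificate names come from the thread; the output itself is made up.
SAMPLE_ISRG = """\
Certificate chain
 0 s:CN = budgetdreamer.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""
SAMPLE_DST = SAMPLE_ISRG.replace(
    "C = US, O = Internet Security Research Group, CN = ISRG Root X1",
    "O = Digital Signature Trust Co., CN = DST Root CA X3")

def _cn(dn):
    # Accept both "CN = x" (OpenSSL 1.1+) and "/CN=x" (1.0.x) spellings.
    m = re.search(r"CN\s*=\s*([^,/\n]+)", dn)
    return m.group(1).strip() if m else dn.strip()

def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        s = re.match(r"\s*\d+\s+s:(.*)", line)
        i = re.match(r"\s+i:(.*)", line)
        if s:
            subject = _cn(s.group(1))
        elif i and subject is not None:
            chain.append((subject, _cn(i.group(1))))
            subject = None
    return chain

def audit_chain(text):
    """Report which issuer the served chain ends at, plus structural problems."""
    chain = parse_chain(text)
    problems = []
    if len(chain) < 2:
        problems.append("no intermediate sent; clients must already know the issuer")
    # Each certificate's issuer should be the subject of the next one sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"broken link: {issuer!r} is not followed by its certificate")
    chains_to = chain[-1][1] if chain else None
    return {"chains_to": chains_to, "depth": len(chain), "problems": problems}
```

`audit_chain(SAMPLE_ISRG)["chains_to"]` names the issuer a client must already trust for the served chain to validate, which is the difference between the two X3 intermediates discussed in this thread.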


#6

I think the Author coded it in this way so he does not need to change code when the switch came out…


#7

Ok, I updated my Firefox to 47.0.2 and I got this, see below, but the update prompted me to install yet another update, so I just downloaded it and installed it and got to Firefox Quantum 64 (64-bit) and it works now. I don’t have the Safari version now (at another location)… I will look into it. Let me try on an Android device… and I will get back to you… I really appreciate your help, and responding so soon…

https://www.budgetdreamer.com/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:



#8

I’m not certain, but the problem may lie with this:


#9

FYI: I did alert the author of the extension. He has some thoughts and concerns in this thread: https://github.com/sjkp/letsencrypt-siteextension/issues/281