The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate

I'm having issues from various sources (mainly non-web-browser sources, i.e. Axios, curl, etc.) complaining about my SSL chain.

In Nginx, I think I'm providing my chain via:

ssl_certificate /etc/nginx/ssl/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/privkey.pem;

The only thing which is "different" from how I normally set things up is that I'm going through a load balancer, but I've uploaded the fullchain contents and privkey contents to the load balancer, so I "assumed" that'd be OK.

I do have the option to specify the "chain" against my LB:


When I filled it in, I just entered the fullchain.pem contents into the certificate field and left the chain field empty assuming that if the full chain was part of the certificate, it'd be OK. I don't know if this is the issue or not.

I would really appreciate any advice as this is certainly not my area of expertise.

My domain is: booksprout.co

I ran this command: SSL Checker

It produced this output:

The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

My web server is (include version):
nginx:1.18.0

The operating system my web server runs on is (include version):
Ubuntu Linux 22.04.5

My hosting provider, if applicable, is: OVH

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 2.9.0

Ok, I worked this out.

It turns out my fullchain.pem needed to be split between the certificate and chain fields in my load balancer. I thought it'd send it all and just work but clearly not.

1 Like

Most modern software can handle this, yes. However, there's some older software out there that cannot accept certificate and chain in the same file. This may be the case for your load balancer interface.

For this reason, certbot also offers the cert.pem and chain.pem files in addition to fullchain.pem. You could try submitting those to your interface (the first one as certificate, the latter as chain) and see if that solves it.

4 Likes

Yeah, this turned out to be the issue. I just split the contents of the fullchain.pem between the fields and it fixed it.

Pleased I understand the issue now.

1 Like

If you have cert.pem and chain.pem, you may avoid having to split the fullchain.pem file.

3 Likes

OP stated they used Certbot, so indeed, Certbot also provides a cert.pem and chain.pem, which negates the need of splitting fullchain.pem.

1 Like

The only reason I said "split" is because my LB wants me to paste the values in, not upload the certs. So I just copy / pasted the top section of fullchain.pem into the cert field in my LB and the bottom section into the chain section of my LB. Not splitting the .pem file as such :slight_smile: Hope that clears things up.

1 Like

Why not just copy the contents of the [already] separate files?

1 Like

Because I had the fullchain.pem file in my editor in front of me :slight_smile:

1 Like

Is there any way to automate any of that?

2 Likes

Not that I can see. Something I'll need to handle manually every 3 months :grimacing:

Edit: Actually, they do have an API from what I can see but not something I'll be messing with just yet :roll_eyes:

1 Like

Don't wait until the last day. It won't leave you any time to correct problems before your cert expires. For automated renewals LE recommends renewing with 30 days remaining on a 90-day cert. If you are diligent, maybe 7-14 days before is enough for manual renewal. In my experience that will quickly become tedious :slight_smile:

2 Likes

Yes, of course - thanks.
I've already got a flow in place for this. I renew a week before it's due as that's always been enough time :slight_smile:

2 Likes

Explicitly noting what others were talking about above: fullchain.pem is just cert.pem concatenated with chain.pem.

3 Likes
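As an added example (not code from this thread, from certbot, or from any load balancer vendor), here is a small POSIX shell helper that does the split described above (the first PEM block of fullchain.pem is cert.pem, everything after it is chain.pem) and checks that the leaf verifies against the chain it shipped with, which is the same check strict clients like curl and Axios perform. It is also the piece you would wire into a certbot deploy hook to automate the three-monthly step asked about earlier; the file paths and the upload step are assumptions.

```shell
#!/bin/sh
# Added example: split fullchain.pem into leaf + chain for load balancers whose
# UI/API takes "certificate" and "chain" as separate fields. Paths are assumed.
set -eu

# split_fullchain FULLCHAIN CERT_OUT CHAIN_OUT
# The first "BEGIN CERTIFICATE" block is the leaf (cert.pem); every block
# after it is the intermediate chain (chain.pem). Blocks are copied verbatim,
# so cert.pem + chain.pem concatenated equals the original fullchain.pem.
split_fullchain() {
  fullchain=$1; cert_out=$2; chain_out=$3
  awk -v cert="$cert_out" -v chain="$chain_out" '
    /-----BEGIN CERTIFICATE-----/ { n++ }
    n == 1 { print > cert; next }
    n >= 2 { print > chain }
  ' "$fullchain"
  # Fail if there was no intermediate at all: the LB would serve a bare leaf,
  # which is exactly the "not trusted in all web browsers" symptom.
  [ -s "$cert_out" ] && [ -s "$chain_out" ]
}

# count_pem_blocks FILE -> number of CERTIFICATE blocks in FILE
count_pem_blocks() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# verify_split CERT CHAIN: confirm the leaf chains up to a system trust root
# via the intermediates in CHAIN (requires openssl; not run in the test).
verify_split() {
  openssl verify -untrusted "$2" "$1"
}

# Typical use as a certbot deploy hook; RENEWED_LINEAGE is set by certbot,
# the upload line is a placeholder for your provider's API call:
#   split_fullchain "$RENEWED_LINEAGE/fullchain.pem" /tmp/cert.pem /tmp/chain.pem
#   verify_split /tmp/cert.pem /tmp/chain.pem
#   <upload /tmp/cert.pem as "certificate" and /tmp/chain.pem as "chain">
```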

Exactly. And given that it only contained 2 entries (Mysite.com and then the LetsEncrypt one), it was a pretty simple endeavor :stuck_out_tongue:

1 Like