Hi, I’m new to using lets encrypt and am trying to set it up on my Google App Engine project. I followed the instructions from this blog post, and I passed the challenge manually and uploaded my certificates to the App Engine project. Now when I try to visit my website using the HTTPS protocol, Safari is giving me a “This certificate was signed by an unknown authority” error, and chrome is also rejecting the certificate. It says the issuer is Let’s Encrypt Authority X3 which should be correct given the recent update. I made sure to copy fullchain.pem into the public key, so I don’t believe its a chain issue. Has anyone experienced this issue? Any help would be much appreciated.
you have to import the Let’s Encrypt Authority X3 cert into keychain access. Here is how :
-
Download the certificate file
-
Search “keychain access” in spotlight and open it
-
On the left of keychain access, there is a menu with your keychains. Click on the “system” keychain (under the “login” keychain)
-
Locate the certificate file that you downloaded in finder, then drag and drop it into the list of items in the keychain
Now, keychain access knows who sighed it and will tell safari that.
That will only affect inbland’s computer. Let’s Encrypt uses Identrust do it should work without importing anything into the keychain.
1 Like
I know, thats the problem.
Hi @Inbland! Can you share the name of your site so we can take a look?
I’d definitely recommend against following @melvyn2’s (well-intentioned) advice. That will make the site work on your computer but no one else’s, which will make it harder to see when you’ve fixed the problem.
@inbland, are you using the fullchain.pem ? if not, try using that instead of the other that you are using.
@melvyn2, yes I am using the fullchain.pem which includes two public keys.
@jsha, Hi! Sure, the name of my website is https://www.fosterhoff.com
Please let me know if you find out anything interesting 
This is an interesting case! I ran it through SSL Server Test at https://www.ssllabs.com/ssltest/analyze.html?d=www.fosterhoff.com&s=173.194.202.121&hideResults=on, which shows a T for not trusted. However, the certificate chain is correct. I also visited with Chrome, whose security panel just says “net::ERR_CERT_INVALID”. Not very informative.
Looking in more detail at SSL Server Test, I saw “Path #1: Not trusted (signature check failed)”. That suggested the certificate might be corrupt. To check, I ran:
openssl s_client -connect www.fosterhoff.com:443 -servername www.fosterhoff.com < /dev/null
And saved the cert shown. I parsed that with OpenSSL to get the serial number:
$ openssl x509 -text -in fosterhoff-invalid.pem | grep -A 1 Serial
Serial Number:
03:35:6b:26:bd:0b:aa:9b:54:5e:06:fb:ef:c3:b3:de:3c:88
I think fetched that serial from the Let’s Encrypt server and converted it from DER to PEM:
curl https://acme-v01.api.letsencrypt.org/acme/cert/`tr -d : <<<03:35:6b:26:bd:0b:aa:9b:54:5e:06:fb:ef:c3:b3:de:3c:88` | openssl x509 -inform der -outform pem > fosterhoff-good.pem
A diff between the two shows they are different:
$ diff fosterhoff-invalid.pem fosterhoff-good.pem
25d24
< ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
28c27,28
< MSwRlwdPrxmdWP9VQFyyTVqWaEXKShbZnQM3E6SpbaT01hkjNkUG2vZ0Go8=
---
> MSwRlwdPrxmdWP9VQFyyTVqWaEXKShbZnQM3E6SpbaT01hkjNkUG2vZ0Go99vShO
> BC/xJyQetCRILOL35NThAVs5jzvouSKxom4DtB39Sj5Es9n9sCwOyzzbEOA=
I think most likely you edited your cert.pem or fullchain.pem accidentally and mixed up some of the lines. I would recommend running the commands above to get fosterhoff-good.pem, then replacing (a) your cert.pem, and (b) the first entry in your fullchain.pem.
3 Likes
Good work! It turns out that copy and paste in the google app engine console introduced a couple of extra lines in the certificates, so you are absolutely correct. I’ve just generated new certificates and uploaded them. It looks like I have some other issues to work out now which I should get started on. Thanks for all of your help!
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.