TLS Certificate is not trusted - - nginx - wildcard

Checking ‘’ at shows
“The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.”

Below is the Nginx config

What am I doing wrong?

My domain is:

I ran this command:
export GD_Key="dLDUQmFcgNfS_JY58**************"
export GD_Secret="9EzZHz1ZCDs***********" --issue --dns dns_gd -d -d *

It produced this output:

[Mon Jul 1 11:27:22 UTC 2019] Your cert is in /root/
[Mon Jul 1 11:27:22 UTC 2019] Your cert key is in /root/
[Mon Jul 1 11:27:22 UTC 2019] The intermediate CA cert is in /root/
[Mon Jul 1 11:27:22 UTC 2019] And the full chain certs is there: /root/

My web server is (include version):

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
Digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

This seems backwards:

As confirmed by SSL Labs:
There is a chain issue, you are not providing the intermediate cert.

What am I missing? How do I provide the intermediate cert?

I’m also not 100% certain that you can use this cert in this way:

You probably need to provide the cert that validates that one instead:
[DST Root CA X3]


After some reading…
It might be the chain.pem file.

I have these files in the directory. What should be added to the Nginx config to solve the issue?

Rem out the first line and use the second line instead:

Change the ca.cer to fullchain.cer

There is no chain.cer file as shown in the directory.

But there is a fullchain.cer

I tried this also, but no success

You replied before I could confirm and edit that post - use fullchain.cer

Let me try this. Thank you for the immediate help 🙂

Make the two changes I asked for and restart nginx,
then check the site with SSL Labs.

According to, ssl_certificate should be set to fullchain.cer, and ssl_trusted_certificate wouldn’t be used at all. Why are we just tossing out wild guesses?

I’m not totally in depth in this current problem, but ssl_trusted_certificate is used for OCSP stapling.

That goes directly at:

Which is probably “following an outdated guide” and “not really too sure about what I’m doing”

When used correctly - which implies knowing what you are doing.

Finally this worked. Can you please verify it at your end?

    ssl on;
    ssl_certificate /root/;
    ssl_certificate_key /root/;
    ssl_trusted_certificate /root/;
    ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

I gave you those instructions too:

Do you not know where SSL Labs is?
[Here is a clue: just add dot com to that name]
Have you never used it?
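
The chain problem diagnosed in this thread can be checked before reloading nginx. The following is an added example, not part of the original posts and not code from nginx or the ACME client: it reads the file named by `ssl_certificate` and reports when it holds fewer than two PEM certificates, which is the condition SSL Labs flagged as a chain issue. The function names, the `leaf.cer` file name and the temporary paths are assumptions, and the PEM bodies are constructed placeholders rather than real certificates.

```python
import re
import tempfile
from pathlib import Path

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def directives(conf_text):
    """Map directive name -> args for simple one-line nginx directives."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].strip().rstrip(";").split()
        if parts:
            found[parts[0]] = parts[1:]
    return found


def count_certs(path):
    """Number of PEM certificate blocks in the file nginx would serve."""
    return len(PEM_CERT.findall(Path(path).read_text()))


def lint_chain(conf_text):
    """Return findings when the served file lacks an intermediate."""
    d = directives(conf_text)
    if not d.get("ssl_certificate"):
        return ["no ssl_certificate directive found"]
    served, findings = d["ssl_certificate"][0], []
    n = count_certs(served)
    if n < 2:
        findings.append(f"{served}: {n} certificate(s), no intermediate is sent")
        if "ssl_trusted_certificate" in d:
            findings.append("ssl_trusted_certificate is not sent to clients")
    return findings


def demo():
    """Lint two constructed configs; PEM bodies are placeholders, not certs."""
    fake = "-----BEGIN CERTIFICATE-----\nQ09O\n-----END CERTIFICATE-----\n"
    tmp = Path(tempfile.mkdtemp())
    (tmp / "leaf.cer").write_text(fake)           # hypothetical leaf-only file
    (tmp / "ca.cer").write_text(fake)             # intermediate only
    (tmp / "fullchain.cer").write_text(fake * 2)  # leaf + intermediate
    trusted = f"ssl_trusted_certificate {tmp}/ca.cer;\n"
    before = f"ssl_certificate {tmp}/leaf.cer;\n" + trusted
    after = f"ssl_certificate {tmp}/fullchain.cer;\n" + trusted
    return lint_chain(before), lint_chain(after)

if __name__ == "__main__":
    print(demo())
```

Counting PEM blocks only shows that more than one certificate is present; it does not verify that the second one actually issued the first, so an external check such as SSL Labs is still worth running after the reload.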