TLS Certificate is not trusted - acme.sh - nginx - wildcard

Checking ‘ddd.schoolonapp.com’ at https://www.digicert.com/help/ shows
“The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.”

Below is Nginx config

Screen Shot 2020-04-27 at 17.15.001028×320 28.1 KB

What I am doing wrong?

My domain is:
*.schoolonapp.com

I ran this command:
export GD_Key=“dLDUQmFcgNfS_JY58**************”
export GD_Secret=“9EzZHz1ZCDs***********”
acme.sh --issue --dns dns_gd -d schoolonapp.com -d *.schoolonapp.com

It produced this output:

[Mon Jul 1 11:27:22 UTC 2019] Your cert is in /root/.acme.sh/schoolonapp.com/schoolonapp.com.cer
[Mon Jul 1 11:27:22 UTC 2019] Your cert key is in /root/.acme.sh/schoolonapp.com/schoolonapp.com.key
[Mon Jul 1 11:27:22 UTC 2019] The intermediate CA cert is in /root/.acme.sh/schoolonapp.com/ca.cer
[Mon Jul 1 11:27:22 UTC 2019] And the full chain certs is there: /root/.acme.sh/schoolonapp.com/fullchain.cer

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
ubuntu 18.04

My hosting provider, if applicable, is:
Digital ocean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

This seems backwards:

As confirmed by SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=ddd.schoolonapp.com
There is a chain issue, you are not providing the intermediate cert.

What i am missing? how to provide intermediate cert?

I’m also not 100% certain that you can use this cert in this way:

You probably need to provide the cert that validates that one instead:

[DST Root CA X3]

OR

After some reading…
It might be the chain.pem file.

Screen Shot 2020-04-27 at 16.20.32986×121 11.1 KB

I have these files in acme.sh directory, what should be added to Nginx config to solve the issue?

Rem out the first line and use the second line instead:

Change the ca.cer to fullchain.cer

there is no chain.cer file as shown in directory.

But there is a fullchain.cer…

i tried this also, but no success

You replied before I could confirm and edit that post - use fullchain.cer

Let me try this. thank you for immediate help

make the two changes I asked and restart nginx
then check the site with SSL Labs

According to https://nginx.org/en/docs/http/configuring_https_servers.html, ssl_certificate should be set to fullchain.cer, and ssl_trusted_certificate wouldn’t be used at all. Why are we just tossing out wild guesses?

I'm not totally in depth in this current problem, but ssl_trusted_certificate is used for OCSP stapling.

That goes directly at:

Which is probably "following an outdated guide" and "not really too sure about what I'm doing"

When used correctly - which implies knowing what you are doing.

Finally this worked, can you please verify it at your end.

ssl on;
ssl_certificate /root/.acme.sh/schoolonapp.com/fullchain.cer;
ssl_certificate_key /root/.acme.sh/schoolonapp.com/schoolonapp.com.key;
ssl_trusted_certificate /root/.acme.sh/schoolonapp.com/fullchain.cer;
ssl_session_timeout 5m;

    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
    ssl_prefer_server_ciphers on;

I gave you those instruction too:

Do you not know where SSL Labs is?
[Here is a clue: just add dot com to that name]
Have you never used it?
[rhetorical]