TLS Certificate is not trusted - acme.sh - nginx - wildcard

Checking ‘ddd.schoolonapp.com’ at https://www.digicert.com/help/ shows
“The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.”

Below is the Nginx config

What am I doing wrong?

My domain is:
*.schoolonapp.com

I ran this command:
export GD_Key="dLDUQmFcgNfS_JY58**************"
export GD_Secret="9EzZHz1ZCDs***********"
acme.sh --issue --dns dns_gd -d schoolonapp.com -d '*.schoolonapp.com'

It produced this output:

[Mon Jul 1 11:27:22 UTC 2019] Your cert is in /root/.acme.sh/schoolonapp.com/schoolonapp.com.cer
[Mon Jul 1 11:27:22 UTC 2019] Your cert key is in /root/.acme.sh/schoolonapp.com/schoolonapp.com.key
[Mon Jul 1 11:27:22 UTC 2019] The intermediate CA cert is in /root/.acme.sh/schoolonapp.com/ca.cer
[Mon Jul 1 11:27:22 UTC 2019] And the full chain certs is there: /root/.acme.sh/schoolonapp.com/fullchain.cer

My web server is (include version):
Nginx

The operating system my web server runs on is (include version):
Ubuntu 18.04

My hosting provider, if applicable, is:
DigitalOcean

I can login to a root shell on my machine (yes or no, or I don’t know):
yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

This seems backwards:

As confirmed by SSL Labs: https://www.ssllabs.com/ssltest/analyze.html?d=ddd.schoolonapp.com
There is a chain issue; you are not providing the intermediate cert.

What am I missing? How do I provide the intermediate cert?

I’m also not 100% certain that you can use this cert in this way:

You probably need to provide the cert that validates that one instead:
[screenshot: DST Root CA X3]

OR

After some reading…
It might be the chain.pem file.

I have these files in acme.sh directory, what should be added to Nginx config to solve the issue?

Rem out the first line and use the second line instead:

Change the ca.cer to fullchain.cer

There is no chain.cer file, as shown in the directory.

But there is a fullchain.cer


I tried this also, but no success.

You replied before I could confirm and edit that post. Use fullchain.cer.


Let me try this. Thank you for the immediate help 🙂

Make the two changes I asked for and restart nginx,
then check the site with SSL Labs.

According to https://nginx.org/en/docs/http/configuring_https_servers.html, ssl_certificate should be set to fullchain.cer, and ssl_trusted_certificate wouldn’t be used at all. Why are we just tossing out wild guesses?

I’m not totally in depth in this current problem, but ssl_trusted_certificate is used for OCSP stapling.

That goes directly at:

Which is probably “following an outdated guide” and “not really too sure about what I’m doing”

When used correctly - which implies knowing what you are doing.

Finally, this worked. Can you please verify it at your end?

    ssl on;                                    # obsolete since nginx 1.15.0; "listen 443 ssl;" is the current form
    ssl_certificate /root/.acme.sh/schoolonapp.com/fullchain.cer;          # leaf + intermediate, what clients need
    ssl_certificate_key /root/.acme.sh/schoolonapp.com/schoolonapp.com.key;
    ssl_trusted_certificate /root/.acme.sh/schoolonapp.com/fullchain.cer;  # only consulted for OCSP stapling
    ssl_session_timeout 5m;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;       # SSLv3 removed: broken (POODLE) and disabled in modern OpenSSL builds
    ssl_ciphers "HIGH:!aNULL:!MD5:!3DES";      # a cipher string is one colon-separated list; "... or ..." is not valid syntax
    ssl_prefer_server_ciphers on;
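The whole thread turns on one point: a browser only trusts the root, so the server has to send the intermediate along with the leaf, which is why `ssl_certificate` must point at fullchain.cer rather than schoolonapp.com.cer. The script below is an added example, not code from the thread, acme.sh or nginx. It builds a throwaway root, intermediate and leaf with the `openssl` CLI (assumed to be installed), then checks each candidate `ssl_certificate` file the way a client that trusts only the root would. Every name in it (Constructed Root CA, ddd.example.test, the file names) is made up for the demonstration.

```shell
#!/bin/sh
# Added example: reproduce the "certificate is not signed by a trusted authority"
# symptom locally by verifying a leaf against a root with and without the
# intermediate. Requires the openssl CLI. All names below are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
subjectAltName = DNS:ddd.example.test
EOF

# Generate a P-256 private key into the file named by $1.
newkey() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null; }

# Build root.cer (the trust anchor), int.cer (what acme.sh calls ca.cer),
# leaf.cer (what acme.sh calls <domain>.cer) and fullchain.cer (leaf then intermediate).
# Runs in a subshell so the cd does not leak into the caller.
build_chain() (
  cd "$WORK"
  newkey root.key
  openssl req -new -x509 -config pki.cnf -extensions v3_ca -key root.key \
    -subj "/CN=Constructed Root CA" -days 2 -sha256 -out root.cer 2>/dev/null
  newkey int.key
  openssl req -new -config pki.cnf -key int.key \
    -subj "/CN=Constructed Intermediate CA" -out int.csr 2>/dev/null
  openssl x509 -req -in int.csr -CA root.cer -CAkey root.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_ca -days 2 -sha256 -out int.cer 2>/dev/null
  newkey leaf.key
  openssl req -new -config pki.cnf -key leaf.key \
    -subj "/CN=ddd.example.test" -out leaf.csr 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.cer -CAkey int.key -CAcreateserial \
    -extfile pki.cnf -extensions v3_leaf -days 2 -sha256 -out leaf.cer 2>/dev/null
  cat leaf.cer int.cer > fullchain.cer
)

# Number of certificates in a file, i.e. how many nginx would send from it.
cert_count() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Emulate a client that trusts only root.cer: the file in $1 is what the server
# served (the leaf first, plus whatever extra certs it included). Returns 0 only
# when a path from the leaf to the root can be built from that material.
served_chain_verifies() {
  openssl verify -CAfile "$WORK/root.cer" -untrusted "$1" "$WORK/leaf.cer" >/dev/null 2>&1
}

# Human-readable report for one candidate ssl_certificate file.
report() {
  printf '%s: %s cert(s) served -> ' "$(basename "$1")" "$(cert_count "$1")"
  if served_chain_verifies "$1"; then
    echo "chain OK"
  else
    echo "NOT trusted:"
    openssl verify -CAfile "$WORK/root.cer" -untrusted "$1" "$WORK/leaf.cer" 2>&1 | sed 's/^/    /'
  fi
}

build_chain
report "$WORK/leaf.cer"        # bare <domain>.cer: "unable to get local issuer certificate"
report "$WORK/fullchain.cer"   # leaf + intermediate: verifies against the root store
```

The same check against a live server is `openssl s_client -connect host:443 -servername host -showcerts`, counting how many certificates come back; one certificate means the server is sending the bare leaf, which is exactly what SSL Labs reports as a chain issue.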

I gave you those instructions too:

Do you not know where SSL Labs is?
[Here is a clue: just add dot com to that name]
Have you never used it?
[rhetorical]