I've been using certbot and Let's Encrypt to add SSL to a friend's website for the last couple of years. I've been using DNS challenges because their hosting provider does not allow ssh access.
It was working fine until a short time ago when I started to see this message: TLS Certificate is not trusted
The domains are onewave.ie and www.onewave.ie
It works on Chrome because it caches certs, but iPhone users are blocked from viewing the site.
I'm wondering if this is because there are two TXT records for www.onewave.ie? One is my record for the DNS challenge and the other must have come from the hosting provider. I can't remove the extra record as I don't have that kind of access.
I used https://www.digicert.com/help to verify the certs aren't trusted as I don't have an iPhone to test with and it shows that the certs are not trusted.
This is the command I ran to generate the certs, FYI this worked fine on my other domains which I renewed only a couple of weeks ago, but those are on my VPS and don't require DNS challenges.
certbot -d onewave.ie -d www.onewave.ie --manual --preferred-challenges dns certonly
It should also send the intermediate certificate R3.
Depending on how you've installed the certificate at the hosting provider, you either need to replace cert.pem by fullchain.pem, or keep using cert.pem and also use chain.pem in the appropriate place in the hosting provider's configuration panel.
Thanks for the reply. Unfortunately I only have the option to upload a cert and a private key. I've been using fullchain.pem and privkey.pem. I've also tried using cert.pem in place of fullchain.pem. There's an additional option to upload a CA cert and I've tried that but also to no avail.
I find this strange because until recently this was all working smoothly.
What did you try uploading there? The combination cert.pem in the certificate upload place and chain.pem in the CA cert upload place could (should) do the trick.
If nothing works, please contact your hosting provider for assistance.