I've been using certbot and letsencrypt to add SSL to a friend's website for the last couple of years. I've been using DNS challenges because their hosting provider does not allow ssh access.
It was working fine until a short time ago when I started to see this message: TLS Certificate is not trusted
The domains are onewave.ie and www.onewave.ie
It works on Chrome because it caches certs, but iPhone users are blocked from viewing the site.
I'm wondering if this is because there are two TXT records for www.onewave.ie? One is my record for the DNS challenge and the other must have come from the hosting provider. I can't remove the extra record as I don't have that kind of access.
This shows the records: Dig (DNS lookup)
I used https://www.digicert.com/help to verify the certs aren't trusted as I don't have an iPhone to test with and it shows that the certs are not trusted.
This is the command I ran to generate the certs, FYI this worked fine on my other domains which I renewed only a couple of weeks ago, but those are on my VPS and don't require DNS challenges.
certbot -d onewave.ie -d www.onewave.ie --manual --preferred-challenges dns certonly
The issue probably is that only the end-leaf certificate is sent by the server:
 0 s:CN = www.onewave.ie
   i:C = US, O = Let's Encrypt, CN = R3
It should also send the intermediate certificate R3.
Depending on how you've installed the certificate at the hosting provider, you either need to replace it with fullchain.pem, or keep using cert.pem and also use chain.pem in the appropriate place in the hosting provider's configuration panel.
Thanks for the reply. Unfortunately I only have the option to upload a cert and a private key. I've been using fullchain.pem and privkey.pem. I've also tried using cert.pem in place of fullchain.pem. There's an additional option to upload a CA cert and I've tried that but also to no avail.
I find this strange because until recently this was all working smoothly.
What did you try uploading there? The combination of cert.pem in the certificate upload place and chain.pem in the CA cert upload place could (should) do the trick.
If nothing works, please contact your hosting provider for assistance.
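The two replies above both come down to the same check: does the upload (and the server) carry the intermediate as well as the leaf? This is an added helper script, not something posted in the thread; it assumes certbot's usual output files (cert.pem, chain.pem, fullchain.pem) and an installed openssl CLI, and uses onewave.ie only as the host name from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes certbot's file layout
# (cert.pem, chain.pem, fullchain.pem) and that the openssl CLI is installed.
set -eu

# Count the PEM certificate blocks in a file. For a Let's Encrypt certificate,
# fullchain.pem has at least 2 (leaf + intermediate); cert.pem has exactly 1.
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# Rebuild what fullchain.pem should contain from the two separate files, so the
# two-slot upload (certificate + CA cert) can be compared with the single-file form.
build_fullchain() {
    cat "$1" "$2"
}

# Offline check that the intermediate in chain.pem really issued the leaf in cert.pem
# (openssl verify against the system trust store, using chain.pem as the untrusted link).
verify_leaf_against_chain() {
    openssl verify -untrusted "$2" "$1"
}

# Live check: count the certificates the server presents. A result of 1 means the
# server sends the leaf alone, which is what the "0 s:" / "i:R3" output in the thread
# shows, and clients that do not fetch intermediates will report it as untrusted.
served_chain_depth() {
    printf '' | openssl s_client -connect "$1:443" -servername "$1" -showcerts 2>/dev/null \
        | grep -c '^ *[0-9][0-9]* s:' || true
}

# Run the live check only when CHECK_HOST is set, e.g. CHECK_HOST=onewave.ie sh check.sh
if [ -n "${CHECK_HOST:-}" ]; then
    depth=$(served_chain_depth "$CHECK_HOST")
    if [ "$depth" -le 1 ]; then
        echo "$CHECK_HOST: only $depth certificate served; intermediate (R3) is missing"
    else
        echo "$CHECK_HOST: $depth certificates served; chain looks complete"
    fi
fi
```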
I tried that just now, but no change. I'll open a ticket with the hosting provider. Thanks for the suggestions.