TLS Certificate is not trusted

My domain is: goodpolyamory.com

I ran this command: I use Dehydrated for generating certs automatically

It produced this output: The fullchain / privkey files, as always

My web server is (include version): Nginx 1.16.1

The operating system my web server runs on is (include version): Ubuntu 16

My hosting provider, if applicable, is: Self-hosted

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Whatever Dehydrated uses!

So I've got a bunch of domains, and all of the certs appear to be working correctly! I've generated a cert for goodpolyamory.com and Chrome shows the lock, but the SSL checker shows that there's something wrong.

TLS Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.

This is the first time this has happened and I'm not sure what the issue is, everything appears to be configured correctly.

Thank you!
Matt

Hello @mcblum,

Seems you are not serving the right intermediate cert, your site is serving Let's Encrypt certificate X3 instead of the new R3 and that is the reason for the errors. Chrome doesn't have issues because it should have the R3 cert already cached.

You should check the reason you are serving the old X3 intermediate cert instead of R3.

Cheers,
sahsanu

Thanks @sahsanu -- this process all happens automatically, so I'm not exactly sure where to make that change. I have one domain that's working, one that is not. Is it possible to look at the fullchain.pem files and see what the issue is, and perhaps manually correct it?

All of my stuff is configured with Puppet + Dehydrated, so I want to make sure I fix it at the source.

Or your webserver isn't using (the correct) fullchain.pem?

@Osiris so when this process runs, I get a bunch of files, and it does appear that I'm using the correct fullchain for this domain. It's just for whatever reason, the root cert in one is different than the other. I have one section of the fullchain called DH Parameters, then the (I believe?) root cert below that.

I can see that the DH section and the cert below it are different for the working domain and the non-working domain.

If I were to take the bottom portion of the fullchain cert, after the DH thing, from the working domain and just copy it into the cert file of the non-working domain, would that fix it?

I'd also have to do it on the Puppet server where I see the wildcard.goodpolyamory.com_ca.pem file is also different, but I could do that manually and I guess just assume that when it renews it will be correct?

You can check it; for example, using fullchain.cer as the fullchain file name:

openssl crl2pkcs7 -nocrl -certfile fullchain.cer | openssl pkcs7 -print_certs -text -noout
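As an added example (not code from this thread), a small shell script that splits a fullchain file into its individual certificates, prints each one's subject and issuer so a stale X3 intermediate stands out next to the leaf, checks that every certificate is actually issued by the one after it, and runs openssl verify using only the bundle's intermediates against a root store you name. The function names and file paths are made up for the example; it assumes the openssl CLI is installed.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: split a fullchain file into its
# certificates, show who issued what, and check the chain is linked.
set -eu

# Write each CERTIFICATE block of a PEM bundle to $outdir/cert-N.pem.
# Other blocks (e.g. the "DH PARAMETERS" section the OP mentions) are skipped.
split_chain() {
    local bundle="$1" outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++) }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }
    ' "$bundle"
}

# Print subject and issuer of every certificate, leaf first.
show_chain() {
    local dir="$1" c
    for c in "$dir"/cert-*.pem; do
        printf '%s\n  %s\n  %s\n' "$c" \
            "$(openssl x509 -in "$c" -noout -subject)" \
            "$(openssl x509 -in "$c" -noout -issuer)"
    done
}

# Succeed only if cert-N's issuer is cert-N+1's subject for every N and at
# least one intermediate is present (a lone leaf is the "not trusted" case).
chain_is_linked() {
    local dir="$1" i=0 iss sub
    while [ -f "$dir/cert-$((i + 1)).pem" ]; do
        iss=$(openssl x509 -in "$dir/cert-$i.pem" -noout -issuer | sed 's/^issuer=//')
        sub=$(openssl x509 -in "$dir/cert-$((i + 1)).pem" -noout -subject | sed 's/^subject=//')
        [ "$iss" = "$sub" ] || { echo "chain breaks after cert-$i" >&2; return 1; }
        i=$((i + 1))
    done
    [ "$i" -gt 0 ]
}

# Verify the leaf the way an external checker does: trusted roots come only
# from $cafile, intermediates only from what the server ships (cert-1..N).
verify_leaf() {
    local dir="$1" cafile="$2"
    cat "$dir"/cert-[1-9]*.pem > "$dir/untrusted.pem"
    openssl verify -CAfile "$cafile" -untrusted "$dir/untrusted.pem" "$dir/cert-0.pem" >/dev/null
}
```

Source the script and run split_chain, show_chain and chain_is_linked against the fullchain file nginx actually loads; the subject printed for cert-1.pem is the intermediate the checker is complaining about.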