Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: www.tolimoli.comcom

I ran this command: NA

It produced this output: NA

My web server is (include version): apache 2.4.51

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: linode

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No control panel required

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

I have checked my SSL certificate at ssllab without any issue (Overall Rate 'A') when I run nexpose (Rapid7) VA scan, I got this error. Can advise how to fix? Thank you.

Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)

The server's TLS/SSL certificate is signed by a Certification Authority (CA) that is not well-known or trusted. This could happen if: the
chain/intermediate certificate is missing, expired or has been revoked; the server hostname does not match that configured in the
certificate; the time/date is incorrect; or a self-signed certificate is being used. The use of a self-signed certificate is not recommended
since it could indicate that a TLS/SSL man-in-the-middle attack is taking place

Affected Nodes:
Affected Nodes: Additional Information:
###.###.###.###:443 TLS/SSL certificate signed by unknown, untrusted CA: CN=R3, O=Let's
Encrypt, C=US -- NotAfter: Thu Sep 30 14:01:15 UTC 2021.

Then the second test is missing the point (OR missing the "ISRG Root X1" root from their trust store).

For comparison, try running both tests against "letsencrypt.org".

1 Like

Thank you rg305. I happened the same thing when I scan letsencrypt.org. X.509 Certificate Subject CN Does Not Match the Entity Name (certificate-common-name-mismatch). May be I might need to wait for nexpose new update to see if they have added ISRG Root X1 in their trust store.

1 Like

Yes, it seems not everyone has updated their software to take this new situation into account.
But they all will OR people will just stop using their software - LOL

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.