Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: greenstopcannabis.ca
I ran this command: n/a
It produced this output: n/a
My web server is (include version): n/a
The operating system my web server runs on is (include version): n/a
My hosting provider, if applicable, is: canhost?
I can login to a root shell on my machine (yes or no, or I don't know): no
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
For some reason sites are unable to access the site any longer. Getting this error when they attempt to connect:
The certificate used by this server has been marked as untrustworthy and the connection is not safe.
This error was caused by an invalid OCSP response, which has to be valid because OCSP stapling is used.
Try connecting again later or from a different internet connection.
Access to it has been blocked.
greenstopcannabis.ca is fully accessible. The only trouble I can see that you might be facing is that the server for greenstopcannabis.ca is serving the short chain:
Appreciate the info. I was looking at SSL Labs as well. I am not super up to speed with certificates, but I did see what you see. It seems we are missing part of the chain. How would one go about correcting that?
your hosting provider's certificate management software (cPanel or something like that) is not including both intermediate certificates (in the CA bundle) when installing your certificates
your ACME client is configured to retrieve the alternate chain from Let's Encrypt rather than the default chain when acquiring your certificates
The former is fixed by overriding the CA bundle with the last two certificates in the long chain I gave you (basically by appending the ISRG Root X1 certificate to the end). The latter is fixed by changing the parameters of your ACME client software to not select the alternate chain (or not select a preferred chain at all so that the default chain is used).
Fantastic info!! This is where I show my newbie-ness of using certificates. I have done simple things in the past when it comes to downloading and installing certs, but I am not sure what to do next. Again, this will be my newb coming out!
@mbodfield
Another possibility is that your client doesn't have the "ISRG Root X1" cert in its trusted root store.
Which client O/S and browser (and their versions) are you having this trouble with?
It's possible, if you can provide other example domains?
If the problem is all from your machine, the most likely thing is your machine just doesn't have the ISRG Root X1 cert installed, so all sorts of other websites would have stopped working as well. You can try this method to see if it's just your machine: