Windows Plesk wildcard SSL giving error on a few computers

I have installed a wildcard SSL certificate via Plesk; it has automatic installation for Let's Encrypt. After installation, I am getting an SSL warning page on some computers and mobiles, but I have checked the SSL with an SSL checker like https://www.sslshopper.com/ssl-checker.html#hostname=https://www.deyspharma.com/
and there is no error showing here. Please help to find where the problem is.

My domain is: https://www.deyspharma.com/

Thanks in advance

Hi @san2roy, welcome to the LE community forum

Please show an example of the warnings.

This may be unrelated, but it is a BAD redirection (that will never be secured by this wildcard cert):

curl -Iki https://103.16.100.27/
HTTP/2 303
cache-control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
pragma: no-cache
content-length: 0
content-type: text/html; charset=UTF-8
expires: Fri, 28 May 1999 00:00:00 GMT
last-modified: Wed, 01 Sep 2021 05:46:25 GMT
location: https://103.16.100.27/login.php?success_redirect_url=%2F

The error is NET::ERR_CERT_AUTHORITY_INVALID and "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." when I check the certificate details.

You are not showing enough to be certain.
It looks like your test client might be unable to match the R3 intermediate cert to a trusted root.
If so, it is highly likely that your test client is rather outdated and may need to update its root store.

If that is the case, and you are unable to update the test clients, then you may need to switch to another FREE CA - one that uses a much older trusted root [and might be found in your test client root store].


You have configured your ACME client to request the ISRG Root X1 certificate chain by default. This chain is not compatible with old clients like Android V7.0 and lower, or Windows XP.

To gain compatibility with these older clients you need to revert to using the default chain (Your Certificate > R3, ISRG Root X1 > DST Root CA X3).

While the DST Root CA X3 root will be expiring at the end of September, for most clients that's OK, but for some (like some versions of OpenSSL etc.) it won't be. As @rg305 mentioned, your other alternative is to switch to a different CA which does have a trusted root that all your clients have (you would have to test).

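Why a checker with a current root store reports no error while an older client shows NET::ERR_CERT_AUTHORITY_INVALID, as an added example that is not part of the thread: a simplified, names-only model of certificate path building over the two chains named in the last reply. The host name and both root stores are constructed assumptions; real validation also verifies signatures and validity dates.

```python
# Simplified model of certificate path building (names only, no signatures).
# All chain and trust-store contents are constructed for illustration.

# Each served certificate is (subject, issuer), leaf first.
SHORT_CHAIN = [  # server configured for the ISRG Root X1 chain
    ("*.example.test", "R3"),
    ("R3", "ISRG Root X1"),
]
LONG_CHAIN = [  # default chain described in the reply above
    ("*.example.test", "R3"),
    ("R3", "ISRG Root X1"),
    ("ISRG Root X1", "DST Root CA X3"),  # cross-signed ISRG Root X1
]

# Hypothetical client root stores.
MODERN_STORE = {"ISRG Root X1", "DST Root CA X3"}
OLD_STORE = {"DST Root CA X3"}  # client that never received ISRG Root X1


def build_path(chain, root_store):
    """Return the names from leaf to trust anchor, or None if none is reached."""
    issuer_of = {subject: issuer for subject, issuer in chain}
    current = chain[0][0]
    path = [current]
    seen = set()
    while current not in seen:
        seen.add(current)
        issuer = issuer_of.get(current)
        if issuer is None:
            return None  # served chain ends before any trusted root
        if issuer in root_store:
            return path + [issuer]  # anchored: stop at the first trusted root
        path.append(issuer)
        current = issuer
    return None  # loop in the served chain


def compare():
    """Evaluate every chain/store combination; None means a trust warning."""
    chains = {"short": SHORT_CHAIN, "long": LONG_CHAIN}
    stores = {"modern": MODERN_STORE, "old": OLD_STORE}
    return {(c, s): build_path(chains[c], stores[s])
            for c in chains for s in stores}


if __name__ == "__main__":
    for (chain, store), path in compare().items():
        print(f"{chain:5} chain, {store:6} store:",
              " > ".join(path) if path else "no trusted path")
```
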
