Windows Plesk wildcard ssl giving error in few computer

I have install wildcard ssl via plesk its has auto installation to letsencrypt. After installation having ssl warning page in some computer and mobile but I have check ssl with ssl checker like
there is no error showing here. Please help to find where is the problem

My domain is:

Thanks in advance

Hi @san2roy, welcome to the LE community forum :slight_smile:

Please show an example of the warnings.

This may be unrelated, but it is a BAD redirection (that will never be secured by this wildcard cert):

curl -Iki
HTTP/2 303
cache-control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
pragma: no-cache
content-length: 0
content-type: text/html; charset=UTF-8
expires: Fri, 28 May 1999 00:00:00 GMT
last-modified: Wed, 01 Sep 2021 05:46:25 GMT

error is NET::ERR_CERT_AUTHORITY_INVALID and "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store." when i am check certificate details.

You are not showing enough to be certain.
It looks like your test client might be unable to match the R3 intermediate cert to a trusted root.
If so, it is highly likely that your test client is rather outdated and may need to update its' root store.

If that is the case, and you are unable to update the test clients, then you may need to switch to another FREE CA - one that uses a much older trusted root [and might be found in your test client root store].

1 Like

You have configured your ACME client to request the ISRG Root X1 certificate chain by default. This chain is not compatible with old clients like Android V7.0 and lower, or Windows XP.

To gain compatibility with these older clients you need to revert to using the default chain (Your Certificate > R3, ISRG Root X1 > DST Root CA X3).

While the DST Root CA X3 root will be expiring at the end of September, for most clients that's OK, but for some (like some versions of OpenSSL etc) it won't be. As @rg305 mentioned your other alternative is to switch to a different CA which does have a trusted root that all your clients have (you would have to test).

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.