Fake LE Intermediate X1 LetsEncrypt

40Q · April 25, 2016, 1:51pm

I tried switching to secure https in one of my client’s site.

I ran

ansible-playbook server.yml -e env=<environment> --tags wordpress

and

ansible-playbook server.yml -e env=<environment> --tags letsencrypt

as @fullyint suggested, but after provisioning and deploying the red chain in google Chrome appeared, with a “Your connection is not private” warning.

I decided to create a new provision on a new server on a fresh new trellis installation. After completing provision and deploying the site’s certificates still seems not to be working correctly.

When clicking on Certificate’s detail issuer is Fake LE Intermediate X1.

I can get site to work on https. Any ideas of what could be happening?

darjanpanic · April 25, 2016, 2:52pm

It may not be a solution but i think let’s encrypt requires the domain to point to the server ip so i’d check the dns propagation. As i said it may be something to check but may not be a solution.

40Q · April 25, 2016, 2:57pm

Thanks @darjanpanic, unfortunately the DNS are pointing to the server’s IP. I tested with a fresh new site and it worked.

I don’t know if it has something to do with the domain or the fact that I did all these settings from an existing installation.

swalkinshaw · April 25, 2016, 3:10pm

So it’s all working now?

40Q · April 25, 2016, 3:19pm

Unfortunately not, @swalkinshaw.

I rolled back changes on trellis and disabled ssl as Chrome’s (or any other browser) warning may prevent users from visiting the site.

The site I mentioned to be working was another one which I used for testing purposes only.

fullyint · April 25, 2016, 3:25pm

@40Q you mention the X1 cert. I remember Trellis updated about a month ago to capture LE’s change from X1 to X3. Are you using the latest Trellis?

40Q · April 25, 2016, 3:38pm

Yes, @fullyint, thanks for the answer. I updated to the latest Trellis version considering those issues and still getting this warning.

Also checked SSL Server Test and it went wrong.

If I can provide any other detail I’d be grateful.

40Q · April 26, 2016, 8:41pm

Thanks everyone for the answers. I reinstalled Trellis and found there was a var defined as letsencrypt_ca: “https://acme-staging.api.letsencrypt.org” in our group_vars/all/main.yml, which should have been at the staging group

I tried reprovisioning the server without success, so we move to a fresh new droplet and we now have our brand new ssl on the domain.

Roots’ team