StartSSL SSL certificate showing up as net::ERR_CERT_AUTHORITY_INVALID in browser

I’ve “purchased” a 3 year StartSSL free Class 1 DV certificate for my development domain, and installed it on NGINX as per their instructions.

I notice that the nginx certificate they provide contains the DV certificate, with my 10 domain aliases added to it, and also the intermediate certificate, which they say should be valid according to the browser (I’ve tried it on Chrome and Firefox with similar results).

The certificate is appearing as invalid: https://gb.qa.vendigo.build/

However nearly every SSL validation tool is showing it as a complete chain, no problems at all, with the exception of one tool:

http://www.sslchecker.com/sslchecker?su=1e9941a064b5bc0b92fbfa310aae796b

which shows a missing ‘root’ certificate. However adding that root certificate doesn’t help, and in fact SSL checker (listed above) will then show root as present, but then list another missing certificate instead. Downloading and installing these certificates just makes that chain keep growing to no avail.

I’ve become quite stuck now! Am I missing something obvious or is this just a bad certificate?

nginx configuration looks like:

    # gb.qa.vendigo.build
    upstream cc574309c4214a6c01eb8d3dbe9f701eee9daf3d {
                ## Can be connect with "bridge" network
                # sample-1.antony-cert-test.11b35827
                server 172.17.0.6:80;
                ## Can be connect with "dockercloud" network
                # sample-1.antony-cert-test.11b35827
                server 10.7.0.24:80;
    }
    server {
        server_name gb.qa.vendigo.build;
        listen 80 ;
        listen [::]:80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
    }
    server {
        server_name gb.qa.vendigo.build;
        listen 443 ssl http2 ;
        listen [::]:443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/vendigo.build.crt;
        ssl_certificate_key /etc/nginx/certs/vendigo.build.key;
        add_header Strict-Transport-Security "max-age=31536000";
        location / {
            proxy_pass http://cc574309c4214a6c01eb8d3dbe9f701eee9daf3d;
        }
    }
    

2 solutions collected from the web for “StartSSL SSL certificate showing up as net::ERR_CERT_AUTHORITY_INVALID in browser”

    Thanks to my friend Geoff, and @tkausl for the rapid answers – StartSSL is no longer considered a reputable provider:

    https://danconnor.com/posts/50f65364a0fd5fd1f7000001/avoid_startcom_startssl_like_the_plague_

    and the link in @tkausl’s response, which oddly didn’t come up in any of my searches.

    I guess I’ll be paying for a certificate then!

    Distrusting New WoSign and StartCom Certificates

    Check letsencrypt, it should satisfy your needs.
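
The symptom in this thread (chain checkers report a complete chain, yet the browser returns net::ERR_CERT_AUTHORITY_INVALID) comes down to two separate checks: whether the chain links up, and whether the browser's policy still accepts the issuing CA. The sketch below is an added example, not code from the original posts; it works on already-decoded certificate fields (for instance from `openssl x509 -noout -subject -issuer -startdate`). The field names, the constructed sample chain, the organisation-substring match and the exact cutoff instant are assumptions made for illustration.

```python
import ssl

# Cutoff taken from the browser policy named in the answer ("Distrusting New
# WoSign and StartCom Certificates"): certificates with a notBefore after
# 21 Oct 2016 are rejected. The 00:00:00 UTC boundary is an assumption here.
CUTOFF = ssl.cert_time_to_seconds("Oct 21 00:00:00 2016 GMT")

# Heuristic: match on the issuer organisation instead of pinning exact roots.
DISTRUSTED_ORGS = ("StartCom", "WoSign")

def diagnose(chain):
    """chain: leaf-first list of dicts with subject, issuer, issuer_org, not_before.

    Returns a list of finding codes; an empty list means neither check failed.
    """
    findings = []
    # Check 1: structural completeness. Each certificate's issuer must be the
    # subject of the next certificate in the bundle. This is what most online
    # "SSL checker" tools report on.
    for cert, parent in zip(chain, chain[1:]):
        if cert["issuer"] != parent["subject"]:
            findings.append("BROKEN_LINK")
            break
    # Check 2: trust policy. A perfectly linked chain still fails in the
    # browser when it ends at a distrusted CA and the leaf is newer than the cutoff.
    from_distrusted_ca = any(
        name in cert["issuer_org"] for cert in chain for name in DISTRUSTED_ORGS
    )
    leaf_issued = ssl.cert_time_to_seconds(chain[0]["not_before"])
    if from_distrusted_ca and leaf_issued > CUTOFF:
        findings.append("DISTRUSTED_CA")
    return findings

# Constructed sample: leaf plus intermediate, as in the nginx bundle described
# in the question. Dates and names are illustrative, not taken from the real site.
SAMPLE_CHAIN = [
    {"subject": "gb.qa.vendigo.build", "issuer": "StartCom Class 1 DV Server CA",
     "issuer_org": "StartCom Ltd.", "not_before": "Dec 05 10:00:00 2016 GMT"},
    {"subject": "StartCom Class 1 DV Server CA",
     "issuer": "StartCom Certification Authority",
     "issuer_org": "StartCom Ltd.", "not_before": "Dec 16 01:00:05 2015 GMT"},
]

if __name__ == "__main__":
    print(diagnose(SAMPLE_CHAIN))
```

A result containing only `DISTRUSTED_CA` matches what the thread describes: adding more certificates to the bundle cannot help, because the chain was never incomplete.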
