Fix SSL Certificate Not Trusted

Understanding the Error

Browser doesn't trust the certificate issuer.

Check Certificate Chain

# Verify full chain
openssl s_client -connect yourdomain.com:443 -showcerts

# Should show multiple certificates (server + intermediates)

Fix 1: Install Intermediate Certificates

Combine certificates in correct order:

# In Nginx:
ssl_certificate /path/to/fullchain.pem  # Contains server + intermediates
ssl_certificate_key /path/to/privkey.pem

# Create fullchain.pem:
cat server.crt intermediate.crt root.crt > fullchain.pem

Fix 2: Use Let's Encrypt (Free & Trusted)

sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d yourdomain.com

Fix 3: Check Certificate Issuer

echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -issuer

Issuer should be a trusted CA (DigiCert, Let's Encrypt, GlobalSign, etc.).

Fix 4: Self-Signed Certificates

Self-signed certs never trusted for public sites. Use Let's Encrypt instead.

Fix 5: Check Server Date/Time

date
# Wrong date causes "not yet valid" errors
sudo timedatectl set-ntp true

Test SSL Configuration

# Comprehensive test
https://www.ssllabs.com/ssltest/