Applicable to:
- Plesk for Linux
- Plesk for Windows
Symptoms
- Online SSL checker (such as thawte CryptoReport, Qualsys SSL Labs, SSL Shopper) shows an error like:
CONFIG_TEXT: Intermediate certificate missing
CONFIG_TEXT: The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate.
CONFIG_TEXT: This server's certificate chain is incomplete
-
A browser can show:
CONFIG_TEXT: Your connection is not private NET::ERR_CERT_AUTHORITY_INVALID
-
Browser is rejecting certificates based on the intermediate one
-
When trying to log in via an e-mail client, one of the following errors is shown:
CONFIG_TEXT: The server you are connected to is using a security certificate that cannot be verified. The target principal name is incorrect.
CONFIG_TEXT: Could not verify this certificate because the issuer is unknown
Cause
The certificate consists of 3 parts:
- *.key file private key;
- *.crt - certificate itself;
- *-ca.crt - certificate of Certificate Authority.
The error means Certificate Authority (ca.crt) part of a certificate is missing.
Resolution
*.key / *.crt / *-ca.crt parts of the certificate should be provided by your Certificate Authority.
Contact the certificate issuer and ask to provide CA part of the certificate:
Rename the existing certificate under Plesk > Domains > example.com > SSL/TLS Certificates > certificate _name > Rename.
Then, install the certificate again. All three parts should be uploaded/filled for the certificate:
Additional information
How to install SSL certificate for a domain in Plesk
How to generate certificate signing request (CSR) for a domain in Plesk
Comments
6 comments
Hello @Don Duke,
An intermediate certificate should be manually added directly in CA certificate section.
For example, certificates have been signed in the following order:
Root CA > Intermediate1 > Intermediate2 > domain certificate.
The content of the certificates should be manually added directly in CA certificate (*-ca.crt) section in Plesk at Tools & Settings > SSL/TLS Certificates > Add SSL/TLS Certificates or in Domains > example.com > SSL/TLS Certificates > Add SSL/TLS Certificates in the following order (domain certificate is not used):
Intermediate2, Intermediate1, Root CA
Hi, @Miha.
For me, certificate is showing fine in my desktop browser. I do not have the iPhone to check how it is working there, but I believe that the issue exists for you.
Maybe some Apple OS browsers require additional tuning in the server side to work properly but we did not face any such cased before as there are no articles on that in our knowledge base.
I suggest clarifying how it is possible that Apple OS browser is showing that SSL is not trusted while Chrome or Firefox is showing the things fine. Maybe you will get an advice on what to adjust.
This solution doesnt work.
There should be 3 .crt uploads in Plesk, not just one.
Often the intermediate certificate is a separate crt, so you have the main .crt, then the -ca.crt, then the intermediate .crt.
How we do install a certificate built like this in Plesk??
Hi,
I have similar problem with SSL letsencrypt where ROOT 1 missing. I test on https://www.sslchecker.com/sslchecker
I have Plesk/Onyx 17.8 with Nginx+Apache, Extensions are all updated.
And on even new iPhone I get error in browser:
Any idea how to solve that?
Regards, Miha
Hi,
no it was an error on classic website, example https://1987.si/ We notice that this page doesn't work on many Apple OS.
Regards,
Hello, @Miha!
Missing root 1 certificate reported by sslchecker.com seemed to be an issue on their side according to the following topic in Let's Encrypt community: https://community.letsencrypt.org/t/my-cert-is-missing-root-1/30309/15
As for the 'This connection is not private' message, could you please clarify whether or not you are trying to access Plesk interface on port 8443 before facing this error?
Please sign in to leave a comment.