SSL certificate obtained invalid?

[aiqinxuancai]

I use the following function to simply get an SSL certificate for a website. Everything seems to run smoothly, and I can obtain the certificate chain. However, after adding the private key and certificate to the website, the browser prompts that the certificate is invalid with "NET::ERR_CERT_AUTHORITY_INVALID" error.

I don't have much knowledge about the Acme protocol, so I'm really not sure what the reason could be.

private async Task Init()
{
    if (string.IsNullOrWhiteSpace(_email))
    {
        throw new ArgumentNullException();
    }

    var pemPath = Path.Combine(kNASPath, _email + ".pem");

    try
    {
        if (File.Exists(pemPath))
        {
            var accountKey = KeyFactory.FromPem(File.ReadAllText(pemPath));
            var acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2, accountKey);
            var account = await acme.Account();

            _acme = acme;
            _account = account;
        }
        else
        {
            var acme = new AcmeContext(WellKnownServers.LetsEncryptStagingV2);
            var account = await acme.NewAccount(_email, true);
            var pemKey = acme.AccountKey.ToPem();

            File.WriteAllText(pemPath, pemKey);

            _acme = acme;
            _account = account;
        }
    }
    catch (Exception ex)
    {
        Console.WriteLine(ex.ToString());
        throw new Exception($"Init Error#1 {ex}");
    }

    if (_account == null)
    {
        throw new ArgumentNullException("Init Error#2");
    }
}

/// <summary>
/// 
/// </summary>
/// <param name="domains">"*.your.domain.name"</param>
public async Task<(string privateKey, string pem)> Order(string domain)
{
    if (_account == null)
    {
        await Init();
    }

    var orderContext = await _acme.NewOrder(new List<string> { domain });

    var authz = (await orderContext.Authorizations()).First();

    Certify.ACME.Anvil.Acme.Resource.Challenge validateResult = new Certify.ACME.Anvil.Acme.Resource.Challenge();
    bool isAddRecord = false;
    var httpChallenge = await authz.Http();
    var keyAuthz = httpChallenge.KeyAuthz;
    Console.WriteLine("token2：" + keyAuthz);


    do
    {
        if (!isAddRecord)
        {
            //Auth
            await TencentCloudAPIManager.Instance.UpdateFile(httpChallenge.Token, keyAuthz);
            isAddRecord = true;
            await Task.Delay(10 * 1000);
        }

        try
        {
            var v = await httpChallenge.Validate();
            Console.WriteLine(v.Status.ToString());

            await Task.Delay(10 * 1000);

            validateResult = await httpChallenge.Resource();
            Console.WriteLine(validateResult.Status.ToString());
        }
        catch (Exception e) 
        {
            Console.WriteLine(e);
        }
        await Task.Delay(1000 * 60);

    } while (validateResult.Status != ChallengeStatus.Valid);

    await Task.Delay(3000);

    var privateKey = KeyFactory.NewKey(KeyAlgorithm.RS256);

    var order = await orderContext.Finalize(new CsrInfo
    {
        CommonName = domain,
    }, privateKey);


    if (order.Status == OrderStatus.Processing)
    {
        var attempts = 10;
        while (attempts > 0 && order.Status == OrderStatus.Processing)
        {
            var waitMS = 3000;
            if (orderContext.RetryAfter > 0 && orderContext.RetryAfter < 60)
            {
                waitMS = orderContext.RetryAfter * 1000;
            }

            await Task.Delay(waitMS);
            order = await orderContext.Resource();
            attempts--;
        }
    }

    if (order.Status != OrderStatus.Valid)
    {
        throw new Exception("Error#1");
    }

    CertificateChain certificateChain = await orderContext.Download();

    //X509Certificate2 cert = new X509Certificate2(certificateChain.Certificate.ToDer());
    var privateKeyPem = privateKey.ToPem();

    var certPem = certificateChain.ToPem();

    Console.WriteLine(privateKeyPem);
    Console.WriteLine(certPem);

    return (privateKeyPem, certPem);
}

[webprofusion-chrisc]

Your code uses WellKnownServers.LetsEncryptStagingV2 as the CA directory URL, that means the cert you get will be from the Let's Encrypt Staging API, which is a fake CA with a test API. Their root cert will not be trusted by any operating system. Try WellKnownServers.LetsEncryptV2

[aiqinxuancai]

Thank you! The problem perfectly solved.