Let's Encrypt certificate not trusted for web GUI

Started by tj-flens, February 22, 2024, 11:46:31 AM

Hi,
I've been working with OPNsense for a few weeks now. I am on version 24.1.2 and have been using self-signed certificates. Everything works great so far.
Now I would like to use my domain internally and switch to a Let's Encrypt certificate.
For this I use the DNS-01 challenge via Cloudflare and can also create certificates for my OPNsense. The hostname is: router."domain".net.
I have entered the certificate under System/Settings/Administration and System/Settings/General (hostname/domain) and restarted the web interface.
OPNsense can now be reached at this address, but the certificate is not secure!

I have searched through various tutorials but found nothing.
Thanks for any tips.

Did you not only place the FQDN in the CN field but also as a SAN? This is now mandated by browsers.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

If I understood your point correctly, I need to put router.domain.net into the alternate names field: router.domain.net.

Done - re-issued - but no change. The cert is still not trusted.

Then a screenshot of the certificate chain as the browser shows it is the only way I know to diagnose. Difficult if you don't want to share your FQDN. Possibly blur that part ...

I've captured the info from Firefox. Hope this helps.

The first picture says it all - you are using the STAGING CA of Let's Encrypt.

You cannot change the CA of your registered account in the UI after the fact - the help text even states as much. You need to delete and create the account again, this time with the production CA.
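Both problems raised in this thread (the FQDN missing from the SAN, and a certificate issued by the Let's Encrypt staging CA) can be checked from a shell without screenshots. The script below is an added example; it is not part of the original posts and not OPNsense's own tooling. It assumes `openssl` is installed, uses router.example.net as a placeholder hostname, and the sample certificates it generates are constructed locally so the checks can be exercised offline. Let's Encrypt's staging intermediates all carry "(STAGING)" in their issuer name, which is what `is_staging` looks for.

```shell
#!/bin/sh
# Added example (not from the thread): diagnose a web GUI certificate with openssl.
# Checks: (1) is the FQDN listed as a DNS SAN, (2) was it issued by the Let's
# Encrypt STAGING CA. router.example.net is a placeholder hostname.

# fetch_leaf HOST [PORT] : print the leaf certificate the server serves (with SNI),
# so the checks run against exactly what the browser sees.
fetch_leaf() {
    host="$1"; port="${2:-443}"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM
}

# san_dns_names CERT.pem : print one "DNS:name" entry per line (nothing if no SAN).
san_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n +2 \
        | tr ',' '\n' | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        | grep '^DNS:' || true
}

# san_has_name CERT.pem FQDN : succeed only if FQDN is one of the DNS SANs.
san_has_name() {
    san_dns_names "$1" | grep -qxF "DNS:$2"
}

# is_staging CERT.pem : succeed only if the issuer is a Let's Encrypt staging CA.
is_staging() {
    openssl x509 -in "$1" -noout -issuer | grep -qF '(STAGING)'
}

# diagnose CERT.pem FQDN : print PASS/FAIL lines; return 0 only if both checks pass.
diagnose() {
    cert="$1"; fqdn="$2"; rc=0
    if san_has_name "$cert" "$fqdn"; then
        echo "PASS: $fqdn is present as a DNS SAN"
    else
        echo "FAIL: $fqdn is missing from the SAN (browsers ignore the CN)"; rc=1
    fi
    if is_staging "$cert"; then
        echo "FAIL: issued by the Let's Encrypt STAGING CA - no browser trusts it"; rc=1
    else
        echo "PASS: $(openssl x509 -in "$cert" -noout -issuer)"
    fi
    return $rc
}

# make_test_certs DIR : constructed self-signed samples for the three cases
# (SAN present / SAN missing / staging-named issuer). A self-signed cert has
# issuer == subject, so the staging case fakes the issuer through O=.
make_test_certs() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k.pem" \
        -subj "/CN=router.example.net" -addext "subjectAltName=DNS:router.example.net" \
        -out "$dir/good.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k.pem" \
        -subj "/CN=router.example.net" -out "$dir/nosan.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -keyout "$dir/k.pem" \
        -subj "/O=(STAGING) Let's Encrypt/CN=router.example.net" \
        -addext "subjectAltName=DNS:router.example.net" -out "$dir/staging.pem" 2>/dev/null
}

# Usage: ./check_cert.sh HOST [FQDN]  - fetch the live leaf cert and diagnose it.
if [ $# -ge 1 ]; then
    tmp=$(mktemp)
    fetch_leaf "$1" > "$tmp"
    diagnose "$tmp" "${2:-$1}"
    rm -f "$tmp"
fi
```

If `diagnose` reports the staging issuer, re-issuing the certificate will not help: as noted above, the ACME account is bound to the CA it was registered with, so the account has to be deleted and recreated against the production CA before a new certificate is requested.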