PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

For the record, I’ve had the same issue and the problem was that I forgot to redirect port 80 to the server.

The DNS check done by discourse-server.sh might be done on port 443 only and did not detect the problem.

But Let’s Encrypt does need port 80 to be open as well.