Cerificate not working on aws instance node application

kerlosense · June 26, 2020, 9:46pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: https://swpdev.macbiz.co/

I ran this command: I have not run any command but dont know why my certificate is not working

It produced this output: Error: unable to verify the first certificate

My web server is (include version):

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is: Amazon

I can login to a root shell on my machine (yes or no, or I don’t know): no

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.27.0

_az · June 26, 2020, 10:02pm

The certificate is for macbiz.co, but not for the subdomain swpdev.macbiz.co.

The certificate you create needs to include every domain name that you plan to use it with.

kerlosense · June 26, 2020, 10:07pm

No Certificate is also working on swpdev.macbiz.co too

you can check below screen short thanks

_az · June 26, 2020, 10:09pm

Read that screenshot carefully. The paragraphs next to the yellow “warning” triangles explain that your certificate is not valid for that subdomain.

The other warning message is explaining that you are not sending your intermediate certificate. This is usually due to using cert.pem instead of fullchain.pem in your Node.js application.

You need to fix both issues to get rid of the warning screen.

kerlosense · June 26, 2020, 10:15pm

You mean my certificate is not valid for subdomain i need to generate certificate for my subdomain

_az · June 26, 2020, 10:16pm

Yes. You could also generate one certificate that would be valid for both macbiz.co and swpdev.macbiz.co.

kerlosense · June 26, 2020, 10:24pm

i have check my root domain please check below screen short

please advice because i think i have already install ssl certificate on my root domain https://macbiz.co

_az · June 26, 2020, 10:28pm

Well, your root domain looks like it is misconfigured in DNS:

macbiz.co.              600     IN      A       13.52.95.200
macbiz.co.              600     IN      A       184.168.131.241

It is pointing to two different servers, each of which have a different SSL setup. As a result, your online test is going to give random results, depending which server gets selected.

You should decide which server is correct, and remove the other one.

kerlosense · June 26, 2020, 10:37pm

how can i test my self that my root domain is pointed on two different server ?

_az · June 26, 2020, 10:40pm

nslookup, or dig, or something like https://dnschecker.org/#A/macbiz.co

kerlosense · July 3, 2020, 11:18pm

Please have a look at this screenshot, i think its properly installed now. but still showing chain certificate issue. i am using docker without having any web server.

Thanks for your help

_az · July 3, 2020, 11:22pm

Your Node.js server is still not sending the intermediate.

Here's a previous post showing how to send the full certificate chain with Node.js:

kerlosense · July 4, 2020, 2:03am

i have tried this but its not working

kerlosense · July 4, 2020, 2:08am

I am using aws ubuntu, however when i tried to cd into /etc/letsencrypt/live/ it doesn’t want me to go there, says permission denied so i can’t view what is inside the folder.

but i tried the above commands that you gave me but it doesn’t work. am i missing something?

kerlosense · July 4, 2020, 2:35am

please check below screen short

_az · July 4, 2020, 2:38am

Indeed, the certificate files are by default only readable as root. If your Node.js process runs as a different user, then you need to find a way for that user to access those files.

You can use deploy hooks to copy the certificate and private key for your Node.js user, or you can use group permissions, or you can use ACLs.

OK. So the certificate inside /etc/letsencrypt is expired. But you can see that now the full chain is used, there is no complaint about a missing intermediate.

Where did you get your other (unexpired) certificate?

What does this show:

sudo certbot certificates

kerlosense · July 4, 2020, 2:47am

i have run this command sudo certbot certificates

and get below output

_az · July 4, 2020, 2:52am

That suggests that you are not using the certificate from /etc/letsencrypt/live/swpdev.macbiz.co/.

kerlosense · July 4, 2020, 2:59am

this is how i am using the certificate , as you can see i also put the chain certificate into my certs/ directory…

when i try to access the directory what you gave me … my application crashes so i tried to manually change directory and tried to access the location that you gave me but i am getting a permission issue.

can this be the reason that its not reading the files from that location because of having permission issue? can i generate ssl certificate somewhere so i could paste it into the text file like i am doing now?

system · August 3, 2020, 3:13am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.