Certificate OK but bank problem "unable to get local issuer certificate"

My web server is: dedicated server with apache

Website: mielbio.fr

The operating system my web server runs on is: CentOS7

I can login to a root shell on my machine : Yes

I’m using a control panel to manage my site : Webmin/virtualmin

All worked fine, until I moved my online shop to another server 2 days ago. Same OS, same URL, same server software, same shop software. All browsers and the new server are OK with the certificate on the new server.

But not our bank. When I try to make a payment with a bank card, the money goes to my bank account. But the order is not validated; there is an issue when the bank goes back to my shop.
The error message of my bank is:

SSL certificate problem: unable to get local issuer certificate

I phoned my bank's support several times; they told me that it is a problem with my certificate.
I am running out of ideas where to search.

Thank You for help.

1 Like

Assuming they’re connecting to https://mielbio.fr/ or https://www.mielbio.fr/, but both websites appear to be set up correctly.

(Sometimes Apache can fail to reload correctly and you can get stuck with a couple worker processes with a different, older configuration. There’s no reason to think that’s happening here, but I don’t want to categorically rule it out either.)

https://www.ssllabs.com/ssltest/analyze.html?d=mielbio.fr&hideResults=on
https://www.ssllabs.com/ssltest/analyze.html?d=www.mielbio.fr&hideResults=on

Can your bank provide more detailed information about the error or their HTTP client?

One possibility is that they’re using an obsolete client that doesn’t support the SNI extension – standardized around 2003, and mostly entirely implemented within ten years – and they’re getting your server’s default, self-signed certificate. If so, configuring Apache to use your Let’s Encrypt certificate instead of the self-signed certificate should resolve the problem.

(But I’m not sure how to do that properly with Webmin.)

The only other logical explanation for the error message is that the bank doesn’t support Let’s Encrypt at all.

1 Like

Hi @Bousquet

checking your domain the main things are ok - https://check-your-website.server-daten.de/?q=mielbio.fr

One thing may be critical:

Fatal: Inconsistency between delegation and zone. The set of NS records served by the authoritative name servers must match those proposed for the delegation in the parent zone.: ns3436340.ip-188-165-193.eu (188.165.193.44): Delegation: ns3436340.ip-188-165-193.eu,sdns2.ovh.net, Zone: ns3436340.ip-188-165-193.eu

This isn't good, so you should fix it. But it isn't directly the error message.

Your certificate is ok, same with your chain:

Chain (complete)
  1  CN=mielbio.fr
  2  CN=Let's Encrypt Authority X3, O=Let's Encrypt, C=US
1 Like

Thank You mnordhoff and JuergenAuer,

Every website on my server has its own certificate.
The bank told me that the problem is in the “chain”.
They refer to this website: https://www.tbs-internet.com/php/HTML/testssl_verif.php

1 Like

That's simple: That tool shows a wrong answer. And it's bad if the bank uses such a tool as reference.

Your chain is correct, that's the reason I've shared the output.

And this (answer from that tool)

CERTIFICATION CHAIN

• ROOT: ERROR - Certificate not recognized!
Unknown root certificate!

is wrong. A site should never send the root certificate. The client selects the list of trusted root certificates, not the server.

Check my site server-daten.de, the same answer.

Or check letsencrypt.org.

2 Likes

Hello,

Now it works. I did not change anything.
The only explanation I found is that the new IP was not recognized by the bank and now it is.

Thank You very much for Your support :)

2 Likes

That tool https://www.tbs-internet.com/php/HTML/testssl_verif.php again has the wrong result.

So the bank may ignore that tool now.

1 Like

I will let them know, hoping they would follow Your advice.
Thank You again.

1 Like

The bank might also have some kind of peculiarity in its own systems, for example using an outdated list of root certificates or one that’s different from the roots accepted by modern web browsers.

1 Like
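The two failure modes discussed in this thread, a server that sends its leaf certificate without the intermediate (the chain question JuergenAuer answers above) and a client whose trust store lacks the matching root (the outdated root list mnordhoff mentions above), surface as the very same OpenSSL text the bank reported. The script below is an added example, not code from the thread or from Let's Encrypt: it builds a throwaway root, intermediate and leaf with the openssl CLI (the names "Example Root", "Example Intermediate", "Other Root" and shop.example are invented placeholders, the intermediate stands in for "Let's Encrypt Authority X3") and reproduces each case offline, so you can see which side is at fault for a given combination of what the server sends and what the client trusts.

```shell
#!/bin/sh
# Added example, not code from the thread: build a throwaway PKI
# (root -> intermediate -> leaf) with the openssl CLI and show when
# "unable to get local issuer certificate" appears and when it does not.
# Assumes only that the openssl command (1.1.1 or 3.x) is installed;
# every certificate and name below is constructed here.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the script does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Root
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
printf 'basicConstraints = critical,CA:TRUE,pathlen:0\nkeyUsage = critical,keyCertSign,cRLSign\n' > int.ext
printf 'basicConstraints = CA:FALSE\nkeyUsage = critical,digitalSignature\nextendedKeyUsage = serverAuth\nsubjectAltName = DNS:shop.example\n' > leaf.ext

# EC keys keep the example fast; RSA would work the same way.
EC="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"

# Root CA: what a client keeps in its trust store (stands in for a public root).
openssl req -x509 -config ca.cnf $EC -keyout root.key -out root.crt -days 2 >/dev/null 2>&1
# An unrelated root: models a client whose trust store lacks the right root.
openssl req -x509 -config ca.cnf $EC -subj "/CN=Other Root" -keyout other.key -out other-root.crt -days 2 >/dev/null 2>&1
# Intermediate (plays the role of "Let's Encrypt Authority X3"), signed by the root.
openssl req -new -config ca.cnf $EC -subj "/CN=Example Intermediate" -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile int.ext -out int.crt -days 2 >/dev/null 2>&1
# Leaf (the shop's own certificate), signed by the intermediate.
openssl req -new -config ca.cnf $EC -subj "/CN=shop.example" -keyout leaf.key -out leaf.csr >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile leaf.ext -out leaf.crt -days 2 >/dev/null 2>&1

# Verify leaf.crt the way a TLS client does.
#   $1 = file with the root(s) the client already trusts (its trust store)
#   $2 = file with the extra certificates the server sent, or '' for none
# Prints "OK" and returns 0 on success; otherwise prints the OpenSSL reason
# text (collapsed to the well-known phrase when that is the reason) and returns 1.
verify_chain() {
  store=$1; sent=$2
  if [ -n "$sent" ]; then
    out=$(openssl verify -CAfile "$WORK/$store" -untrusted "$WORK/$sent" "$WORK/leaf.crt" 2>&1) && { echo OK; return 0; }
  else
    out=$(openssl verify -CAfile "$WORK/$store" "$WORK/leaf.crt" 2>&1) && { echo OK; return 0; }
  fi
  case $out in
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "$out" ;;
  esac
  return 1
}

# Three scenarios: only the middle one is a correctly configured server
# talking to a correctly configured client.
echo "1. server sends leaf only, client trusts root:           $(verify_chain root.crt '' || true)"
echo "2. server sends leaf + intermediate, client trusts root: $(verify_chain root.crt int.crt || true)"
echo "3. server sends leaf + intermediate, client lacks root:  $(verify_chain other-root.crt int.crt || true)"
```

Case 1 is the server-side bug (a missing intermediate in the Apache chain), case 3 is the client-side one: the server is fine and the verifier's trust store is simply missing or outdated, yet the error text is identical, which is why the message alone cannot tell you which side to fix. To see what a real server hands out, `openssl s_client -connect mielbio.fr:443 -servername mielbio.fr -showcerts </dev/null` prints the sent chain; running the same command without `-servername` shows what a client without SNI receives, which is the default virtual host's certificate mnordhoff mentions.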
