CERTIFICATE_VERIFY_FAILED self signed certificate in certificate chain

We are moving a live site to a new server. I am following the instructions from Certbot - Ubuntufocal Apache. Currently the domain is pointing to the old server ip; I am using a host file entry for now. While a short amount of down time is acceptable, since the process is effectively failing at the first step I really want to get this resolved before we do the move.

It is required that we have a cert from https://surfprotect.co.uk/ installed. I received the error listed below. I removed the cert for diagnostic purposes (deleted the crt file and sudo dpkg-reconfigure ca-certificates) and am still getting the same message so no longer think it's related (and fwiw I get a similar message doing curl https://google.com).

My domain is:
Not yet pointing at the problem server as per above

I ran this command:
sudo certbot --apache

It produced this output:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address (used for urgent renewal and security notices)
(Enter 'c' to cancel): blah@blah.com
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))

My web server is (include version):
Apache/2.4.41 (Ubuntu)

The operating system my web server runs on is (include version):
Ubuntu 20.04.2 LTS

My hosting provider, if applicable, is:
NA (internally controlled VM)

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 1.18.0

Server management is really not my specialty so any suggestion is welcome, I could easily have overlooked something that should be obvious!

Please show the certificate that you are being presented.
[I suspect there is some inline HTTPS inspection device]

There seem to be three things going wrong:

  1. The SurfProtect cert wasn't properly installed (and was then removed - but it is required).
  2. curl is unable to validate any certs for HTTPS Internet sites (requires fixing #1).
  3. certbot --apache will most likely still fail (even after the required fixing of #1, so #2 can work).
    Because LE won't be affected by any temporary host file entries, it will still try to validate the new server at the existing IP of that name and thus the renewal attempts will fail.

Unless I missed something...

Thank you for your replies.

To address your second reply, I have now reinstated the certificate in the same way I initially installed it: I saved the certificate to "/usr/local/share/ca-certificates/surfprotect/surfprotect.crt" and "/usr/share/ca-certificates/surfprotect/surfprotect.crt" (when initially looking into this I saw people referring to both usr/local and usr/share so decided to cover both bases). I then ran sudo dpkg-reconfigure ca-certificates and selected the SurfProtect one, which gave me

Updating certificates in /etc/ssl/certs...
2 added, 0 removed; done.
Processing triggers for ca-certificates (20210119~20.04.1) ...
Updating certificates in /etc/ssl/certs...
2 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.

Is this correct?

Apparently I never ran curl before I removed the certificate since it now seems to work (although interestingly I continue to get "Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings" when I reboot, which I didn't get before when the SurfProtect certificate had been added so I guess something is screwy somewhere).

With regards to point 3, I had expected it to fail to complete but I thought I would at least reach the point where it would have a look at the vhosts on the machine and offer a list of sites first. Is this an erroneous assumption?

Finally, with regards to your first reply, I'm sorry I'm not sure I understand. Are you asking to see the SurfProtect certificate?


When certbot tried to reach https://acme-v02.api.letsencrypt.org/directory it "failed" because

which means it was presented with a certificate (just NOT one that it trusts for the name requested).
I was hoping to see that cert and it could explain why this problem is happening. But that seems rather obvious now.

I would have to defer you to any SurfProtect instructions regarding "how to" install their cert into your particular system.
But from an uninformed third-party perspective... that seems right.

I suppose the SurfProtect system is "Protecting" you from that site - LOL
OR
hmm...
Maybe HSTS is involved?

It is not a bad assumption; but I can't say for sure that it does work that way.
Seeing that it didn't, I would suspect that it must first speak with LE before offering those choices.
[just a somewhat logical assumption on my part - I had no part in coding nor maintaining certbot code]
Either way it won't be able to get you a cert (as is).

This makes sense. The delay in reply is because I had the ip address for the domain (assessments.kite.academy) updated to point to the new server (this isn't something I have access to myself). When the transfer was complete I ran sudo certbot --apache again and am receiving the same error at the same point. Is there a way I can determine / view which certificate it's complaining about?

I've looked at the letsencrypt.log and it contains

2021-08-19 23:23:13,265:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-08-19 23:23:13,653:DEBUG:certbot._internal.main:certbot version: 1.18.0
2021-08-19 23:23:13,653:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1343/bin/certbot
2021-08-19 23:23:13,653:DEBUG:certbot._internal.main:Arguments: ['--apache', '--preconfigured-renewal']
2021-08-19 23:23:13,653:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-08-19 23:23:13,665:DEBUG:certbot._internal.log:Root logging level set at 30
2021-08-19 23:23:13,666:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2021-08-19 23:23:13,757:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.41
2021-08-19 23:23:13,922:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fb27e121bb0>
Prep: True
2021-08-19 23:23:13,922:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fb27e121bb0> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7fb27e121bb0>
2021-08-19 23:23:13,923:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2021-08-19 23:23:20,381:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-08-19 23:23:20,382:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-08-19 23:23:20,494:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)

It then goes on to have other exceptions during the handling of that, but given that this is the first error encountered I think it's probably safe to assume this is what I should worry about first. There isn't anything leaping out at me though - is there anything in there that I am missing?

I didn't actually receive any explicit instructions - I am led to believe that there isn't anything special required when installing it.

FYI: I looked into the "Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings" issue a little more. Turns out the message got cached while I had disabled the cert. I just had to remove "/var/lib/ubuntu-release-upgrader/release-upgrade-available" and all is good.

The log you provided should show us... I'll review it after posting.
If not, you can rerun the command to show much more detail, with:
-vvv

Probably some required integration with SurfProtect and certbot.

I've never seen --preconfigured-renewal.
In fact, I tested those same parameters with version 1.18.0 and it doesn't even recognize it:

certbot --apache --pre-configured-renewal
usage:
  certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates.  By default,
it will attempt to use a webserver both for obtaining and installing the
certificate.
certbot: error: unrecognized arguments: --pre-configured-renewal

EDIT: It turns out that it adds that parameter in by itself; but it can't be requested at the command line.
With command:
certbot --apache -vvv
I get:

2021-08-19 23:43:39,728:DEBUG:urllib3.connectionpool:http://localhost:None "GET /v2/connections?snap=certbot&interface=content HTTP/1.1" 200 97
2021-08-19 23:43:40,203:DEBUG:certbot._internal.main:certbot version: 1.18.0
2021-08-19 23:43:40,203:DEBUG:certbot._internal.main:Location of certbot entry point: /snap/certbot/1343/bin/certbot
2021-08-19 23:43:40,203:DEBUG:certbot._internal.main:Arguments: ['--apache', '-vvv', '--preconfigured-renewal']

Why don't we try using --webroot instead of --apache?
At least to see if that error goes away.

Having run sudo certbot --webroot I get

With the webroot plugin, you probably want to use the "certonly" command, eg:

    certbot certonly --webroot

(Alternatively, add a --installer flag. See https://eff.org/letsencrypt-plugins
 and "--help plugins" for more information.)

Although it made a nice change to receive a different message (yay!) I'm not prompted for an email address, so I'm guessing it's stopping before it reaches the problem area rather than bypassing the problem.

Running certbot --apache -vvv gives me

Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator apache and installer apache
Apache version is 2.4.41
Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: Installer, Authenticator, Plugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f981d2f7dc0>
Prep: True
Selected authenticator <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f981d2f7dc0> and installer <certbot_apache._internal.override_debian.DebianConfigurator object at 0x7f981d2f7dc0>
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices)
 (Enter 'c' to cancel): blah@blah.com
Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/1343/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 1273, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 756, in _init_le_client
    acc, acme = _determine_account(config)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 673, in _determine_account
    acc, acme = client.register(
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 182, in register
    acme = acme_from_config_key(config, key)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 46, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/snap/certbot/1343/lib/python3.8/site-packages/acme/client.py", line 835, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/snap/certbot/1343/lib/python3.8/site-packages/acme/client.py", line 1179, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/snap/certbot/1343/lib/python3.8/site-packages/acme/client.py", line 1128, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))

Should I now try certbot certonly --webroot?

--webroot requires a bit more.
We know that --apache is having trouble, there is no need to continue using that.
We need the following:
certbot certonly \
--webroot -w /the/actual/path/to/document/root \
-d "your.domain,www.your.domain" \
--dry-run \
-vvv

The --dry-run is to run this as a TEST only.
We use the testing environment first and until we are fairly certain that it works before trying to get a real cert from the production environment.
Otherwise we are just testing with the production environment :frowning:

Let me know the outcome or if you have any question.

Ok, I've run the command as you instructed:

Root logging level set at 0
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requested authenticator webroot and installer None
Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: Authenticator, Plugin
Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f75153d9e50>
Prep: True
Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f75153d9e50> and installer None
Plugins selected: Authenticator webroot, Installer None
Sending GET request to https://acme-staging-v02.api.letsencrypt.org/directory.
Starting new HTTPS connection (1): acme-staging-v02.api.letsencrypt.org:443
Exiting abnormally:
Traceback (most recent call last):
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 699, in urlopen
    httplib_response = self._make_request(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 382, in _make_request
    self._validate_conn(conn)
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 1010, in _validate_conn
    conn.connect()
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connection.py", line 411, in connect
    self.sock = ssl_wrap_socket(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 449, in ssl_wrap_socket
    ssl_sock = _ssl_wrap_socket_impl(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/ssl_.py", line 493, in _ssl_wrap_socket_impl
    return ssl_context.wrap_socket(sock, server_hostname=server_hostname)
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 500, in wrap_socket
    return self.sslsocket_class._create(
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 1040, in _create
    self.do_handshake()
  File "/snap/certbot/1343/usr/lib/python3.8/ssl.py", line 1309, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/adapters.py", line 439, in send
    resp = conn.urlopen(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/connectionpool.py", line 755, in urlopen
    retries = retries.increment(
  File "/snap/certbot/1343/lib/python3.8/site-packages/urllib3/util/retry.py", line 574, in increment
    raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/snap/certbot/1343/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 1566, in main
    return config.func(config, plugins)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 1408, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 756, in _init_le_client
    acc, acme = _determine_account(config)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/main.py", line 673, in _determine_account
    acc, acme = client.register(
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 182, in register
    acme = acme_from_config_key(config, key)
  File "/snap/certbot/1343/lib/python3.8/site-packages/certbot/_internal/client.py", line 46, in acme_from_config_key
    client = acme_client.BackwardsCompatibleClientV2(net, key, config.server)
  File "/snap/certbot/1343/lib/python3.8/site-packages/acme/client.py", line 835, in __init__
    directory = messages.Directory.from_json(net.get(server).json())
  File "/snap/certbot/1343/lib/python3.8/site-packages/acme/client.py", line 1179, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/snap/certbot/1343/lib/python3.8/site-packages/acme/client.py", line 1128, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/sessions.py", line 542, in request
    resp = self.send(prep, **send_kwargs)
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/sessions.py", line 655, in send
    r = adapter.send(request, **kwargs)
  File "/snap/certbot/1343/lib/python3.8/site-packages/requests/adapters.py", line 514, in send
    raise SSLError(e, request=request)
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))
An unexpected error occurred:
requests.exceptions.SSLError: HTTPSConnectionPool(host='acme-staging-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self signed certificate in certificate chain (_ssl.c:1131)')))
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Please show the output of:
openssl s_client -connect acme-staging-v02.api.letsencrypt.org:443 -showcerts

Output follows (I'm assuming these are public certificates and safe to put here in full, please let me know if I am mistaken!):

CONNECTED(00000003)
depth=2 C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
verify return:1
depth=1 C = GB, ST = England, O = Exa Networks Ltd, OU = SurfProtect Intermediate Certificate Authority, CN = "SurfProtect London 2021,2022"
verify return:1
depth=0 O = SurfProtect
verify return:1
---
Certificate chain
 0 s:O = SurfProtect
   i:C = GB, ST = England, O = Exa Networks Ltd, OU = SurfProtect Intermediate Certificate Authority, CN = "SurfProtect London 2021,2022"
 1 s:C = GB, ST = England, O = Exa Networks Ltd, OU = SurfProtect Intermediate Certificate Authority, CN = "SurfProtect London 2021,2022"
   i:C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
 2 s:C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
   i:C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
---
Server certificate
subject=O = SurfProtect

issuer=C = GB, ST = England, O = Exa Networks Ltd, OU = SurfProtect Intermediate Certificate Authority, CN = "SurfProtect London 2021,2022"

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: ECDSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4563 bytes and written 454 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 256 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 18A74F5A67B71050B6197FDE27F288014414F579C66D64C4ED6E9B3A2E4D3B0C
    Session-ID-ctx:
    Master-Key: DCDF43812E70FD5DCF18B362BBA76736B8C3FCE125273130B6EFEE900CA62BD8B59878EF04EE07B4D51CF8B0EA6E0C47
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:

    Start Time: 1629478491
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

The cert is from the inline (MITM) proxy.
You need to speak with whomever manages your SurfProtect software (or their company directly) about it and how it should handle requests to LetsEncrypt.

Here is a more visual representation of that certificate (and yes that is all public information):
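The diagnosis above can be scripted. The following is an added example (not code from the thread, certbot or SurfProtect) that parses the "Certificate chain" block of `openssl s_client -showcerts` output and flags a chain anchored at a local CA rather than a public Let's Encrypt root; the sample inputs are constructed from the subject/issuer lines shown earlier, and the set of expected root CNs is an assumption of the example.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Assumption of this example: the Let's Encrypt API hosts chain to an ISRG
# root, so any other trust anchor was minted locally by an inspection proxy.
EXPECTED_ROOT_CNS = {"ISRG Root X1", "ISRG Root X2"}

ChainEntry = NamedTuple("ChainEntry", [("depth", int), ("subject", str), ("issuer", str)])

def parse_dn(dn: str) -> dict[str, str]:
    """Split 'C = GB, CN = "A,B"' into {'C': 'GB', 'CN': 'A,B'}, honouring quotes."""
    pairs = re.findall(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^,]*)', dn)
    return {key: value.strip().strip('"') for key, value in pairs}

def parse_chain(s_client_output: str) -> list[ChainEntry]:
    """Read the ' N s:<subject>' / '   i:<issuer>' pairs; PEM bodies are ignored."""
    block = re.search(r"^Certificate chain\n(.*?)^---$", s_client_output, re.S | re.M)
    if not block:
        return []
    pairs = re.findall(r"^\s*(\d+) s:(.*)\n\s*i:(.*)$", block.group(1), re.M)
    return [ChainEntry(int(d), s.strip(), i.strip()) for d, s, i in pairs]

def hostname_matches(cn: str, host: str) -> bool:
    """Exact match or a single-label wildcard such as '*.api.example.org'."""
    cn, host = cn.lower(), host.lower()
    if cn.startswith("*."):
        return host.count(".") == cn.count(".") and host.endswith(cn[1:])
    return cn == host

def assess(chain: list[ChainEntry], expected_host: str) -> tuple[bool, list[str]]:
    """Return (interception suspected, reasons); the trust anchor is decisive."""
    if not chain:
        return False, ["no 'Certificate chain' block found"]
    reasons = []
    leaf_cn = parse_dn(chain[0].subject).get("CN", "")
    if not hostname_matches(leaf_cn, expected_host):
        # s_client prints only the CN, never the SANs, so this is a hint only.
        reasons.append(f"leaf subject {chain[0].subject!r} has no CN for {expected_host}")
    root_cn = parse_dn(chain[-1].issuer).get("CN", "")
    foreign_root = root_cn not in EXPECTED_ROOT_CNS
    if foreign_root:
        reasons.append(f"chain is anchored at {root_cn!r}, not a public Let's Encrypt root")
    return foreign_root, reasons

# Constructed from the subject/issuer lines in the thread; PEM bodies omitted.
INTERCEPTED = """\
---
Certificate chain
 0 s:O = SurfProtect
   i:C = GB, ST = England, O = Exa Networks Ltd, OU = SurfProtect Intermediate Certificate Authority, CN = "SurfProtect London 2021,2022"
-----BEGIN CERTIFICATE-----
MIIB...(omitted)
-----END CERTIFICATE-----
 1 s:C = GB, ST = England, O = Exa Networks Ltd, OU = SurfProtect Intermediate Certificate Authority, CN = "SurfProtect London 2021,2022"
   i:C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
 2 s:C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
   i:C = GB, ST = England, O = Exa Networks Ltd, OU = Exa Networks Ltd Certificate Authority, CN = Exa Networks Ltd Root CA
---
"""

# Constructed: what an un-proxied connection to the staging API would show.
DIRECT = """\
Certificate chain
 0 s:CN = acme-staging-v02.api.letsencrypt.org
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

if __name__ == "__main__":
    for label, text in (("thread output", INTERCEPTED), ("direct", DIRECT)):
        hit, why = assess(parse_chain(text), "acme-staging-v02.api.letsencrypt.org")
        print(f"{label}: {'INTERCEPTION SUSPECTED' if hit else 'chain looks genuine'}")
        for reason in why:
            print("  -", reason)
```

The `Verification: OK` in the thread's openssl output only shows that the system store trusts the Exa root added with dpkg-reconfigure; certbot installed as a snap carries its own CA bundle rather than reading /etc/ssl/certs, which is why it keeps failing on the same chain.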

I am passing this across to the people who would deal with it. If anything else emerges that may help the next person I will add another reply.

Thank you very, very much. I really appreciate your time and help!

