Certificate was signed by unknown authority on Nginx


#1

My domain is: https://advancedrestclient.com/

I ran this command: ./certbot-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

It produced this output:
In first run:


Processing /etc/letsencrypt/renewal/api.chromerestclient.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/advancedrestclient.com.conf

Cert is due for renewal, auto-renewing…
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Running pre-hook command: service nginx stop
Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for www.advancedrestclient.com
tls-sni-01 challenge for advancedrestclient.com
Waiting for verification…
Cleaning up challenges
Generating key (2048 bits): /etc/letsencrypt/keys/0007_key-certbot.pem
Creating CSR: /etc/letsencrypt/csr/0007_csr-certbot.pem


new certificate deployed without reload, fullchain is
/etc/letsencrypt/live/advancedrestclient.com/fullchain.pem

The following certs are not due for renewal yet:
/etc/letsencrypt/live/api.chromerestclient.com/fullchain.pem (skipped)
Congratulations, all renewals succeeded. The following certs have been renewed:
/etc/letsencrypt/live/advancedrestclient.com/fullchain.pem (success)
Running post-hook command: service nginx start

When trying to run it again:


Processing /etc/letsencrypt/renewal/api.chromerestclient.com.conf

Cert not yet due for renewal


Processing /etc/letsencrypt/renewal/advancedrestclient.com.conf

Cert not yet due for renewal

The following certs are not due for renewal yet:
/etc/letsencrypt/live/api.chromerestclient.com/fullchain.pem (skipped)
/etc/letsencrypt/live/advancedrestclient.com/fullchain.pem (skipped)
No renewals were attempted.
No renewals attempted, so not running post-hook

My operating system is (include version):
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty

My web server is (include version): nginx/1.4.6 (Ubuntu)

My hosting provider, if applicable, is: Google Compute Engine

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No, ssh only.

According to my browser: Certificate was signed by unknown authority. I tried to remove the certificate from the server and renew it. Nothing helped. Interesting fact: it was working for almost a month since the last renewal. Since then I haven't changed anything on the server. It just happened. Not sure why or how. Only I have access to the server.
Hope someone can help me with this.


#2

Nginx isn’t configured to send the entire certificate chain. You need to change this:

ssl_certificate /etc/letsencrypt/live/advancedrestclient.com/cert.pem;

to this:

ssl_certificate /etc/letsencrypt/live/advancedrestclient.com/fullchain.pem;

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
https://whatsmychaincert.com/
https://www.ssllabs.com/ssltest/analyze.html?d=advancedrestclient.com&hideResults=on

Edit: Wrong domain. Oops.


#3

That helped. Thanks.
Is that something I did wrong? Or is it a configuration script that put the wrong certificate in?


#4

Probably you, no offense. :sweat: Certbot’s Nginx plugin is a fairly recent feature, so you most likely wrote the Nginx configuration by hand, and presumably Certbot’s plugin generates the proper configuration.


#5

It's more confusing than we might like because different software expects either one file with all these certificates (certbot calls that fullchain.pem) or separate files for the certificate and the chain, provided as cert.pem and chain.pem.

If you’re new to this, and figure cert.pem is the certificate (which it is) without realising there might be more to it (you should configure intermediate certificates too, somehow) on the software you’re using, it’s easy to fall into this trap. I think our brightest hope for the future is that Let’s Encrypt is so popular and so easy to develop against that software Just Works™ and most people never need to know about this.
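The fix in #2 and the cert.pem / chain.pem / fullchain.pem distinction in #5 can be turned into a mechanical check. The script below is an added example, not code from this thread, from Certbot or from nginx: it counts the certificates in a PEM bundle and walks every `ssl_certificate` directive in an nginx vhost, flagging any that points at a file holding only one certificate (a leaf-only cert.pem). The vhost text, the work directory and the PEM stand-ins (PEM framing with placeholder bodies, not real certificates) are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example: detect the "ssl_certificate points at cert.pem instead of
# fullchain.pem" mistake before nginx serves an incomplete chain.
# All paths, the sample vhost and the PEM contents below are constructed.

# Number of certificates in a PEM bundle. A leaf-only cert.pem has 1;
# fullchain.pem (leaf followed by the intermediates) has 2 or more.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Check every ssl_certificate directive (not ssl_certificate_key) in an nginx
# config. Returns 0 if each one points at a bundle with more than one
# certificate, 1 otherwise, printing the offending path.
check_nginx_chain() {
    conf="$1"; bad=0
    for f in $(sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$conf"); do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f"; bad=1
        elif [ "$(count_certs "$f")" -lt 2 ]; then
            echo "LEAF-ONLY: $f (use fullchain.pem, or add ssl_trusted_certificate)"; bad=1
        fi
    done
    return $bad
}

# Constructed stand-ins: PEM framing with a placeholder body, not real
# certificates, just enough for the counting logic to be exercised offline.
fake_cert() {
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' "$1" '-----END CERTIFICATE-----'
}

WORK=$(mktemp -d)
fake_cert LEAF         > "$WORK/cert.pem"
fake_cert INTERMEDIATE > "$WORK/chain.pem"
cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"

# The vhost as the original poster had it (leaf only) ...
cat > "$WORK/broken.conf" <<EOF
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate     $WORK/cert.pem;
    ssl_certificate_key $WORK/privkey.pem;
}
EOF
# ... and after the fix from #2.
sed 's#/cert.pem;#/fullchain.pem;#' "$WORK/broken.conf" > "$WORK/fixed.conf"

echo "broken.conf:"; check_nginx_chain "$WORK/broken.conf" || echo "  -> FAIL"
echo "fixed.conf:";  check_nginx_chain "$WORK/fixed.conf"  && echo "  -> OK"
```

Run it against `/etc/nginx/sites-enabled/*` before `service nginx start` in the post-hook and the renewal cannot silently reintroduce the problem. To confirm what a live server actually sends, `openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null` lists every certificate in the handshake; one certificate where two are expected is the same symptom the browser reported as "signed by unknown authority".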

