Certs issued by CN=R3 are not recognized

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: s.hdnux.com

I ran this command:

curl -v --resolve s.hdnux.com:443:98.129.228.59 https://s.hdnux.com/photos/01/15/65/46/20404665/3/ratio3x2_300.jpg

It produced this output:

* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate

My web server is (include version):
apache2 2.4.7-1ubuntu4.8

The operating system my web server runs on is (include version):
Ubuntu 14.04

My hosting provider, if applicable, is:
Rackspace

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.26.1

We have 135 certs that are renewed on a rolling basis. Four of them renewed last night and this morning our CDN, Fastly, was unable to connect to origin because they do not recognize the new certs. The certs are:

s.hdnux.com
newstimes.com
stamfordadvocate.com
greenwichtime.com

The prior certs were issued by:
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

The problematic certs were issued by:
issuer= /C=US/O=Let's Encrypt/CN=R3


Hi @pmastren

There is no Let's Encrypt certificate, there is a GlobalSign certificate.

So it's impossible to check your server.

That's changed. Your server must send the new R3 certificate. If not, the error is expected.


Hello @pmastren,

It is a bit strange that you are testing your server pointing to IP 98.129.228.59 instead of the IP resolved by your DNS but... the problem is that you are not serving the Let's Encrypt chain in your Apache conf, so you are not serving the intermediate cert (R3):

$ echo | openssl s_client -connect 98.129.228.59:443 -servername s.hdnux.com -showcerts 2>/dev/null | grep '^ [0-1]'
 0 s:CN = s.hdnux.com

If you were serving the intermediate certificate you should see one more line:

1 s:C = US, O = Let's Encrypt, CN = R3

If you paste your apache conf we could show you the right conf.

Edit: I didn't see you were using Apache 2.4.7 so in this case, you should have a line like this in the VirtualHost where you are defining the SSL directives:

SSLCertificateChainFile /etc/letsencrypt/live/s.hdnux.com/chain.pem

Cheers,
sahsanu

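The check sahsanu did by hand with grep, written out as an added example (not code from the thread): parse the subject/issuer lines of an `openssl s_client -showcerts` transcript and report whether the server sent the intermediate that the leaf's issuer requires. The transcripts and the trusted root name below are constructed for illustration.

```python
import re

# Constructed samples of `openssl s_client -showcerts` output, with the
# PEM bodies elided; the root name is illustrative, not taken from the thread.
BROKEN_CHAIN = """\
Certificate chain
 0 s:CN = s.hdnux.com
   i:C = US, O = Let's Encrypt, CN = R3
-----BEGIN CERTIFICATE-----
...elided...
-----END CERTIFICATE-----
"""
FIXED_CHAIN = """\
Certificate chain
 0 s:CN = s.hdnux.com
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
"""

# Assumed contents of the verifying client's trust store (subject names only).
TRUSTED_ROOTS = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}

SUBJECT_RE = re.compile(r"^\s*\d+ s:(.*)$")  # " 0 s:CN = ..." lines
ISSUER_RE = re.compile(r"^\s+i:(.*)$")       # "   i:C = US, ..." lines

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain = []
    for line in output.splitlines():
        if m := SUBJECT_RE.match(line):
            chain.append([m.group(1).strip(), None])
        elif (m := ISSUER_RE.match(line)) and chain and chain[-1][1] is None:
            chain[-1][1] = m.group(1).strip()
    return [tuple(c) for c in chain]

def check_chain(output, trusted_roots=TRUSTED_ROOTS):
    """Walk the served chain the way a client does: each cert's issuer must be
    either a trusted root or the subject of the next cert the server sent."""
    chain = parse_chain(output)
    if not chain:
        return "no certificate chain found"
    for pos, (subject, issuer) in enumerate(chain):
        if issuer in trusted_roots:
            return "ok"
        if pos + 1 == len(chain):
            # Leaf sent alone: the Apache-without-SSLCertificateChainFile case.
            return f"missing intermediate: server did not send {issuer!r}"
        if chain[pos + 1][0] != issuer:
            return f"broken chain: expected {issuer!r} next, got {chain[pos + 1][0]!r}"
    return "ok"
```

Feed it the real `-showcerts` output of a host to see which of the two cases you are in; `check_chain` reports "ok" only when the served certs link all the way to a subject in the trust store.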

There is a cert issued:
crt.sh | 3839647697

The problem is within your system (that's doing the curling).
It needs an update to the /etc/ssl/certs/ca-certificates.crt file.
Mine has a size of 233394 and is dated Mar 6, 2019.

Need I say more?

If you try to issue the same command @pmastren is using, you will receive the same error (it doesn't matter whether you have the ca certificates up to date) :wink:

$ curl -v --resolve s.hdnux.com:443:98.129.228.59 https://s.hdnux.com/photos/01/15/65/46/20404665/3/ratio3x2_300.jpg
* Added s.hdnux.com:443:98.129.228.59 to DNS cache
* Hostname s.hdnux.com was found in DNS cache
*   Trying 98.129.228.59:443...
* TCP_NODELAY set
* Connected to s.hdnux.com (98.129.228.59) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

@sahsanu, I do now see what you see.
And can confirm it with:
openssl s_client -connect 98.129.228.59:443 -servername s.hdnux.com -showcerts

And also to the default cert name provided by the IP:

Name:    newstimes.com
Address:  98.129.228.59

curl -v https://newstimes.com/
*   Trying 98.129.228.59...
* TCP_NODELAY set
* Connected to newstimes.com (98.129.228.59) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, Server hello (2):
* SSL certificate problem: unable to get local issuer certificate
* stopped the pause stream!
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.