Chain.pem unreadable

Hello,

My ssl_stapling in Nginx has been failing since the beginning of this week because chain.pem is unreadable (if I understand the log below correctly). I didn't touch my config (nginx/certbot or other), and I checked that chain.pem is present in the default folder /etc/letsencrypt/live/mywebsite/chain.pem.
=> Why is chain.pem unreadable now? What is wrong?

command: sudo service nginx status
result: août 01 21:06:19 raspberrypi nginx[603]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"

command: sudo openssl ocsp -issuer chain.pem -cert tm.pem -text -url http://ocsp.int-x3.letsencrypt.org
result:
Error opening issuer certificate chain.pem
1995642976:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('chain.pem','r')
1995642976:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load certificate

Nginx config:
ssl_stapling on;
resolver 80.67.169.12 valid=30s;
resolver_timeout 5s;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/mywebsite/chain.pem;

Have a nice day.

Did you cd /etc/letsencrypt/live/mywebsite before running this test? It will try to read chain.pem from the current directory.

Edit: or, is the command that you’re running with sudo a command that you’re running interactively from the command line as a test, or a command that’s somehow being run automatically?

By the way, I think the error message that you see is usually a firewall or container issue (that your nginx process is not being allowed to make a DNS lookup and/or outbound network connections, which it needs to do for OCSP stapling), rather than a problem related to the chain.pem file. We just had someone else getting a similar error which turned out to be related to container permissions (basically, that a particular container wasn’t allowed to make some kind of outbound network requests).

Hello,

These commands are used as tests to try to understand where the issue is. I use “sudo” because I can't access the files otherwise (the access rights are shown below).

Command: sudo ls -l /etc/letsencrypt/live/
drwxr-xr-x 2 root root 4096 juil. 12 08:43 mywebsite1
drwxr-xr-x 2 root root 4096 juil. 24 11:24 mywebsite2
drwxr-xr-x 2 root root 4096 juil. 24 18:40 mywebsite3
drwxr-xr-x 2 root root 4096 juil. 11 20:48 mywebsite4

Command: sudo ls -l /etc/letsencrypt/live/mywebsite1
lrwxrwxrwx 1 root root 40 juil. 11 20:48 cert.pem -> …/…/archive/mywebsite1/cert1.pem
lrwxrwxrwx 1 root root 41 juil. 11 20:48 chain.pem -> …/…/archive/mywebsite1/chain1.pem
lrwxrwxrwx 1 root root 45 juil. 11 20:48 fullchain.pem -> …/…/archive/mywebsite1/fullchain1.pem
lrwxrwxrwx 1 root root 43 juil. 11 20:48 privkey.pem -> …/…/archive/mywebsite1/privkey1.pem
-rw-r--r-- 1 root root 543 juil. 11 20:48 README

I don't understand, because I haven't touched my server during the last 2 weeks. So what's the problem? Or how can I find it?

Have a nice day.

The obvious first step would be:

what is the output of cat /etc/letsencrypt/live/mywebsite/chain.pem

Something may have corrupted the certificate, or there may have been a system update of software such as NGINX or OpenSSL which has introduced a bug.

Establish that you have a valid certificate file first, then move on to other problems.

=> Why is chain.pem unreadable now? What is wrong?

No idea. Stop asking this question please. You are getting an error message so the first step is to confirm what the error message is and if it’s correct. If you follow the error message you will most likely get a resolution quickly.

The error message is usually to do when a file is not present on the filesystem (it’s an openssl error message).

Trying to figure out how things happen is what you do AFTER you fix the problem. Someone may have deleted the wrong folder or a script may have removed something.

Andrei

Hi @IssueFindings,

I would still like to hear your answers to these questions because I didn’t understand the context in which the command that failed was being run.

Hello,

I forgot to explain that before posting here and disturbing everybody, I checked the certificates (and I renewed the certificates of one of my websites to make sure). After all of these preparatory actions, the issue is still there :cold_sweat:

Many thanks for your message. Have a nice day.

Sorry for the delay. The command cd /etc/letsencrypt/live/mywebsite works (previously, I had to use the command sudo -i). I can edit the file chain.pem with the nano editor directly from the current directory.

=> What do you mean?

Have a nice day.

Earlier you wrote about an error you saw from the command

I didn't understand the circumstances in which you are running this command (why, when, and in what directory).

Hello,

When I discovered that my web sites were down, I tried to find out why. So first, I checked that I could still access them locally (without using the Nginx service). That was true. Then, I checked the status of Nginx itself (error message posted previously). And finally, I understood that the issue was linked to the Let's Encrypt certificates. To confirm this point, I executed the command sudo openssl ocsp -issuer chain.pem -cert tm.pem -text -url http://ocsp.int-x3.letsencrypt.org, but in the home directory :fearful:

So, I executed the commands below again (I put the details to avoid careless mistakes on my part).
sudo -i
cd /etc/letsencrypt/live/mywebsite/
openssl ocsp -issuer chain.pem -cert cert.pem -text -url http://ocsp.int-x3.letsencrypt.org -header "HOST" "ocsp.int-x3.letsencrypt.org"

Result:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: XXXX
          Issuer Key Hash: XXX
          Serial Number: XXX
    Request Extensions:
        OCSP Nonce: XXX
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    Produced At: Aug  7 18:52:00 2017 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: XXX
      Issuer Key Hash: XXX
      Serial Number: XXXX
    Cert Status: good
    This Update: Aug  7 18:00:00 2017 GMT
    Next Update: Aug 14 18:00:00 2017 GMT
    Signature Algorithm: sha256WithRSAEncryption
         XXXXX
WARNING: no nonce in response
Response Verify Failure
1995540576:error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found:ocsp_vfy.c:92:
cert.pem: good
    This Update: Aug  7 18:00:00 2017 GMT
    Next Update: Aug 14 18:00:00 2017 GMT

Have a nice day.

So, it looks like that OCSP check has completed successfully with no OCSP error when run in the appropriate directory, or did I misunderstand something?

You are right, except for the error line below (what does that mean?).

On the other hand, when I use the command sudo service nginx status -l I obtain the error message below.
```
nginx.service - A high performance web server and a reverse proxy server
Loaded: loaded (/lib/systemd/system/nginx.service; enabled)
Active: active (running) since mar. 2017-08-08 01:01:45 CEST; 6h ago
Process: 825 ExecStart=/usr/sbin/nginx -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Process: 605 ExecStartPre=/usr/sbin/nginx -t -q -g daemon on; master_process on; (code=exited, status=0/SUCCESS)
Main PID: 829 (nginx)
CGroup: /system.slice/nginx.service
├─829 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
├─830 nginx: worker process
├─831 nginx: worker process
├─832 nginx: worker process
└─833 nginx: worker process

août 08 01:01:45 raspberrypi nginx[605]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi nginx[605]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi nginx[605]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi nginx[825]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi nginx[825]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi nginx[825]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi systemd[1]: Started A high performance web server and a reverse proxy server.
```

I understand that an issue is pending between Nginx and OCSP. What do you think?

Have a nice day.

Agreed, which might be the result of a network problem or an Nginx configuration problem.

Would you be willing to start a new topic called something like "OCSP stapling failure in nginx"? Maybe someone who knows more about that would notice and be willing to help you with that.
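Added diagnostic script, not from the thread or from anyone posting in it: nginx emits `"ssl_stapling" ignored, host not found in OCSP responder "..."` when its config-time lookup of the responder name (taken from the certificate's AIA field, via the system resolver) fails, which is the DNS/network explanation @schoen gives above. The script extracts the responder hosts from journal lines (a constructed sample modelled on those quoted in the thread) and checks whether the system resolver can resolve each one.

```shell
#!/bin/sh
# Constructed sample of the nginx journal lines quoted in the thread.
SAMPLE_LOG='août 08 01:01:45 raspberrypi nginx[605]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi nginx[825]: nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org"
août 08 01:01:45 raspberrypi systemd[1]: Started A high performance web server and a reverse proxy server.'

# Read log lines on stdin; print each distinct responder host that nginx
# reported as "host not found".
ocsp_hosts_from_log() {
    sed -n 's/.*host not found in OCSP responder "\([^"]*\)".*/\1/p' | sort -u
}

# Return 0 if the system resolver (/etc/resolv.conf, the one nginx uses
# when it parses the config) can resolve the host. The nginx "resolver"
# directive does not help at config load time.
host_resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# With "live", read the real nginx journal; otherwise use the sample.
diagnose() {
    if [ "$1" = "live" ]; then
        journalctl -u nginx --no-pager | ocsp_hosts_from_log
    else
        printf '%s\n' "$SAMPLE_LOG" | ocsp_hosts_from_log
    fi | while read -r host; do
        if host_resolves "$host"; then
            echo "$host resolves: next check outbound port 80 and ssl_trusted_certificate"
        else
            echo "$host does NOT resolve: fix DNS/network before touching chain.pem"
        fi
    done
}

if [ "${1:-}" = "live" ]; then
    diagnose live
fi
```

Run it as `sh ocsp_diag.sh live` on the nginx host; without arguments the functions are only defined, so the script can be sourced and `diagnose` called on the sample.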

I fixed it :star_struck: thanks to you. Many thanks @schoen!!! The issue is very basic: I have a dynamic IP and I only just discovered this point (I had the same IP for 1 year…)

Have a nice day.
