Curl refuses to accept my cert, saying the certificate issuer is not recognized

I am running Centos 7 on a Google Compute Cloud host.

I have a site https://drive.nusalaska.com that I am building as a nextcloud server.

I ran certbot certonly -d drive.nusalaska.com to get my certificate, and everything went well there.

I applied the certificate to my apache config.d file and both chrome and firefox are happy with the certificate and show the site as being secure.

However, if I try to access the site via curl (which I need to do for a plugin I’m working on) it complains and says that it does not trust the Certificate Issuer.

Here are the relevant configs etc:

# cat /etc/httpd/conf.d/drive.conf
<VirtualHost *:80>
  ServerName drive.nusalaska.com
  Redirect permanent / https://drive.nusalaska.com/
</VirtualHost>

<VirtualHost *:443>
  ServerName drive.nusalaska.com:443
  DocumentRoot /var/www/drive.nusalaska.com/public/

  SSLEngine on

  SSLCertificateFile /etc/letsencrypt/live/drive.nusalaska.com/fullchain.pem
  SSLCertificateKeyFile /etc/letsencrypt/live/drive.nusalaska.com/privkey.pem

  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On

  <Directory /var/www/drive.nusalaska.com/public/>
    Options +FollowSymlinks
    AllowOverride all
    setEnv HOME /var/www/drive.nusalaska.com/public/
    setEnv HTTP_HOME /var/www/drive.nusalaska.com/public/
  </Directory>
  <Location />
    AllowOverride all
    Require all granted
  </Location>
</VirtualHost>
# curl -vvv https://drive.nusalaska.com/ > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to drive.nusalaska.com port 443 (#0)
*   Trying 35.197.51.147...
* Connected to drive.nusalaska.com (35.197.51.147) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject: CN=drive.nusalaska.com
* 	start date: Aug 24 23:29:00 2017 GMT
* 	expire date: Nov 22 23:29:00 2017 GMT
* 	common name: drive.nusalaska.com
* 	issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peers Certificate issuer is not recognized.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) Peers Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html

Here is what I have already tried:

  • Yum reinstall ca-certificates
  • update-ca-trust

I have fiddled around with a bunch of other random stuff but all to no avail. If someone could maybe take a look at the certificate and see what is wrong that would be helpful.

I also checked the setup using this ssl config test which gives lots of information about how the SSL config is working.

Overall, I’m just really confused why curl and the above SSL testing site say that the Issuer is wrong or that the chain is out of order. Is this a bug with certbot or did I do something wrong? I honestly can’t tell at this point.

The certificate chain is incomplete. (Chrome and Firefox only accept it because they've cached the Let's Encrypt intermediate from visits to other websites.)

https://www.ssllabs.com/ssltest/analyze.html?d=drive.nusalaska.com&hideResults=on

That only works in Apache 2.4.8 or newer. According to the site's Server header, it's using 2.4.6. :slightly_frowning_face: You need:

SSLCertificateFile /etc/letsencrypt/live/drive.nusalaska.com/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/drive.nusalaska.com/chain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/drive.nusalaska.com/privkey.pem
3 Likes
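Two checks that back up the answer above, as an added example rather than code from the thread, from certbot or from Apache: the first parses `openssl s_client -showcerts` output to confirm that the server sends the leaf without its intermediate, which is exactly what curl's SEC_ERROR_UNKNOWN_ISSUER means; the second picks the SSLCertificate directives for the installed httpd version, using the 2.4.8 threshold for fullchain.pem support. It assumes `openssl`, `awk` and `sed` are installed and the standard `/etc/letsencrypt/live/<name>/` layout. The `s_client` excerpts embedded at the bottom are constructed for the offline demo, not captured from the site.

```shell
#!/bin/sh
# Added example (not from the thread): detect an incomplete chain from
# `openssl s_client -showcerts` output and emit the Apache certificate
# directives that match the installed httpd version.

# fetch_chain HOST: live capture of the chain the server actually sends.
# -servername supplies SNI so a name-based vhost answers with its own cert.
fetch_chain() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null
}

# chain_status: reads s_client output on stdin and prints one of
#   complete    - a later certificate's subject equals the leaf's issuer
#   incomplete  - the leaf's issuer (the intermediate) was not sent
#   no-certs    - nothing parsable (handshake failed, wrong port, ...)
# Only the served chain is inspected; whether the last cert chains to a
# root in the local trust store is left to curl/openssl verify.
chain_status() {
  awk '
    /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
    /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
    END {
      if (n == 0) { print "no-certs"; exit }
      for (k = 2; k <= n; k++)
        if (subj[k] == iss[1]) { print "complete"; exit }
      print "incomplete"
    }'
}

# needs_chainfile VERSION: true when httpd is older than 2.4.8, i.e. when
# mod_ssl will not read intermediates out of SSLCertificateFile.
needs_chainfile() {
  echo "$1" | awk -F. '{
    old = ($1 < 2) || ($1 == 2 && ($2 < 4 || ($2 == 4 && $3 < 8)))
    exit old ? 0 : 1
  }'
}

# httpd_version: version string of the local Apache, e.g. 2.4.6 on CentOS 7.
httpd_version() {
  httpd -v 2>/dev/null | sed -n 's#^Server version: Apache/\([0-9.]*\).*#\1#p'
}

# apache_ssl_directives VERSION LIVEDIR: certificate directives to put in
# the vhost. Older httpd gets cert.pem plus SSLCertificateChainFile;
# 2.4.8+ can take fullchain.pem in SSLCertificateFile alone.
apache_ssl_directives() {
  if needs_chainfile "$1"; then
    printf 'SSLCertificateFile %s/cert.pem\n' "$2"
    printf 'SSLCertificateChainFile %s/chain.pem\n' "$2"
  else
    printf 'SSLCertificateFile %s/fullchain.pem\n' "$2"
  fi
  printf 'SSLCertificateKeyFile %s/privkey.pem\n' "$2"
}

# Constructed s_client excerpts (not captured from the site) for the demo.
ONLY_LEAF="Certificate chain
 0 s:/CN=drive.nusalaska.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3"
WITH_INTERMEDIATE="$ONLY_LEAF
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3"

# Offline demo. Live use: fetch_chain drive.nusalaska.com | chain_status
# and apache_ssl_directives "$(httpd_version)" /etc/letsencrypt/live/<name>
demo() {
  printf '%s\n' "$ONLY_LEAF" | chain_status          # incomplete
  printf '%s\n' "$WITH_INTERMEDIATE" | chain_status  # complete
  apache_ssl_directives 2.4.6 /etc/letsencrypt/live/drive.nusalaska.com
}
demo
```

Run `fetch_chain drive.nusalaska.com | chain_status` against the live host; "incomplete" is the condition curl reports as SEC_ERROR_UNKNOWN_ISSUER, and browsers mask it only because they already hold the Let's Encrypt intermediate. After changing the directives and reloading httpd, the same command should print "complete" and `curl -v https://drive.nusalaska.com/` should verify without `-k`.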

Hi @KroniK907,

Your site is sending an incomplete chain. It’s not sending the Let’s Encrypt Authority X3 intermediate CA cert.

I don’t know why this is so, because you seem to have correctly specified fullchain.pem in your Apache configuration, and you’re using Apache 2.4, which recognizes a combined certificate and chain file like this. Usually this error is due to mistakenly specifying cert.pem instead of fullchain.pem.

Can you do grep -r SSLCertificate /etc/apache2 to see if there are any other references to your Let’s Encrypt certificate in your Apache configuration that use cert.pem instead of fullchain.pem?

Did you use any other tools or scripts to modify the files in /etc/letsencrypt after you obtained your certificate? Did you ever write an Apache configuration on this system that referred to cert.pem instead of fullchain.pem, even if you changed it afterward?

1 Like

Huh, @mnordhoff may have caught a distinction about Apache versions that I didn’t know about. I thought all versions of Apache 2.4 supported the combined chain in a single file.

This was the solution. I, like @schoen, thought that all versions of 2.4 supported combined chain files.

Thank you all! I was tearing my hair out for like 3 hours.

Also, I went back and re-ran certbot --apache to see if the apache plugin correctly setup for this version of apache, and it did seem to work correctly.

However, some kind of mention on the advanced tab of the http://certbot.eff.org/#centosrhel7-apache page would be nice, since basically all the generic documentation for certbot uses the fullchain.pem in the examples. Partially it’s my fault for not RTFM, but it would have been nice to see something that mentions that CentOS 7 can’t use the fullchain.pem file about 3 hours ago :stuck_out_tongue:

@SwartzCr, any interest in making this documentation update?

I’ve opened an issue for it here: https://github.com/certbot/certbot/issues/5052
