I am running Centos 7 on a Google Compute Cloud host.
I have a site https://drive.nusalaska.com that I am building as a nextcloud server.
I ran certbot certonly -d drive.nusalaska.com
to get my certificate, and everything went well there.
I applied the certificate to my apache config.d file and both chrome and firefox are happy with the certificate and show the site as being secure.
However, if I try to access the site via curl (which I need to do for a plugin I’m working on) it complains and says that it does not trust the Certificate Issuer.
Here are the relevent configs etc:
# cat /etc/httpd/conf.d/drive.conf
<VirtualHost *:80>
ServerName drive.nusalaska.com
Redirect permanent / https://drive.nusalaska.com/
</VirtualHost>
<VirtualHost *:443>
ServerName drive.nusalaska.com:443
DocumentRoot /var/www/drive.nusalaska.com/public/
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/drive.nusalaska.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/drive.nusalaska.com/privkey.pem
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
<Directory /var/www/drive.nusalaska.com/public/>
Options +FollowSymlinks
AllowOverride all
setEnv HOME /var/www/drive.nusalaska.com/public/
setEnv HTTP_HOME /var/www/drive.nusalaska.com/public/
</Directory>
<Location />
AllowOverride all
Require all granted
</Location>
</VirtualHost>
# curl -vvv https://drive.nusalaska.com/ > /dev/null
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to drive.nusalaska.com port 443 (#0)
* Trying 35.197.51.147...
* Connected to drive.nusalaska.com (35.197.51.147) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=drive.nusalaska.com
* start date: Aug 24 23:29:00 2017 GMT
* expire date: Nov 22 23:29:00 2017 GMT
* common name: drive.nusalaska.com
* issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* NSS error -8179 (SEC_ERROR_UNKNOWN_ISSUER)
* Peers Certificate issuer is not recognized.
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
* Closing connection 0
curl: (60) Peers Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
Here is what I have already tried:
- Yum reinstall ca-certificates
- update-ca-trust
I have fiddled around with a bunch of other random stuff but all to no avail. If someone could maybe take a look at the certificate and see what is wrong that would be helpful.
I also checked the setup using this ssl config test which gives lots of information about how the SSL config is working.
Overall, I’m just really confused why curl and the above SSL testing site say that the Issuer is wrong or that the chain is out of order. Is this a bug with certbot or did I do something wrong? I honestly can’t tell at this point.