Curl refuses to accept my cert, saying the certificate issuer is not recognized

I am running Centos 7 on a Google Compute Cloud host.

I have a site that I am building as a nextcloud server.

I ran certbot certonly -d to get my certificate, and everything went well there.

I applied the certificate to my apache config.d file and both chrome and firefox are happy with the certificate and show the site as being secure.

However, if I try to access the site via curl (which I need to do for a plugin I’m working on) it complains and says that it does not trust the Certificate Issuer.

Here are the relevent configs etc:

# cat /etc/httpd/conf.d/drive.conf
<VirtualHost *:80>
  Redirect permanent /

<VirtualHost *:443>
  DocumentRoot /var/www/

  SSLEngine on

  SSLCertificateFile /etc/letsencrypt/live/
  SSLCertificateKeyFile /etc/letsencrypt/live/


  SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
  SSLHonorCipherOrder On

  <Directory /var/www/>
    Options +FollowSymlinks
    AllowOverride all
    setEnv HOME /var/www/
    setEnv HTTP_HOME /var/www/
  <Location />
    AllowOverride all
    Require all granted
# curl -vvv > /dev/null
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* About to connect() to port 443 (#0)
*   Trying
* Connected to ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
* 	subject:
* 	start date: Aug 24 23:29:00 2017 GMT
* 	expire date: Nov 22 23:29:00 2017 GMT
* 	common name:
* 	issuer: CN=Let's Encrypt Authority X3,O=Let's Encrypt,C=US
* Peers Certificate issuer is not recognized.
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) Peers Certificate issuer is not recognized.
More details here:

Here is what I have already tried:

  • Yum reinstall ca-certificates
  • update-ca-trust

I have fiddled around with a bunch of other random stuff but all to no avail. If someone could maybe take a look at the certificate and see what is wrong that would be helpful.

I also checked the setup using this ssl config test which gives lots of information about how the SSL config is working.

Overall, I’m just really confused why curl and the above SSL testing site say that the Issuer is wrong or that the chain is out of order. Is this a bug with certbot or did I do something wrong? I honestly can’t tell at this point.

The certificate chain is incomplete. (Chrome and Firefox only accept it because they've cached the Let's Encrypt intermediate from visits to other websites.)

That only works in Apache 2.4.8 or newer. According to the site's Server header, it's using 2.4.6. :slightly_frowning_face: You need:

SSLCertificateFile /etc/letsencrypt/live/
SSLCertificateChainFile /etc/letsencrypt/live/
SSLCertificateKeyFile /etc/letsencrypt/live/

Hi @KroniK907,

Your site is sending an incomplete chain. It’s not sending the let’s Encrypt Authority X3 intermediate CA cert.

I don’t know why this is so, because you seem to have correctly specified fullchain.pem in your Apache configuration, and you’re using Apache 2.4, which recognizes a combined certificate and chain file like this. Usually this error is due to mistakenly specifying cert.pem instead of fullchain.pem.

Can you do grep -r SSLCertificate /etc/apache2 to see if there are any other references to your Let’s Encrypt certificate in your Apache configuration that use cert.pem instead of fullchain.pem?

Did you use any other tools or scripts to modify the files in /etc/letsencrypt after your obtained your ceritficate? Did you ever write an Apache configuration on this system that referred to cert.pem instead of fullchain.pem, even if you changed it afterward?

1 Like

Huh, @mnordhoff may have caught a distinction about Apache versions that I didn’t know about. I thought all versions of Apache 2.4 supported the combined chain in a single file.

This was the solution. I, like @schoen, thought that all versions of 2.4 supported combined chain files.

Thank you all! I was tearing my hair out for like 3 hours.

Also, I went back and re-ran certbot --apache to see if the apache plugin correctly setup for this version of apache, and it did seem to work correctly.

However, some kind of mention on the advanced tab of the page would be nice, since basically all the generic documentation for certbot uses the fullchain.pem in the examples. Partially its my fault for not RTFM, but it would have been nice to see something that mentions that CentOS 7 cant use the fullchain.pem file about 3 hours ago :stuck_out_tongue:

@SwartzCr, any interest in making this documentation update?

I’ve opened an issue for it here:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.