Discord OAuth unable to get local issuer certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: portof.yokohama

I ran this command:
OAuth2 via Discord. Error happens during authentication where discord redirects back to our site @ the url portof.yokohama/auth/discord/callback.

It produced this output:
aiohttp.client_exceptions.ClientConnectorCertificateError: Cannot connect to host discord.com:443 ssl:True [SSLCertVerificationError: (1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl:997)')]

My web server is (include version):
nginx/1.22.1

The operating system my web server runs on is (include version):
Debian 12

My hosting provider, if applicable, is:
n/a

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 2.8.0

OTHER INFORMATION
The configuration works fine when users or the main site the API is for make requests to it; only Discord has thrown this error so far (you can look at portof.yokohama/auth/discord/callback and see a normal error is thrown due to not sending the expected model). Certbot was set up using the guide provided on the certbot site and nothing seems wrong with the nginx config from what I can tell and by looking at other questions from the past asking similar things. The project is running a different version of Python from the OS's version, but both have run certifi.


Welcome @ecfidler

This doesn't look like anything wrong with your Let's Encrypt cert at your domain.

It looks like a problem in your callback app that uses aiohttp. It tries to connect to discord but cannot validate the cert it sees from discord.com. That cert happens to be issued by Cloudflare.

I don't have any experience with aiohttp but this doesn't look like a Let's Encrypt related problem. Someone else here may have some suggestions.

I would only suggest making sure your app is using a proper and current CA root store. You may need to ask at an aiohttp forum for help.

The cert at discord.com

subject=C = US, ST = California, L = San Francisco, O = "Cloudflare, Inc.", CN = discord.com
issuer=C = US, O = "Cloudflare, Inc.", CN = Cloudflare Inc ECC CA-3

I agree with @MikeMcQ here. This specific issue doesn't seem to be related with your TLS setup. You might find more help at communities with more knowledge about aiohttp and how you're using it.


Thank you both. I am using aiohttp indirectly through a FastAPI implementation but this at the very least gives me more direction on where to look.


I seem to be getting a similar issue here, but with Google OAuth as well. My APIs are working fine. I'm also using nginx and not aiohttp.

Error { code: 167772294, library: "SSL routines", function: "tls_post_process_server_certificate", reason: "certificate verify failed", file: "ssl/statem/statem_clnt.c", line: 2091 }]))) }, X509VerifyResult { code: 20, error: "unable to get local issuer certificate" })) }))

@rgundal2 Without more info it is hard to say what the cause is. I don't even see anything related to Let's Encrypt in that error message. Please start a new thread in the Help section and answer as much of the questionnaire as you can. Thanks.


Just to provide some closure on this issue: I needed to set up an additional SSL context client in my FastAPI instance to ensure that the project was using certifi correctly. Edit: sorry, this was not meant to be a reply post.

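The thread's diagnosis (the client app, not the server's Let's Encrypt cert, lacks a usable CA root store) and the poster's fix (an explicit SSL context backed by certifi) can be checked in a few lines. The following is an added example, not code from the original post or from the aiohttp, FastAPI or certifi projects. It reports where the running interpreter looks for trust roots, which is the first thing to compare between the project's Python and the OS Python when only one of them fails with "unable to get local issuer certificate", and builds a verifying `ssl.SSLContext` from certifi's bundle (falling back to the OpenSSL default paths when certifi is not installed). The `make_aiohttp_connector` helper is an assumption about how such a context would be handed to aiohttp; aiohttp is imported lazily so the rest of the script runs without it.

```python
"""Diagnose and fix a Python client's CA trust store (added example, not the thread's code)."""
import ssl
from typing import Optional


def certifi_bundle() -> Optional[str]:
    """Path to certifi's CA bundle if certifi is installed in *this* interpreter, else None.

    A project venv and the OS Python each have their own site-packages, so
    "certifi is installed" must be checked from the interpreter that fails.
    """
    try:
        import certifi
    except ImportError:
        return None
    return certifi.where()


def trust_store_report() -> dict:
    """Where OpenSSL (as linked into this interpreter) will look for trust roots."""
    paths = ssl.get_default_verify_paths()
    return {
        "openssl_cafile": paths.openssl_cafile,   # compiled-in default bundle file
        "openssl_capath": paths.openssl_capath,   # compiled-in default hashed directory
        "env_cafile": paths.cafile,               # honours SSL_CERT_FILE if set
        "env_capath": paths.capath,               # honours SSL_CERT_DIR if set
        "certifi_bundle": certifi_bundle(),       # None if certifi is missing here
    }


def make_verified_ssl_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Build a client-side context that *requires* chain and hostname validation.

    If no cafile is given, certifi's bundle is used when available; otherwise
    create_default_context falls back to the OpenSSL default paths above.
    A nonexistent cafile raises FileNotFoundError rather than silently
    producing an empty trust store.
    """
    cafile = cafile or certifi_bundle()
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True            # reject a valid chain for the wrong name
    ctx.verify_mode = ssl.CERT_REQUIRED  # never downgrade to CERT_NONE to "fix" the error
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def loaded_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates actually loaded; 0 explains 'unable to get local issuer'."""
    return ctx.cert_store_stats()["x509_ca"]


def make_aiohttp_connector(ctx: ssl.SSLContext):
    """Hand the verified context to aiohttp (assumed usage; aiohttp imported lazily)."""
    import aiohttp
    # Pass ssl=ctx when building the ClientSession so the OAuth token exchange
    # with the provider (discord.com in the thread) validates against this store.
    return aiohttp.TCPConnector(ssl=ctx)


if __name__ == "__main__":
    for key, value in trust_store_report().items():
        print(f"{key:16} {value}")
    context = make_verified_ssl_context()
    print("CA certificates loaded:", loaded_ca_count(context))
```

Run it once with the OS Python and once with the project's interpreter; the thread's symptom (API works, only the outbound OAuth call fails) matches the project interpreter showing either no certifi bundle or a CA count of zero. Setting `SSL_CERT_FILE` to the certifi bundle path is a quick environment-level check before changing the application.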
