Error 20 at 1 depth lookup


#1

Hi,

Please help !!, I have CLOUDLINUX 6.7 x86_64 WHM 56.0 (build 5). Server Version: Apache/2.4.18 (Unix) OpenSSL/1.0.1e-fips mod_bwlimited/1.4 mod_fcgid/2.3.9
Server MPM: prefork.

Error:

There was a problem processing your request

Error issuing certificate
Installing ssl certificate
The certificate could not be installed on the domain “xxxx.com”. Certificate verification failed! Certificate verified: stdin: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3 error 20 at 1 depth lookup:unable to get local issuer certificate

and…

Automatic Let’s Encrypt renewal for xxxx.com was attempted and failed.
This certificate expires on 2016-05-20 09:28:00 -0400 EDT.

Failed to install renewed certificate:The certificate could not be installed on the domain “xxxx.com”.
Certificate verification failed!
Certificate verified:
stdin: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
error 20 at 1 depth lookup:unable to get local issuer certificate


#2

Did you use cert.pem or fullchain.pem in your Apache configuration?


#3

I dont know. the certificate is automatically generated by the module let’script for cpanel . He had two months running, and when he made the renewal of the certf, this damage.


#4

root@server [~]# grep -i -r “SSLCertificateFile” /etc/httpd/
/etc/httpd/conf/extra/httpd-ssl.conf:# Point SSLCertificateFile at a PEM encoded certificate. If
/etc/httpd/conf/extra/httpd-ssl.conf:SSLCertificateFile “/usr/local/apache/conf/server.crt”
/etc/httpd/conf/extra/httpd-ssl.conf:#SSLCertificateFile “/usr/local/apache/conf/server-dsa.crt”
/etc/httpd/conf/extra/httpd-ssl.conf:# the referenced file can be the same as SSLCertificateFile
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/koryfi_com_e8a2b_31099_1463705160_a641508882d9f80a39fb56c7fbd2d986.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/caribbeancontainer_com_efa77_f0187_1464647580_8e17c44e9118a66dd98326cfa93f2b01.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/elreposodemauro_com_c1b8f_dfeeb_1464666360_4f557f7eb736ecc3081cb6ffd9430513.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/cerioips_com_c9136_10801_1464793620_03f44377a5454120976395df6ff5ec7d.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/oportunidadforever_com_aaced_c14c1_1463759460_f7bbe202cc30da93f7bf00b544484bff.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/aguamardisenos_com_cc304_227b7_1464373080_4a907b1e072ba87b1f93d3436169ee57.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/servitelas_com_dcfe2_92001_1464019620_4a5e183672c6edacc481eee411cf00dd.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/eliorcymbler_com_a278b_1353d_1463904660_7b56a38c169fd3e332bb76a052bdc441.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/porqueunosomostodos_com_cd3a1_18ed1_1463750340_a46d028f76824dfd0653b6d82973b82b.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/vpsgratis_org_d5625_8a465_1464362640_371e55cc06c59e158225c56b20618fb3.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/portafoliofinanciero_com_c836e_a73c7_1463750700_686f003dccc9bffb8be8b10082c418ff.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/quieroconocer_com_a5ce1_fdf69_1463750640_923b801899fba3bb723c3e2d1cf62b70.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/eduardogc_com_d20a1_da6dd_1463750880_74625bae4d8dce88e0d0475165851b14.crt
/etc/httpd/conf/httpd.conf.work.MFGuGw5xD3i42Rz9: SSLCertificateFile /var/cpanel/ssl/installed/certs/aprengo_com_c91b4_db253_1463750940_eee986786a5c7750ea64f8f64dd32d56.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/koryfi_com_e8a2b_31099_1463705160_a641508882d9f80a39fb56c7fbd2d986.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/caribbeancontainer_com_efa77_f0187_1464647580_8e17c44e9118a66dd98326cfa93f2b01.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/elreposodemauro_com_c1b8f_dfeeb_1464666360_4f557f7eb736ecc3081cb6ffd9430513.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/cerioips_com_c9136_10801_1464793620_03f44377a5454120976395df6ff5ec7d.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/oportunidadforever_com_aaced_c14c1_1463759460_f7bbe202cc30da93f7bf00b544484bff.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/aguamardisenos_com_cc304_227b7_1464373080_4a907b1e072ba87b1f93d3436169ee57.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/servitelas_com_dcfe2_92001_1464019620_4a5e183672c6edacc481eee411cf00dd.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/eliorcymbler_com_a278b_1353d_1463904660_7b56a38c169fd3e332bb76a052bdc441.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/porqueunosomostodos_com_cd3a1_18ed1_1463750340_a46d028f76824dfd0653b6d82973b82b.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/vpsgratis_org_d5625_8a465_1464362640_371e55cc06c59e158225c56b20618fb3.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/portafoliofinanciero_com_c836e_a73c7_1463750700_686f003dccc9bffb8be8b10082c418ff.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/quieroconocer_com_a5ce1_fdf69_1463750640_923b801899fba3bb723c3e2d1cf62b70.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/eduardogc_com_d20a1_da6dd_1463750880_74625bae4d8dce88e0d0475165851b14.crt
/etc/httpd/conf/httpd.conf.work.055sDgaS39NPu34V: SSLCertificateFile /var/cpanel/ssl/installed/certs/aprengo_com_c91b4_db253_1463750940_eee986786a5c7750ea64f8f64dd32d56.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/koryfi_com_e8a2b_31099_1463705160_a641508882d9f80a39fb56c7fbd2d986.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/caribbeancontainer_com_efa77_f0187_1464647580_8e17c44e9118a66dd98326cfa93f2b01.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/elreposodemauro_com_c1b8f_dfeeb_1464666360_4f557f7eb736ecc3081cb6ffd9430513.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/cerioips_com_c9136_10801_1464793620_03f44377a5454120976395df6ff5ec7d.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/oportunidadforever_com_aaced_c14c1_1463759460_f7bbe202cc30da93f7bf00b544484bff.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/aguamardisenos_com_cc304_227b7_1464373080_4a907b1e072ba87b1f93d3436169ee57.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/servitelas_com_dcfe2_92001_1464019620_4a5e183672c6edacc481eee411cf00dd.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/eliorcymbler_com_a278b_1353d_1463904660_7b56a38c169fd3e332bb76a052bdc441.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/porqueunosomostodos_com_cd3a1_18ed1_1463750340_a46d028f76824dfd0653b6d82973b82b.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/vpsgratis_org_d5625_8a465_1464362640_371e55cc06c59e158225c56b20618fb3.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/portafoliofinanciero_com_c836e_a73c7_1463750700_686f003dccc9bffb8be8b10082c418ff.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/quieroconocer_com_a5ce1_fdf69_1463750640_923b801899fba3bb723c3e2d1cf62b70.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/eduardogc_com_d20a1_da6dd_1463750880_74625bae4d8dce88e0d0475165851b14.crt
/etc/httpd/conf/httpd.conf.copy: SSLCertificateFile /var/cpanel/ssl/installed/certs/aprengo_com_c91b4_db253_1463750940_eee986786a5c7750ea64f8f64dd32d56.crt
/etc/httpd/conf/httpd.conf.1460564239: SSLCertificateFile /var/cpanel/ssl/installed/certs/koryfi_com_e8a2b_31099_1463705160_a641508882d9f80a39fb56c7fbd2d986.crt


#5

Is it possible that the module has hard-coded the old Let’s Encrypt Authority X1 intermediate certificate and is not aware of the new Let’s Encrypt Authority X3 certificate?

This issue is described in the 5th paragraph of @jsha’s post at

If the module author did not take account of this, that could produce the kind of problem that you describe.


#6

Module author here.

The nature of the mistake is correct, but not quite hardcoding the X1 intermediate. We were relying on the /issuer-cert resource in the directory, which I suspect was not switched over to X3 at the time this certificate was issued. (At least, it is the only explanation we can think of at the moment).

We will amend to be closer to spec (using Link header).


#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.