Error certificat call webservice

Hello,
I installed let’s encrypt on a server for a domain.
the site works well in https.
This site has a webservice.

when I try to call the webservice from another machine I have the following error:

curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn’t adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you’d like to turn off curl’s verification of the certificate, use
the -k (or --insecure) option.

my virtualhost file contains the following lines:

SSLCertificateFile /etc/apache2/certs/prod/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certs/prod/key.pem

what should I do

thanks

Hi @lfourny,

What’s the site’s domain name?

Hello,

The name site is https://infotec.carestreamdental.com

Thanks

Laurent

$ openssl s_client -connect infotec.carestreamdental.com:443 -servername infotec.carestreamdental.com < /dev/null | head -10

depth=1 C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
verify return:0
DONE
CONNECTED(00000003)

Certificate chain
0 s:/CN=infotec.carestreamdental.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
1 s:/CN=infotec.carestreamdental.com
i:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
2 s:/C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

Your webserver somehow offers the certificate twice.
What other SSLCertificate... statements do you have in your apache configuration?

Hello,

in my virtualhost file :
SSLCertificateFile /etc/apache2/certs/prod/cert.pem
SSLCertificateChainFile /etc/apache2/certs/prod/fullchain.pem
SSLCertificateKeyFile /etc/apache2/certs/prod/key.pem

Thanks…

You have to use fullchain.pem via SSLCertificateFile and drop SSLCertificateChainFile completely or use chain.pem with SSLCertificateChainFile.
I would recommend the first.

Now in virtualhost I use the following lines:

   SSLCertificateFile /etc/apache2/certs/prod/fullchain.pem
   SSLCertificateKeyFile /etc/apache2/certs/prod/key.pem 

but by testing with openssl I have the following error:

depth=0 CN = infotec.carestreamdental.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = infotec.carestreamdental.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 CN = infotec.carestreamdental.com
verify error:num=21:unable to verify the first certificate
verify return:1
DONE
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=infotec.carestreamdental.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFGzCCBAOgAwIBAgISA0y4GELnvgGso82KyxVAkHNoMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD

What should I do…I am really lost.

thank you in advance

Now the intermediate is missing.
Please paste the contents of /etc/apache2/certs/prod/fullchain.pem.

If you created your certificates with certbot, did you copy the pem-files to that location manually?
Is there a file /etc/apache2/certs/prod/chain.pem?

here the content to the fullchain.pem

-----BEGIN CERTIFICATE-----
MIIFGzCCBAOgAwIBAgISA0y4GELnvgGso82KyxVAkHNoMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzEwMTUyMTQ1NDZaFw0x
ODAxMTMyMTQ1NDZaMCcxJTAjBgNVBAMTHGluZm90ZWMuY2FyZXN0cmVhbWRlbnRh
bC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/LQprPTdkHdSg
hv0hR9JgIA51Gnf345d90pXmKJaUGkwU6P9ZauTonzKJ4+4Qium6CjrpGePSsSrc
eC9RH8D6JRSilIMJu0mIA2mZUbRPvaxMTq/czlxGSfqUTiZmZHagm9V27Ib6iu8r
y1xl3g4ekSQc0YP+Vs0Rs2jOHamjprBftMGyEctkP7m6SghlRctLaHDlgOO7cGPi
bqMC8vwhSvYZfPpAm0M8K3ZQVaVjAF95b7uJd7LxFo5MJo2Pq5IiufG+YMXZGJqf
QsAMcsRbmwTdqqiCSJOy4kP/56MRfgOIt0X0lemfg7uc8IA1JOpzwEWwayK2/qGI
bdbwftMvAgMBAAGjggIcMIICGDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFDYa2vF1
/V3TsgzH/WmYpebrrZURMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyh
MG8GCCsGAQUFBwEBBGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgz
LmxldHNlbmNyeXB0Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgz
LmxldHNlbmNyeXB0Lm9yZy8wJwYDVR0RBCAwHoIcaW5mb3RlYy5jYXJlc3RyZWFt
ZGVudGFsLmNvbTCB/gYDVR0gBIH2MIHzMAgGBmeBDAECATCB5gYLKwYBBAGC3xMB
AQEwgdYwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0c2VuY3J5cHQub3JnMIGr
BggrBgEFBQcCAjCBngyBm1RoaXMgQ2VydGlmaWNhdGUgbWF5IG9ubHkgYmUgcmVs
aWVkIHVwb24gYnkgUmVseWluZyBQYXJ0aWVzIGFuZCBvbmx5IGluIGFjY29yZGFu
Y2Ugd2l0aCB0aGUgQ2VydGlmaWNhdGUgUG9saWN5IGZvdW5kIGF0IGh0dHBzOi8v
bGV0c2VuY3J5cHQub3JnL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEBCwUAA4IBAQBv
y4Xh74Ac4liHLIgKqiMaPNJPbEcgfiUijBS47JFGE3IfyBnpuBtTf/ZGDPrWcnBo
DR2lNjLXE6vH/6qXAwNbWhmmQiHyHuw052QUPbSGh7imNF7eQYj3B5l9IMqMuCw+
sWiBprG3di7bt1/Z48UBePBeXmKiXj5tn/OOvKfqjtZOJRi7ysDvVr8A/DbMIQ7V
ccMiQR6DMw/EJxrJCJEI7y2CRMu2MLmFPAlxaiuyoAST8OJhHkrqbXU5KyW0bMeq
bYJMz4RRJmjBe07eYpDoZJlqXkMLKVl8LvCnrCTVB2O7vdBj715gGjv8VS9K+PbB
GlnmK7zT83R1WQjjzP4j
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
DkRTVCBSb290IENBIFgzMB4XDTE2MDMxNzE2NDA0NloXDTIxMDMxNzE2NDA0Nlow
SjELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUxldCdzIEVuY3J5cHQxIzAhBgNVBAMT
GkxldCdzIEVuY3J5cHQgQXV0aG9yaXR5IFgzMIIBIjANBgkqhkiG9w0BAQEFAAOC
AQ8AMIIBCgKCAQEAnNMM8FrlLke3cl03g7NoYzDq1zUmGSXhvb418XCSL7e4S0EF
q6meNQhY7LEqxGiHC6PjdeTm86dicbp5gWAf15Gan/PQeGdxyGkOlZHP/uaZ6WA8
SMx+yk13EiSdRxta67nsHjcAHJyse6cF6s5K671B5TaYucv9bTyWaN8jKkKQDIZ0
Z8h/pZq4UmEUEz9l6YKHy9v6Dlb2honzhT+Xhq+w3Brvaw2VFn3EK6BlspkENnWA
a6xK8xuQSXgvopZPKiAlKQTGdMDQMc2PMTiVFrqoM7hD8bEfwzB/onkxEz0tNvjj
/PIzark5McWvxI0NHWQWM6r6hCm21AvA2H3DkwIDAQABo4IBfTCCAXkwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAYYwfwYIKwYBBQUHAQEEczBxMDIG
CCsGAQUFBzABhiZodHRwOi8vaXNyZy50cnVzdGlkLm9jc3AuaWRlbnRydXN0LmNv
bTA7BggrBgEFBQcwAoYvaHR0cDovL2FwcHMuaWRlbnRydXN0LmNvbS9yb290cy9k
c3Ryb290Y2F4My5wN2MwHwYDVR0jBBgwFoAUxKexpHsscfrb4UuQdf/EFWCFiRAw
VAYDVR0gBE0wSzAIBgZngQwBAgEwPwYLKwYBBAGC3xMBAQEwMDAuBggrBgEFBQcC
ARYiaHR0cDovL2Nwcy5yb290LXgxLmxldHNlbmNyeXB0Lm9yZzA8BgNVHR8ENTAz
MDGgL6AthitodHRwOi8vY3JsLmlkZW50cnVzdC5jb20vRFNUUk9PVENBWDNDUkwu
Y3JsMB0GA1UdDgQWBBSoSmpjBH3duubRObemRWXv86jsoTANBgkqhkiG9w0BAQsF
AAOCAQEA3TPXEfNjWDjdGBX7CVW+dla5cEilaUcne8IkCJLxWh9KEik3JHRRHGJo
uM2VcGfl96S8TihRzZvoroed6ti6WqEBmtzw3Wodatg+VyOeph4EYpr/1wXKtx8/
wApIvJSwtmVi4MFU5aMqrSDE6ea73Mj2tcMyo5jMd6jmeWUHK8so/joWUoHOUgwu
X4Po1QYz+3dszkDqMp4fklxBwXRsW10KXzPMTZ+sOPAveyxindmjkW8lGy+QsRlG
PfZ+G6Z6h7mjem0Y+iWlkYcV4PIWL1iwBi8saCbGS5jN2p8M+X+Q7UNKEkROb3N6
KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
-----END CERTIFICATE-----

In my folder there is three file :
key.pem
fullchain.pem
cert.pem

Thank

The documentation of Apache 2.2 is not really clear about whether it accepts both certificates in SSLCertificateFile. Apache 2.4. definitely supports that.

You could try splitting the two certificates and use them separately. Just save fullchain.pem as intermediate.pem, then open intermediate.pem and delete everything from the beginning until the second -----BEGIN CERTIFICATE-----.

Then change your configuration:
SSLCertificateFile /etc/apache2/certs/prod/cert.pem
SSLCertificateChainFile /etc/apache2/certs/prod/intermediate.pem

The documentation of Apache 2.2 is not really clear about whether it accepts both certificates in SSLCertificateFile. Apache 2.4. definitely supports that.

Indeed, it is not supported before httpd 2.4.8.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.