Error code: SEC_ERROR_UNKNOWN_ISSUER


#1

Hi.

i am newer user of letsencrypt services.
i do this in may server :

./letsencrypt-auto certonly --standalone -d upale.net -d www.upale.net

this genered 4 files in /etc/letsencrypt/live/upale.net/

cert.pem chain.pem fullchain.pem privkey.pem

And i modify the apache confg
<VirtualHost *:80>
DocumentRoot /var/www/html/upale/
ServerName mango.upale.net
ServerAlias www.upale.net upale.net
ServerAdmin soporte@upale.net
ProxyPreserveHost On
UseCanonicalName Off

Se adiciona para activar los https

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/upale.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/upale.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/upale.net/chain.pem

    ErrorLog /var/log/httpd/upaleError.log
    CustomLog /var/log/httpd/upaleAccess.log common

When I try to access from the Web browser says:

upale.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for mango.upale.net Error code: SEC_ERROR_UNKNOWN_ISSUER

mango is a name for my server. any idea of my error???


Ubuntu 14.04 invalid security certificate
#2

Your site is using a self-signed certificate issued in February.

Did you restart your apache instance after changing the VHost configuration?

Do you have any other VHosts that might have different values for SSLCertificateFile?

What does the following command return?

openssl x509 -in /etc/letsencrypt/live/upale.net/cert.pem -issuer -noout

(By the way, if you want to be able to access https://mango.upale.net as well without any SSL warnings, you’ll have to add that as a -d argument to letsencrypt-auto.)


#3

Your server isn’t sending the correct certificate. Did you remember to restart or reload apache after changing the config?


#4

Thanks for the help, helped me to detect that the certificate that
possibly is sent is that is generated for the mail. I have installed in
past zimbra suite. I will carefully review the settings and I will
update


#5

i find this in the configuration

Server Certificate:

Point SSLCertificateFile at a PEM encoded certificate. If

the certificate is encrypted, then you will be prompted for a

pass phrase. Note that a kill -HUP will prompt again. A new

certificate can be generated using the genkey(1) command.

SSLCertificateFile /etc/pki/tls/certs/localhost.crt

Server Private Key:

If the key is not combined with the certificate, use this

directive to point at the key file. Keep in mind that if

you’ve both a RSA and a DSA private key you can configure

both in parallel (to also allow the use of DSA ciphers, etc.)

SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

do you now, what change are require?


#6

command
openssl x509 -in /etc/letsencrypt/live/upale.net/cert.pem -issuer -noout

issuer= /C=US/O=Let’s Encrypt/CN=Let’s Encrypt Authority X1


#7

Change it to SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem and SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem.

If you’re using Apache 2.2 instead of 2.4, you have to use cert.pem for SSLCertificateFile and pass the chain.pem to the chain file setting instead.


#8

The problem was solved when solving.

[warn] default VirtualHost overlap on port 443, the first has precedence centos

Thanks For your help


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.