Error code: SEC_ERROR_UNKNOWN_ISSUER

Hi.

I am a new user of Let's Encrypt services.
I did this on my server:

./letsencrypt-auto certonly --standalone -d upale.net -d www.upale.net

This generated 4 files in /etc/letsencrypt/live/upale.net/

cert.pem chain.pem fullchain.pem privkey.pem

And I modified the Apache config:
<VirtualHost *:80>
DocumentRoot /var/www/html/upale/
ServerName mango.upale.net
ServerAlias www.upale.net upale.net
ServerAdmin soporte@upale.net
ProxyPreserveHost On
UseCanonicalName Off

# Added to enable HTTPS

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/upale.net/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/upale.net/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/upale.net/chain.pem

    ErrorLog /var/log/httpd/upaleError.log
    CustomLog /var/log/httpd/upaleAccess.log common

When I try to access it from the web browser, it says:

upale.net uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for mango.upale.net Error code: SEC_ERROR_UNKNOWN_ISSUER

mango is a name for my server. Any idea what my error is?

Your site is using a self-signed certificate issued in February.

Did you restart your apache instance after changing the VHost configuration?

Do you have any other VHosts that might have different values for SSLCertificateFile?

What does the following command return?

openssl x509 -in /etc/letsencrypt/live/upale.net/cert.pem -issuer -noout

(By the way, if you want to be able to access https://mango.upale.net as well without any SSL warnings, you’ll have to add that as a -d argument to letsencrypt-auto.)

Your server isn’t sending the correct certificate. Did you remember to restart or reload apache after changing the config?

Thanks for the help. It helped me detect that the certificate being sent is possibly the one generated for the mail. I installed the Zimbra suite in the past. I will carefully review the settings and post an update.

I found this in the configuration:

# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A new
# certificate can be generated using the genkey(1) command.
SSLCertificateFile /etc/pki/tls/certs/localhost.crt

# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key

Do you know what changes are required?

command
openssl x509 -in /etc/letsencrypt/live/upale.net/cert.pem -issuer -noout

issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X1

Change it to SSLCertificateFile /etc/letsencrypt/live/your-domain.com/fullchain.pem and SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem.

If you’re using Apache 2.2 instead of 2.4, you have to use cert.pem for SSLCertificateFile and pass the chain.pem to the chain file setting instead.


The problem was solved when solving:

[warn] default VirtualHost overlap on port 443, the first has precedence centos

Thanks for your help.
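
The thread traces the wrong certificate to a second VirtualHost on port 443 (the default one pointing at localhost.crt) taking precedence. As an added example that is not part of any post above, this script lists each `<VirtualHost>` block with its SSLCertificateFile and flags an address declared twice with different certificates. The function names and sample config files are constructed for illustration, and addresses are compared as literal strings.

```sh
#!/bin/sh
# Added example, not from the thread. Paths in the sample are constructed.

# Print one line per <VirtualHost> block: file:line address SSLCertificateFile
# ("-" when the block sets none). Only the first address of a block is read.
scan_vhosts() {
    awk '
        function emit() { if (invh) print where, addr, cert; invh = 0 }
        FNR == 1 { emit() }    # previous file ended without </VirtualHost>
        tolower($1) == "<virtualhost" {
            emit()
            addr = $2; sub(/>$/, "", addr)
            where = FILENAME ":" FNR; cert = "-"; invh = 1; next
        }
        invh && tolower($1) == "sslcertificatefile" { cert = $2 }
        invh && tolower($1) ~ /^<\/virtualhost/ { emit() }
        END { emit() }
    ' "$@"
}

# Flag an address declared again with a different certificate. Pass files in
# the order Apache loads them (assumption: the first block has precedence).
find_overlaps() {
    scan_vhosts "$@" | awk '
        !($2 in first) { first[$2] = $1; cert[$2] = $3; next }
        $3 != cert[$2] { printf "OVERLAP %s first=%s cert=%s later=%s cert=%s\n",
                                $2, first[$2], cert[$2], $1, $3 }'
}

# Constructed sample: distro default ssl.conf plus a site file on the same address.
make_sample() {
    mkdir -p "$1" || return 1
    cat > "$1/ssl.conf" <<'EOF'
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile /etc/pki/tls/certs/localhost.crt
</VirtualHost>
EOF
    cat > "$1/upale.conf" <<'EOF'
<VirtualHost _default_:443>
    ServerName upale.net
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/upale.net/cert.pem
</VirtualHost>
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp" &&
    find_overlaps "$tmp/ssl.conf" "$tmp/upale.conf"
rm -rf "$tmp"
```

On a live server, `httpd -S` prints the virtual host table as Apache actually parsed it, which is the authoritative view of which block wins.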
