Error: SSL certificate problem: unable to get local issuer certificate


#1

Good day, I’m setting up a speedtest server for ookla, when I do a test on the ookla page, it gives me the following error

Error: SSL certificate problem: unable to get local issuer certificate

could you help me.


How to enable HTTPS / TLS support on my server speedtest on ubuntu 18-04LTS
#2

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know):

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):


#3

Thanks,

My domain is

speedtest.redeshibridas.com.gt

My web server
Is apache2 ubuntu 16.04

My hosting

Redes Hibridas S.A.

Version Cetbot

certbot 0.32.0


#4

Hi @Edson

I don’t find a problem (checked with https://check-your-website.server-daten.de/?q=speedtest.redeshibridas.com.gt ):

Your Letsencrypt - certificate is new

CN=speedtest.redeshibridas.com.gt
	11.03.2019
	10.06.2019
expires in 89 days	speedtest.redeshibridas.com.gt - 1 entry

and your https version is ok.

Domainname Http-Status redirect Sec. G
http://speedtest.redeshibridas.com.gt/
138.94.253.6 200 0.373 H
https://speedtest.redeshibridas.com.gt/
138.94.253.6 200 6.970 B
http://speedtest.redeshibridas.com.gt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
138.94.253.6 404 0.353 A

Same with my browser - there is a standard Apache2 Ubuntu page.

Checked with SSLLabs, there is a Grade A, no incomplete chain:

https://www.ssllabs.com/ssltest/analyze.html?d=speedtest.redeshibridas.com.gt&hideResults=on

Do you have a screenshot?


#5

Thanks,

attached image of the error that I get when I test my server on ookla.com

image

When consulting the ookla support they indicate the following, but I do not understand, since my certificate is fine.

The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.


#6

@JuergenAuer

help please


#7

I have no idea why there is an error message.

Ok, it’s port 8080, not 443.

But checking port 8080 ( https://check-your-website.server-daten.de/?q=speedtest.redeshibridas.com.gt%3A8080 ) there is the same picture: The valid Letsencrypt certificate with the correct intermediate certificate.


Ok, played with OpenSSL: Your port 443 sends the intermediate certificate:

Certificate chain
 0 s:CN = speedtest.redeshibridas.com.gt
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

your port 8080 not:

Certificate chain
 0 s:CN = speedtest.redeshibridas.com.gt
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

So check your port 443 config and copy the two or three lines with the certificate files to your port 8080 - configuration.


#8

@JuergenAuer thanks for information.

I comment, when entering by https to the domain by port 8080 gives it to me safely, I do not understand what it means to place the info of 3 lines from port 443 to port 8080

I also do not know what the local failure error means

I attached the image securely

ooka


#9

Your port 443 / standard https has the correct configuration.

Your special port 8080 / not standard has the wrong configuration.

So find your vHost / port 443 and compare that with the vHost of your port 8080.


#10

That was a good idea.

Now I’ve found a solution to check the “real certificate chain” of a connection. In combination with the port specific check:

speedtest … has now (in the connections) a new row:

|0|s:CN = speedtest.redeshibridas.com.gt|

My own domain has two rows:

|0|s:CN = *.server-daten.de|
|1|s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3|

So it’s visible that the certificate chain is incomplete. And that works with non standard ports. Must add a new warning message :wink:


#11

@JuergenAuer

I already added everything equal to the vhost 8080 and still I get the same error when running the test in digicert.

I attach errors and settings.

Captura


#12

@JuergenAuer

I do not know what else I could do to solve this error


#13

Could we see the Apache configuration? Is it possible that you used cert.pem instead of fullchain.pem somewhere?


#14

Then share your vHost - port 443 - configuration. These are two or three lines you have to copy:

    SSLCertificateFile /usr/local/ssl/crt/public.crt
    SSLCertificateKeyFile /usr/local/ssl/private/private.key
    SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt

Then restart your Apache and recheck your port 8080. Your incomplete chain is now visible:

Chain - incomplete 0 s:CN = speedtest.redeshibridas.com.gt


#15

@JuergenAuer @schoen

thanks for the info

I attached the images of my configuration in the Vhost 442 and Vhost 8080

tell me if it is properly configured


#16


#17


#18

There are duplicated lines, remove these (ServerName, Include, SSLCertificateFile / keyfile).

And your 8080 doesn’t have a ServerName, perhaps it isn’t used.


#19

I attach images with the updated configuration


#20