Good day, I’m setting up a speedtest server for ookla, when I do a test on the ookla page, it gives me the following error
Error: SSL certificate problem: unable to get local issuer certificate
could you help me.
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
It produced this output:
My web server is (include version):
The operating system my web server runs on is (include version):
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Thanks,
My domain is
speedtest.redeshibridas.com.gt
My web server
Is apache2 ubuntu 16.04
My hosting
Redes Hibridas S.A.
Version Cetbot
certbot 0.32.0
Hi @Edson
I don't find a problem (checked with https://check-your-website.server-daten.de/?q=speedtest.redeshibridas.com.gt ):
Your Letsencrypt - certificate is new
CN=speedtest.redeshibridas.com.gt
11.03.2019
10.06.2019
expires in 89 days speedtest.redeshibridas.com.gt - 1 entry
and your https version is ok.
| Domainname | Http-Status | redirect | Sec. | G |
|---|---|---|---|---|
| • http://speedtest.redeshibridas.com.gt/ | ||||
| 138.94.253.6 | 200 | 0.373 | H | |
| • https://speedtest.redeshibridas.com.gt/ | ||||
| 138.94.253.6 | 200 | 6.970 | B | |
| • http://speedtest.redeshibridas.com.gt/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de | ||||
| 138.94.253.6 | 404 | 0.353 | A |
Same with my browser - there is a standard Apache2 Ubuntu page.
Checked with SSLLabs, there is a Grade A, no incomplete chain:
https://www.ssllabs.com/ssltest/analyze.html?d=speedtest.redeshibridas.com.gt&hideResults=on
Do you have a screenshot?
Thanks,
attached image of the error that I get when I test my server on ookla.com
When consulting the ookla support they indicate the following, but I do not understand, since my certificate is fine.
The certificate is not signed by a trusted authority (checking against Mozilla’s root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
I have no idea why there is an error message.
Ok, it’s port 8080, not 443.
But checking port 8080 ( https://check-your-website.server-daten.de/?q=speedtest.redeshibridas.com.gt%3A8080 ) there is the same picture: The valid Letsencrypt certificate with the correct intermediate certificate.
Ok, played with OpenSSL: Your port 443 sends the intermediate certificate:
Certificate chain
0 s:CN = speedtest.redeshibridas.com.gt
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
i:O = Digital Signature Trust Co., CN = DST Root CA X3
your port 8080 not:
Certificate chain
0 s:CN = speedtest.redeshibridas.com.gt
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
So check your port 443 config and copy the two or three lines with the certificate files to your port 8080 - configuration.
1 Like
@JuergenAuer thanks for information.
I comment, when entering by https to the domain by port 8080 gives it to me safely, I do not understand what it means to place the info of 3 lines from port 443 to port 8080
I also do not know what the local failure error means
I attached the image securely
Your port 443 / standard https has the correct configuration.
Your special port 8080 / not standard has the wrong configuration.
So find your vHost / port 443 and compare that with the vHost of your port 8080.
That was a good idea.
Now I’ve found a solution to check the “real certificate chain” of a connection. In combination with the port specific check:
speedtest … has now (in the connections) a new row:
|0|s:CN = speedtest.redeshibridas.com.gt|
My own domain has two rows:
|0|s:CN = *.server-daten.de|
|1|s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3|
So it’s visible that the certificate chain is incomplete. And that works with non standard ports. Must add a new warning message 
I already added everything equal to the vhost 8080 and still I get the same error when running the test in digicert.
I attach errors and settings.
Could we see the Apache configuration? Is it possible that you used cert.pem instead of fullchain.pem somewhere?
Then share your vHost - port 443 - configuration. These are two or three lines you have to copy:
SSLCertificateFile /usr/local/ssl/crt/public.crt
SSLCertificateKeyFile /usr/local/ssl/private/private.key
SSLCertificateChainFile /usr/local/ssl/crt/intermediate.crt
Then restart your Apache and recheck your port 8080. Your incomplete chain is now visible:
Chain - incomplete 0 s:CN = speedtest.redeshibridas.com.gt
thanks for the info
I attached the images of my configuration in the Vhost 442 and Vhost 8080
tell me if it is properly configured
There are duplicated lines, remove these (ServerName, Include, SSLCertificateFile / keyfile).
And your 8080 doesn’t have a ServerName, perhaps it isn’t used.
