Error: SSL certificate problem, verify that the CA cert is OK

urwpguy · December 6, 2015, 5:01pm

I’m getting this error, when try to authorize an external app to work with my WordPress page.

Error: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

serverco · December 6, 2015, 5:10pm

Typically that’s because not all 3 certs were uploaded in the correct place. Test things with https://www.ssllabs.com/ssltest/ should give you some clues ( or tell us the domain name )

urwpguy · December 6, 2015, 5:26pm

Perhaps this is the reason?

DST Root CA X3 Self-signed
Fingerprint SHA1: dac9024f54d8f6df94935fb1732638ca6ad77c13
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate

serverco · December 6, 2015, 5:28pm

Perhaps. Without knowing all the other details I don’t know.

tlussnig · December 6, 2015, 5:31pm

Root CA is never required on the chain for the server.
Because either client know and trust them or it makes no benefit.

urwpguy · December 6, 2015, 5:33pm

This is the domain name: https://vm.yourwpguy.com/

Zoddo · December 6, 2015, 5:35pm

Use fullchain.pem instead of cert.pem

urwpguy · December 6, 2015, 5:50pm

ssllabs does not tell me that for the domain vm.yourwpguy.com . There is no problem with chain.

Zoddo · December 6, 2015, 5:53pm

I see this error here ...

urwpguy · December 6, 2015, 5:55pm

I am on the same page. “Chain issues: None” Rating A.

Zoddo · December 6, 2015, 5:57pm

Sorry, caching issue

Osiris · December 6, 2015, 6:00pm

Well, without knowing what this “”“an external app”"" is, we can’t say anything about it, now can we

Although the IdenTrust DST Root CA X3 certificate is quite accepted generally, there are some instances not recognising it as a trusted CA root certificate. Blackberry for instance I believe, among others.

urwpguy · December 6, 2015, 6:16pm

It’s under API Authentication Endpoint: “Our authentication endpoint allows easy integration between WooCommerce and Apps…” like here: https://woocommerce.wordpress.com/2015/08/07/api-settings-and-the-api-authentication-endpoint-in-2-4/

urwpguy · December 6, 2015, 8:31pm

I will try to contact my hosting provider.

“Some web servers have outdated root CA certificates and will cause this curl error: “SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed’”. The fix is to contact your hosting provider or server administrator and request a root CA cert update.”

urwpguy · December 6, 2015, 9:09pm

Whichone is the CA cert (as a PEM file) exactly?

txalamar · December 6, 2015, 9:52pm

I’m also looking for the typical ca certificate to deploy certificates in Zimbra. I get an error pointing to invalid provider:

~$ /opt/zimbra/bin/zmcertmgr deploycrt comm /tmp/commercial.crt /tmp/ca_chain.crt
** Verifying /tmp/commercial.crt against /opt/zimbra/ssl/zimbra/commercial/commercial.key
Certificate (/tmp/commercial.crt) and private key (/opt/zimbra/ssl/zimbra/commercial/commercial.key) match.
XXXXX ERROR: Invalid Certificate: /tmp/commercial.crt: C = US, O = Let’s Encrypt, CN = Let’s Encrypt Authority X1
error 2 at 1 depth lookup:unable to get issuer certificate
XXXXX ERROR: provided cert isn’t valid.

/tmp/ca_chain.crt is fullchain.pem
/tmp/commercial.crt is cert.pem
/opt/zimbra/ssl/zimbra/commercial/commercial.key is privkey.pem

I just wanted to try adding ca cert to the full chain.

motoko · December 7, 2015, 1:52am

You may need to include the root CA. You can find the root certificates at https://letsencrypt.org/certificates/. For right now, you’ll want the root linked under the “Cross Signing” section, not the one at the very top.