ERROR: The certificate of `dl.eff.org' is not trusted

Hi all,

Having a problem installing certbot using the following guide https://certbot.eff.org/all-instructions/#debian-7-wheezy-apache

This is what I get below and dont want to go further without properly understanding the issue and apply correct steps.

wget https://dl.eff.org/certbot-auto
–2017-10-23 10:30:13-- https://dl.eff.org/certbot-auto
Resolving dl.eff.org (dl.eff.org)… 151.101.112.201, 2a04:4e42:1b::201
Connecting to dl.eff.org (dl.eff.org)|151.101.112.201|:443… connected.
ERROR: The certificate of dl.eff.org' is not trusted. ERROR: The certificate ofdl.eff.org’ hasn’t got a known issuer.

Get nothing back when doing which certbot-auto as well.

You may use the option --no-check-certificate when invoking wget to omit the warning.

By turning off security...

1 Like

It’s weird, dl.eff.org's certificate chains to Comodo, I would have guessed it was trusted on pretty much literally everything. And it serves the same certificate with or without SNI. I haven’t checked Debian 7, but I’d be shocked if the applicable roots weren’t included.

Maybe the connection actually is being MITMed. :face_with_raised_eyebrow:

@aleon, can wget download from other HTTPS sites? Does, say, curl work? Is the ca-certificates package installed? Could you have disabled the Comodo roots after one of their security incidents, maybe around 2008? Is there some corporate/enterprise/government MITM/proxy device on the network intercepting connections? Can you get more information about what certificate is being served?

E.g. with “openssl s_client -connect dl.eff.org:443 -servername dl.eff.org </dev/null | openssl x509 -noout -text”. Or something less clumsy if possible.

1 Like

@bytecamp thanks for the tip.

Thats works :slight_smile:

@mnordhoff

Thanks for input, I am not sure why certificate is not trusted if that the case here for me, but as I am testing the install am not too concerned.
To answer you question about wget download, i was able to download nano editor form https: url fine.

I will check some more on your other points when finished with what I have todo, but thank you for input.

Not sure if I am allowed to continue with this post or open another, using the option --no-check-certificate allows me to download and then install certbot…

but I am not able to get certbot to verify the domain even though port 80/443 are open and the domain record pings/resolves ok from different locations.

This is my VH conf file for the domain I am trying to create an ssl cert using certbot

<VirtualHost *>
        ServerAdmin hostmaster@my-domain---something.com
        ServerName my-domain---something.com
        DocumentRoot /home/webmaster/my-domain---something.com
        <Directory /home/webmaster/my-domain---something.com>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
        </Directory>

        ErrorLog /var/log/apache2/my-domain---something.com.error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/my-domain---something.com.access.log combined
        ServerSignature Off

</VirtualHost>

And the error I am getting:

Type:   connection
Detail: Error getting validation data


To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
Cleaning up challenges

FailedChallenges: Failed authorization procedure. my-domain---something.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Error getting validation data

Do i need to have a separate virtualhost entry for port 80 and port 443 to server to my new domain in apache?

I have multiple domains pointing to this host server as well.

At this point, I would make a new topic with this, and complete the suggested form information on the “Help” topic. You’ll get more traction there, and the form information helps save everyone’s time.

It’s difficult to debug this issue without knowing the domain name in question. The validation server is unable to contact your server at all, so it’s unlikely your virtual host setup is the problem.

Thanks to everyone for posting here.

I decided to try this again on another similar webserver and certbot is now applying LE SSL certificates to the sites I have setup. All http sites now redirect to https fine!

I just need to look at the .conf files for each site and ensure they are correct, have also found out from testing I need to ensure my default-ssl.conf file exist and properly configured.

The firewall is correct, so everyone is aware, this was not the problem.

The other thing to highlight here is original server was on Deb 7/Apache & test webserver is Deb9/Apache, so not a true like for like but the folder structure i have kept the same on test server for comparison.

I think this post can now be closed, as I just wanted help in getting certbot working, understanding the issues, troubleshooting and getting working setup, before starting roll out of ssl to production sites soon.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.