Facebook Dev error: Curl error:60 (SSL_CACERT)

rwolken · September 20, 2018, 9:06pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: acttheatre.org,

I ran this command: Tested the URL in the Facebook Dev site

It produced this output: SSL Error: Cant Validate Cert and Curl error: 60 (SSL_CACERT)

My web server is (include version): Apache2, Wordpress

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is AWS-LightSail

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Certificate works fine for both acttheatre.org and dev.acttheatre.org sites.
BUT when checking url in Facebook Dev, it cannot validate cert and gives a Curl 60 error.
When I run : openssl s_client -connect acttheatre.org:443 -servername acttheatre.org 2>/dev/null | awk ‘/Certificate chain/,/—/’
I seem to be missing info and it lists the sub domain (dev.acttheatre.org) not the main domain acttheatre.org
RESULTS:

Certificate Chain
0 s: /CN=dev.acttheatre.org
i: /C=US, O=Let’s Encrypt /CN=Let’s Encrypt Authority X3

that’s all…

What do I need to do to get past this error? Am I missing some root certs? I am very new to this so any help you can provide would be awesome! I also will need to renew in a few weeks so concerned about that as well. THANKS! Rica

stevenzhu · September 20, 2018, 9:15pm

Hi,

You will need to use the fullchain.pem instead of the certificate.pem (to provide a full certificate that chained up to the CA cert)

That’s the reason curl is throwing the error.

Thank you

JuergenAuer · September 20, 2018, 9:22pm

Hi @rwolken

this is irrelevant. Your certificate has three domain names:

DNS-Name: acttheatre.org
DNS-Name: dev.acttheatre.org
DNS-Name: www.acttheatre.org

so you can use one certificate with these three domains.

One of these is picked as CommonName (= CN), listet first. But it's not relevant which domain name is the CommonName. Some Letsencrypt clients are using the first domain name in the list, some the alphabetical first name.

How did you create this certificate?

schoen · September 20, 2018, 9:57pm

I think @stevenzhu’s interpretation is right—the server is failing to send the intermediate CA certificate (which would, for example, be included in fullchain.pem).

rwolken · September 21, 2018, 12:40pm

Thank you all for your quick responses! It was in fact fixed with the fullchain.pem

Onward!

system · October 21, 2018, 12:46pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Facebook Dev: SSL and CURL error Help	6	923	April 10, 2021
Facebook developers tool error: Error de cURL: 60 (SSL_CACERT) Help	8	8681	July 14, 2018
Certificate verification errors when using curl Help	3	7645	December 1, 2019
Create SSL with New Domain Error Help	3	1829	April 14, 2018
Facebook debugger https://developers.facebook.com/tools/debug returns can't validate SSL certificate Help	3	1336	July 7, 2021

Facebook Dev error: Curl error:60 (SSL_CACERT)

Related topics