Facebook Dev error: Curl error:60 (SSL_CACERT)


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: acttheatre.org,

I ran this command: Tested the URL in the Facebook Dev site

It produced this output: SSL Error: Can't Validate Cert and Curl error: 60 (SSL_CACERT)

My web server is (include version): Apache2, Wordpress

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is AWS-LightSail

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): no

Certificate works fine for both acttheatre.org and dev.acttheatre.org sites.
BUT when checking the URL in Facebook Dev, it cannot validate the cert and gives a Curl 60 error.
When I run: openssl s_client -connect acttheatre.org:443 -servername acttheatre.org 2>/dev/null | awk '/Certificate chain/,/---/'
I seem to be missing info and it lists the subdomain (dev.acttheatre.org), not the main domain acttheatre.org.
RESULTS:

Certificate chain
 0 s:/CN=dev.acttheatre.org
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

that’s all…

What do I need to do to get past this error? Am I missing some root certs? I am very new to this so any help you can provide would be awesome! I also will need to renew in a few weeks so concerned about that as well. THANKS! Rica


#2

Hi,

You will need to use the fullchain.pem instead of the certificate.pem (to provide a full certificate that chains up to the CA cert).

That’s the reason curl is throwing the error.

Thank you


#3

Hi @rwolken

this is irrelevant. Your certificate has three domain names:

DNS-Name: acttheatre.org
DNS-Name: dev.acttheatre.org
DNS-Name: www.acttheatre.org

so you can use one certificate with these three domains.

One of these is picked as CommonName (= CN), listed first. But it's not relevant which domain name is the CommonName. Some Let's Encrypt clients use the first domain name in the list, some the alphabetically first name.

How did you create this certificate?


#4

I think @stevenzhu's interpretation is right: the server is failing to send the intermediate CA certificate (which would, for example, be included in fullchain.pem).

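The failure that posts #2 and #4 describe can be reproduced offline, without touching the real site. The script below is an added example, not something posted in this thread: it builds a throwaway root -> intermediate -> leaf PKI with the openssl CLI (all names such as "Example Test Root" and dev.example.test are made up), lays the files out the way certbot does (cert.pem = leaf only, fullchain.pem = leaf + intermediate), and then plays the role of a client that trusts only the root, once against a server that sends cert.pem and once against one that sends fullchain.pem. The first case fails with "unable to get local issuer certificate", which is the error behind curl's exit code 60.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI.
# Builds a test PKI and shows why serving cert.pem alone breaks validation.

# Number of PEM certificates in a file: Let's Encrypt's cert.pem holds 1,
# fullchain.pem holds 2 or more (leaf followed by the intermediate(s)).
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Build root -> intermediate -> leaf under directory $1, mimicking
# /etc/letsencrypt/live/<domain>/: cert.pem, privkey.pem, fullchain.pem.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ca.ext"
    # Self-signed root (the client's only trust anchor in this demo).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Root' \
        -keyout "$dir/root.key" -out "$dir/root.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" -days 2 >/dev/null 2>&1
    # Intermediate CA, signed by the root (plays the role of "Let's Encrypt Authority X3").
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Test Intermediate' \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/int.pem" -days 2 >/dev/null 2>&1
    # Leaf, signed by the intermediate (the site's own certificate).
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=dev.example.test' \
        -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -out "$dir/cert.pem" -days 2 >/dev/null 2>&1
    cat "$dir/cert.pem" "$dir/int.pem" > "$dir/fullchain.pem"
}

# Does a client that trusts only the root ($1) validate the leaf ($3) when the
# server presents the file $2 as its chain? Mirrors what curl/Facebook's
# crawler do: intermediates must come from the server, not the client.
chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Live check of a deployed server (not run in this demo): how many
# certificates does it actually send? 1 means the intermediate is missing.
served_cert_count() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

demo_dir=$(mktemp -d)
make_test_pki "$demo_dir"
echo "cert.pem holds $(count_certs "$demo_dir/cert.pem") certificate(s)"
echo "fullchain.pem holds $(count_certs "$demo_dir/fullchain.pem") certificate(s)"
if chain_verifies "$demo_dir/root.pem" "$demo_dir/cert.pem" "$demo_dir/cert.pem"; then
    echo "serving cert.pem: verifies"
else
    echo "serving cert.pem: FAILS (unable to get local issuer certificate)"
fi
if chain_verifies "$demo_dir/root.pem" "$demo_dir/fullchain.pem" "$demo_dir/cert.pem"; then
    echo "serving fullchain.pem: verifies"
fi
rm -rf "$demo_dir"
```

Against a real host, `served_cert_count acttheatre.org` returning 1 is the same symptom the original post shows (one entry under "Certificate chain"); after the fix it should return at least 2. On Apache 2.4.8 or later the fix is to point SSLCertificateFile at fullchain.pem rather than cert.pem, since that version reads any intermediates appended to that file; older versions need SSLCertificateChainFile pointing at chain.pem in addition.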

#5

Thank you all for your quick responses! It was in fact fixed with the fullchain.pem

Onward!


#6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.