Facebook developers tool error: Error de cURL: 60 (SSL_CACERT)


#1

Hi, I have a problem with the certificate, my blog page it’s work fine and the https it’s works correctly, but when I share a post with facebook the preview is wrong, the developers facebook tools say “Error de cURL: 60 (SSL_CACERT)”


#2

Hi,

Can you share us your domain?

Thank you


#3

blog.gallereplay.com


#4

Hi @FeloPincheira,

You are including two certificates not related to LE in your Apache conf (number 1 and 2):

$ echo | openssl s_client -connect blog.gallereplay.com:443 -servername blog.gallereplay.com 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=blog.gallereplay.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA
   i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
 2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
   i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
---

and the output of above command should look like this (including only LE intermediate cert)

$ echo | openssl s_client -connect blog.gallereplay.com:443 -servername blog.gallereplay.com 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=blog.gallereplay.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

I don’t know how you issued the cert nor the Apache version you are using but if you used certbot and Apache 2.4.8 or higher you should point your SSLCertificateFile directive to /etc/letsencrypt/...../fullchain.pem instead of cert.pem or whatever file you have created adding above Comodo extra certs.

Cheers,
sahsanu


#5

Thank you @sahsanu for your answer, I used this tutorial https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/ to generate and install the certificate and then this tutorial to enable the configuration https://docs.bitnami.com/general/components/apache/#how-to-enable-https-support-with-ssl-certificates, I use apache version < 2.4.8 with bitnami (in aws server), before let’s encrypt I had other certificate, maybe for that reason I have linked two certificates not related to LE.

I will check, thank you


#6

@FeloPincheira, as you are using an Apache Server below version 2.4.8, then the certificates should be defined using 3 directives:

SSLCertificateFile    File containing your cert
SSLCertificateKeyFile File containing your private key
SSLCertificateChainFile File contain intermediate certificates to complete the chain

Checking bitnami, the intermediate cert should be included in file server-ca.crt so Apache directives should look like this:

SSLCertificateFile    "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"
SSLCertificateChainFile "/opt/bitnami/apache2/conf/server-ca.crt"

Well, seems lego creates the file /etc/lego/certificates/domain.crt containing both, your cert and LE intermediate cert but you need to split that file. You can do it manually or using something like this:

sudo cd /etc/lego/certificates/
sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "domain." c ".pem"}' < domain.crt

This will create 2 files, domain.1.pem containing your cert and domain.2.pem containing the intermediate cert so you should link bitnami files to this new ones.

sudo mv /opt/bitnami/nginx/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/nginx/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/nginx/conf/server-ca.crt /opt/bitnami/apache2/conf/server-ca.crt.old

sudo ln -s /etc/lego/certificates/domain.1.pem /opt/bitnami/apache2/conf/server.crt
sudo ln -s /etc/lego/certificates/domain.key /opt/bitnami/apache2/conf/server.key
sudo ln -s /etc/lego/certificates/domain.2.pem /opt/bitnami/apache2/conf/server-ca.crt

Edit: changed .crt extension to .pem in ln commands.

Keep in mind that this process should be repeated every time you renew the certs.

In the doc you linked above, they say that you should create a script like this:

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo /opt/bitnami/ctlscript.sh start apache

As you are following that guide you should add the split step:

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /usr/local/bin/lego --email="EMAIL-ADDRESS" --domains="DOMAIN" --path="/etc/lego" renew
sudo cd /etc/lego/certificates/
sudo awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "domain." c ".pem"}' < domain.crt
sudo /opt/bitnami/ctlscript.sh start apache

Or you could upgrade to a newer Apache version :wink:

Cheers,
sahsanu


#7

Super nice use of awk!


#8

@sahsanu thank you, that works perfect.


#9

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.