Fake LE Intermediate and Root X1


#1

Hi All!

Domain in question is: gallery.clubyachats.com
Server version: Apache/2.4.29 (Linux/SUSE)
OS is: openSUSE Tumbleweed (rolling release) x86_64 GNU/Linux
My hosting provider is: SELF HOSTED
I can login to a root shell on my machine… YES
I’m NOT using a control panel to manage my site, No

I have successfully installed several certificates for my domains that are now getting close to their expiration date(s).
All certificates are rated A+ at ssllabs.com EXCEPT gallery.clubyachats.com for which I have only recently requested certificates via certbot. (I left the cert and configuration in place, but removed the automatic redirect.)

https://www.ssllabs.com/ssltest/analyze.html?d=gallery.clubyachats.com&latest.

For some reason gallery’s cert has a trust issue… “Issuer: CN = Fake LE Intermediate X1”

The following information should be helpful for any one willing to help me troubleshoot whatever issue(s) exist.

I ran this command:

certbot --apache --agree-tos --hsts --staple-ocsp --must-staple -d gallery.clubyachats.com

And received this interactive output:

Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/certbot/renewal/gallery.clubyachats.com.conf)

What would you like to do?
-------------------------------------------------------------------------------
1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for gallery.clubyachats.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate for gallery.clubyachats.com to VirtualHost /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf
Adding Strict-Transport-Security header to ssl vhost in /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
-------------------------------------------------------------------------------
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/vhosts.d/0.gallery.clubyachats.com.conf to ssl vhost in /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf
OCSP Stapling was enabled on SSL Vhost: /etc/apache2/vhosts.d/0.gallery.clubyachats.com-le-ssl.conf.

Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://gallery.clubyachats.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=gallery.clubyachats.com

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/certbot/live/gallery.clubyachats.com/fullchain.pem
    Your key file has been saved at:
    /etc/certbot/live/gallery.clubyachats.com/privkey.pem
    Your cert will expire on 2018-06-11. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

===============================================================================

OpenSSL gives this output:

openssl x509 -in /etc/certbot/live/gallery.clubyachats.com/cert.pem -text | grep Issuer
Issuer: CN = Fake LE Intermediate X1
CA Issuers - URI:http://cert.stg-int-x1.letsencrypt.org/
openssl x509 -in /etc/certbot/live/gallery.clubyachats.com/chain.pem -text | grep Issuer
Issuer: CN = Fake LE Root X1
CA Issuers - URI:http://cert.stg-root-x1.letsencrypt.org/

===============================================================================

This is a GREAT learning experience.
Thanks in Advance!
Rip


#2

Check if you have a /etc/certbot/cli.conf file and if it sets something like “staging = true” or “test-cert = true”.


#3

Thanks @mnordhoff !
For the record, here’s the clip from /etc/certbot/cli.ini:

#The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory

#The production server.

#server = https://acme-v01.api.letsencrypt.org/directory

I’ll fix that up and try the request again…
commented out #server = https://acme-staging.api.letsencrypt.org/directory

Now the production server.

server = https://acme-v01.api.letsencrypt.org/directory
I’ll update the thread after I test the request again.


#4

The “Fake LE Intermediate and Root X1” issue is fixed.

/etc/certbot/cli.ini was pointing at the “staging server” and this created the wrong environment for receiving a production certificate.

Verify the chain with this command:

echo | openssl s_client -connect gallery.clubyachats.com:443 -servername gallery.clubyachats.com 2>/dev/null | awk '/Certificate chain/,/---/'

To get this output:

Certificate chain
 0 s:/CN=gallery.clubyachats.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

Thanks to @mnordhoff for QUICKLY pointing me in the right direction!

Cheers
Rip
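The two checks from this thread (#2: look for a staging setting in certbot's config; #4: look at who issued the cert) as one added shell example, not code from the thread or from certbot. The sample config text is constructed to mirror the cli.ini clip above; the file paths and the `check_host` helper are assumptions.

```sh
#!/bin/sh
# Added example: flag a certbot config that still selects the Let's Encrypt
# staging environment, and flag a certificate issued by a staging ("Fake LE") CA.

# Return 0 if the given certbot cli.ini text selects staging.
# Leading whitespace is stripped and '#' comment lines are ignored, as certbot does.
certbot_cfg_uses_staging() {
  printf '%s\n' "$1" \
    | sed 's/^[[:space:]]*//' \
    | grep -v '^#' \
    | grep -Eiq '^(staging|test-cert)[[:space:]]*=[[:space:]]*(true|1)|^server[[:space:]]*=.*acme-staging'
}

# Return 0 if an issuer string (e.g. from `openssl x509 -noout -issuer`)
# names a Let's Encrypt staging CA rather than a production one.
issuer_is_staging() {
  printf '%s\n' "$1" | grep -Eiq 'Fake LE (Intermediate|Root)|stg-(int|root)-x1'
}

# Constructed sample: the cli.ini from the thread before the fix...
SAMPLE_CFG_BEFORE='#The staging/testing server
server = https://acme-staging.api.letsencrypt.org/directory
#The production server.
#server = https://acme-v01.api.letsencrypt.org/directory'

# ...and after the staging line was commented out.
SAMPLE_CFG_AFTER='#server = https://acme-staging.api.letsencrypt.org/directory
server = https://acme-v01.api.letsencrypt.org/directory'

# Live check on a host (assumed paths; each step is skipped if the file is missing).
check_host() {
  cfg=${1:-/etc/certbot/cli.ini}; cert=${2:-}
  [ -r "$cfg" ] && certbot_cfg_uses_staging "$(cat "$cfg")" \
    && echo "WARN: $cfg selects the staging ACME server"
  if [ -r "$cert" ] && command -v openssl >/dev/null 2>&1; then
    issuer=$(openssl x509 -in "$cert" -noout -issuer)
    issuer_is_staging "$issuer" && echo "WARN: $cert was issued by a staging CA: $issuer"
  fi
  return 0
}
```

Run `check_host /etc/certbot/cli.ini /etc/certbot/live/<domain>/cert.pem` before trusting a freshly issued certificate; a clean run prints nothing.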

