I ran this command:
openssl verify cert.pem
It produced this output:
error 20 at 0 depth lookup: unable to get local issuer certificate
error cert.pem: verification failed
My web server is: nginx/1.12.1
The operating system my web server runs on is (include version): Ubuntu 17.10
I can login to a root shell on my machine: yes
I'm using a control panel to manage my site: no
Help me, please
Hi,
Usually we use the fullchain.pem instead of cert.pem to verify the cert.
Thank you
I might suggest
openssl verify chain.pem
openssl verify -CAfile chain.pem cert.pem
chain.pem: OK
cert.pem: OK
I can not use a CURL in PHP.
Fatal error: Curl failed with error #60: SSL certificate problem: unable to get local issuer certificateInteresting! Could you tell us an example URL that you’re trying to access that gives this error?
Do you get a similar error if you try to access the URL on the command line with curl -v?
I can not send my request to my site, but it turned out to google
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
HTTPS-proxy has similar options --proxy-cacert and --proxy-insecure.
Do you have a complete, working root certificate bundle in /etc/ssl/certs?
Could you also try connecting with openssl s_client -connect worldmin.ru:443 -servername worldmin.ru? This will output the certificates themselves when connecting, so you can see whether they’re the expected ones.
When I connected to your site with curl, I didn’t have any problems!
Posted by
openssl s_client -connect site.ru:443 -servername site.ru
I got a lot of information…
It’s very strange that I can spar my site from another ip, but I can not do it from my own
The certificates should be at the top. Before the certificate PEM data, you should see
Certificate chain
0 s:/CN=worldmin.ru
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
Certificate chain
0 s:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5a84df801e163
i:/C=US/ST=State/L=Locality/O=pfSense webConfigurator Self-Signed Certificate/emailAddress=admin@pfSense.localdomain/CN=pfSense-5a84df801e163
Well, that’s definitely the source of the problem! Any idea why you’re connecting to a pfSense firewall here rather than directly to the server?
The pfSense firewall here is proxying your connection to the server and not allowing a direct TLS session to be established.
Thanks! And what do you recommend to do?
Figure out who runs the firewall and why connections from that machine are being routed through it. (If it’s running on that machine, then it might be something about the machine’s own network configuration.)
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.