Including intermediate certificates from Letsencrypt in Nginx SSL setup

My domain is: api.quickchat.ai

I ran this command: SSL test via: https://www.ssllabs.com/ssltest/analyze.html?d=api.quickchat.ai&hideResults=on

It produced this output: Chain issue: incomplete

My web server is (include version): nginx/1.18.0 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

I can login to a root shell on my machine (yes or no, or I don't know): yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

I'm running a daphne server using the following command: daphne -u /run/daphne/daphne%(process_num)d.sock -e ssl:443:privateKey=/etc/letsencrypt/live/api.quickchat.ai/privkey.pem:certKey=/etc/letsencrypt/live/api.quickchat.ai/fullchain.pem --access-log - xxx:application

According to this webhook guide (core.telegram.org/bots/webhooks), incomplete chain indicates that there are some missing intermediate certificates in fullchain.pem and that I need to provide them in the correct order.

I've tried including some from letsencrypt.org/certificates but no luck so far. Could you please provide some guidance on what the problem could be?

Another piece of evidence is when I hit my server with a POST request using the Python requests package, it says: certificate verify failed: unable to get local issuer certificate

Thanks!

Hello @piotrgrudzien,

As you are using certbot and nginx, you should point the ssl_certificate directive in nginx to fullchain.pem (this file includes your cert and the intermediate cert).

ssl_certificate /etc/letsencrypt/live/yourdomain.tld/fullchain.pem;

Remember to reload nginx after the change.

Cheers,
sahsanu

Thanks for the quick reply!

That was the first thing I'd tried and now I think it's possible there's something wrong in my Nginx config. Do you happen to have an example Nginx config where that's set up correctly?

Better show your conf, because you are serving https on port 80 as well.

Hi @piotrgrudzien

Your configuration is buggy, but curiously buggy.

Your port 443 doesn't send the intermediate certificate (included in fullchain.pem, so that should work):

> G:\OpenSSL-Win64\bin>openssl s_client -connect api.quickchat.ai:443 -servername api.quickchat.ai
> CONNECTED(000001AC)
> depth=0 CN = api.quickchat.ai
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 CN = api.quickchat.ai
> verify error:num=21:unable to verify the first certificate
> verify return:1
> ---
> Certificate chain
>  0 s:CN = api.quickchat.ai
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> ---
> Server certificate

But your port 80 is an https port too:

http://api.quickchat.ai/

400 Bad Request

The plain HTTP request was sent to HTTPS port

https://api.quickchat.ai:80/ works.

And checking that port

> G:\OpenSSL-Win64\bin>openssl s_client -connect api.quickchat.ai:80 -servername api.quickchat.ai
> CONNECTED(000001AC)
> depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
> verify error:num=20:unable to get local issuer certificate
> ---
> Certificate chain
>  0 s:CN = api.quickchat.ai
>    i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>  1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
>    i:O = Digital Signature Trust Co., CN = DST Root CA X3
> ---
> Server certificate

The intermediate certificate is sent.

So your port 80 has the correct ssl configuration.

PS: Why is that output bold?

PPS: Removed the bold via `
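
The two `openssl s_client` captures above are the whole diagnosis: port 443 presents only the leaf, port 80 presents leaf plus intermediate. The following is an added example (not code from the thread) that parses the "Certificate chain" block of such output and classifies it the way SSL Labs does; the sample outputs are constructed to mirror the two captures, and the DST root is assumed to be a trust anchor in the client's store.

```python
import re

# Constructed samples mirroring the two `openssl s_client` captures above:
# port 443 sent only the leaf, port 80 sent leaf plus intermediate.
PORT_443_OUTPUT = """Certificate chain
 0 s:CN = api.quickchat.ai
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Server certificate"""
PORT_80_OUTPUT = """Certificate chain
 0 s:CN = api.quickchat.ai
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate"""
# Assumed trust anchor: the root named in the thread's port-80 output.
TRUSTED_ROOTS = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}
SUBJECT_RE = re.compile(r"^\s*\d+ s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, in_chain, subject = [], False, None
    for line in s_client_output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
        elif in_chain and line.strip() == "---":
            break  # end of the chain block
        elif in_chain:
            m = SUBJECT_RE.match(line)
            if m:
                subject = m.group(1).strip()
                continue
            m = ISSUER_RE.match(line)
            if m and subject is not None:
                chain.append((subject, m.group(1).strip()))
                subject = None
    return chain


def chain_status(chain, trusted_roots=TRUSTED_ROOTS):
    """'complete' if each cert is followed by its issuer up to a trusted root,
    'incomplete' if a link is missing (SSL Labs' wording), 'empty' if none."""
    if not chain:
        return "empty"
    for idx, (_subject, issuer) in enumerate(chain):
        if issuer in trusted_roots:
            return "complete"  # client finishes the path from its own store
        if idx + 1 >= len(chain) or chain[idx + 1][0] != issuer:
            return "incomplete"  # next cert absent or not the issuer
```

Feed it the real output of `openssl s_client -connect host:port -servername host` to check a listener before pointing a client at it.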

Yes, you're right, that solves my problem! Thanks a lot!