Let's Encrypt cert not recognized for cronjob

Hi All,

On Jan 6th, the certificate updated and seems to work in browser, but a cron job we had running to update data on the website stopped running. The error (listed below) indicated it failed because it could not authenticate the certificate. I even removed the certs and created a new request, and still it fails. As a workaround I'm using the command --no-check-certificate, but it would be nice for it to go back to recognizing the cert. Because the command runs on the same server as the site, I did test the wget command from external servers to confirm it wasn't an issue with the host server. :confused:

It had been running fine for almost a year until the cert update.

Any advice or assistance would be appreciated.

-Ron

My domain is: https://www.wannagohome.com

I ran this command: wget -O /dev/null https://www.wannagohome.com/?rets_import_cron_job=1

It produced this output: WARNING: cannot verify www.wannagohome.com's certificate, issued by '/C=US/O=Let's Encrypt/CN=R3': Unable to locally verify the issuer's authority.

My web server is (include version): Apache version 2.4.6

The operating system my web server runs on is (include version): CentOS Linux 7.9.2009

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): Webmin 1.962 with Virtualmin

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): Not sure

1 Like

Welcome to the Let's Encrypt Community, Ron :slightly_smiling_face:

I have a strong feeling that you have the old intermediate certificate "pinned" in the verification process somewhere rather than the new intermediate certificate.

As @JuergenAuer mentions below, you could probably resolve this by serving both your certificate and the intermediate certificate.


Certificate History

Hi @ronearl

Your chain is incomplete - see https://check-your-website.server-daten.de/?q=wannagohome.com#connections

The Let's Encrypt intermediate certificate is missing.

Use fullchain.pem instead of cert.pem.

PS: Your server sends only one certificate, so your server doesn't send the wrong / old certificate.

2 Likes
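
Why fullchain.pem works where cert.pem does not, as an added example that is not part of the original thread: a client that trusts only a root CA is sent first the leaf alone, then the leaf plus the intermediate. The PKI is a constructed throwaway one built with openssl; the "Example ..." subject names, the temporary work directory and the helper function names are assumptions made for the illustration.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# All subject names and helper names are made up for the illustration.

build_pki() {  # $1 = empty work directory
  local d=$1 n
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  for n in root int leaf; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
  done
  # Self-signed root: the only certificate the client trusts.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
  # Intermediate signed by the root (plays the role R3 has in the thread).
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null || return 1
  # Leaf signed by the intermediate: this alone is what cert.pem holds.
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/cert.pem" 2>/dev/null || return 1
  # fullchain.pem = leaf followed by the intermediate.
  cat "$d/cert.pem" "$d/int.pem" > "$d/fullchain.pem"
}

count_certs() {  # number of PEM certificates in file $1
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Model a client that trusts only root $1 and is sent the certificates in $2.
# The first certificate in $2 is the one verified; the whole file is offered
# as untrusted chain material, the way a TLS server would send it.
verify_served() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" 2>&1
}

work=$(mktemp -d) && build_pki "$work" || exit 1
for f in cert.pem fullchain.pem; do
  echo "== server sends $f ($(count_certs "$work/$f") certificate(s))"
  verify_served "$work/root.pem" "$work/$f" || echo "-> issuer cannot be found"
done
rm -rf "$work"
```

A browser can hide this misconfiguration because it may already hold the intermediate from another source, while a client that relies only on its local root store and what the server sends has no way to build the chain.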

@JuergenAuer

While you are absolutely correct about the R3 intermediate not being served, the fact that all the previous (LEA X3 issued) certificates have worked while the new (R3 issued) certificates have not worked led me to believe that wget might have the LEA X3 intermediate pinned somewhere. Does this seem reasonable?

1 Like

Hi @griffin and @JuergenAuer,

Thank you for your quick response. I was going to be squeamish and say I didn't know how to make those updates because it was a 1-click process to install the cert. I looked through the tabs under the SSL installation, and was able to change which file it linked. In this case it was ssl.combined instead of the previous ssl.ca file.

After the update, the wget no longer complained about the cert.

I hope my overwriting is permanent and won't revert with the next update. :crossed_fingers:

Thank you again.

-Ron

2 Likes
