Gives the error: TLS handshake error: error:1414D172:SSL routines:tls12_check_peer_sigalg:wrong signature type
My web server is (include version):
Apache 2.4 on MacOS 10.11.6 (El Capitan) with Server 5.2
I can login to a root shell: Yes
The version of my client: certbot 1.7.0
I am baffled. After renewing the certificates, and running the exact same commands as in previous renewals, the sites all exhibit this error "invalid certificate"... When checking my chain, I get a collection of different responses, with the above error regarding the handshake being both the most cryptic to me and also where I suspect the actual issue lies.
Everything seemed to be fine until this week.
Any thoughts are welcome at this point, Thank you.
The thing that stands out to me is that your certificate chain seems to be misconfigured: Your webserver is serving a legitimate leaf certificate for myndex.com, but instead of serving the Let's Encrypt R3 intermediate along with it, there's a self-signed certificate for MyndexServer.myn
Your apache config should have something like this in it:
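As an added illustration of the directives the reply above refers to (this is not the replier's own snippet, and the Certbot `/etc/letsencrypt/live/<domain>/` path layout and the vhost shape are assumptions), here is the difference between serving a stray self-signed certificate and serving Certbot's `fullchain.pem`, which contains the leaf followed by the Let's Encrypt intermediate:

```apache
# Added example, not the replier's configuration. Paths follow Certbot's default
# /etc/letsencrypt/live/<domain>/ layout; myndex.com is the domain from the thread.
<VirtualHost *:443>
    ServerName myndex.com
    SSLEngine on

    # WRONG: a self-signed server certificate exported from the keychain, or cert.pem
    # on its own, gives clients a leaf with no intermediate, so they cannot build
    # a path to the trusted root and report an invalid certificate.
    # SSLCertificateFile /path/to/self-signed-server.crt

    # RIGHT (Apache 2.4.8 and later): fullchain.pem holds the leaf followed by the
    # Let's Encrypt intermediate (R3), so the server sends both in the handshake.
    SSLCertificateFile    /etc/letsencrypt/live/myndex.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/myndex.com/privkey.pem

    # Apache older than 2.4.8 does not read the chain from SSLCertificateFile and
    # needs the intermediate supplied separately:
    # SSLCertificateFile      /etc/letsencrypt/live/myndex.com/cert.pem
    # SSLCertificateChainFile /etc/letsencrypt/live/myndex.com/chain.pem
</VirtualHost>
```

After editing, `apachectl configtest` catches syntax and unreadable-file problems, and `openssl s_client -connect myndex.com:443 -servername myndex.com -showcerts </dev/null` shows exactly which certificates the server now sends; the second one in that output should be the Let's Encrypt intermediate, not a self-signed server certificate.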
The "WhatsMyChain..." website will not generate a chain with that error present. However, that error is NOT present in the default site (???) (the handshake is a separate issue I need to track down).
After generating the cert chain including root, and after deleting all the related certs including the intermediate and root, I installed the newly generated/corrected chain file into the system keychain.
Then I restarted the HTTPD and voilà, it works with no "invalid cert" error.
SEPARATE: there is still the handshake error, but at least the sites are now working again.
TAKEAWAY: I have reason to believe the problem here relates to how MacOS handles the keychain(s) and that earlier attempts to solve this resulted in an ISRG X1 root being installed that was causing a conflict. This was (I believe) due to an ISRG root with an expiration of 2025 existing in the keychain. The ISRG root now installed expires 2035.
"Legacy" OSX, through I think 10.14, has an issue with the long chain because the expired ISRG Root X1 is in its Trust Store. For most platform versions affected by this, the easiest fix is to just remove the X1 certificate from the Keychain Access and OpenSSL trust stores.
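The two failure modes discussed in the replies (a self-signed certificate sent where the intermediate belongs, and an expired root sitting in a chain or trust store) can both be caught by walking a PEM bundle the way a TLS client does. The script below is an added example, not something posted in the thread: it builds a throwaway root, intermediate and leaf with `openssl` (the names Example Root, Example Intermediate, www.example.com and MyServer.local are constructed stand-ins for ISRG Root X1, R3, the site and the stray server certificate), then checks that every certificate is unexpired and that each one's issuer is the subject of the certificate that follows it.

```sh
#!/bin/sh
# Added example (not from the thread). Builds a constructed PKI with openssl and
# checks PEM bundles for the problems described above: expired certificates,
# a self-signed leaf, and a self-signed certificate served in place of the issuer.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# -nameopt RFC2253 gives identical subject/issuer formatting across openssl versions,
# so the strings can be compared directly.
subject_of() { openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//'; }
# -checkend 0 exits 0 while the certificate is still valid, 1 once it has expired.
is_expired() { ! openssl x509 -noout -checkend 0 -in "$1" >/dev/null; }

# check_bundle FILE: prints "ok" when the bundle is a well-formed chain in
# leaf-first order, otherwise prints the first problem found.
check_bundle() {
    dir=$(mktemp -d)
    # split the bundle into cert1.pem, cert2.pem, ... in order of appearance
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > (d "/cert" n ".pem")}' "$1"
    n=$(ls "$dir" | wc -l | tr -d ' ')
    verdict=ok
    [ "$n" -gt 0 ] || verdict="no certificates found in $1"
    i=1
    while [ "$i" -le "$n" ]; do
        cur="$dir/cert$i.pem"
        if is_expired "$cur"; then
            verdict="expired: $(subject_of "$cur")"; break
        fi
        if [ "$i" -eq 1 ] && [ "$(subject_of "$cur")" = "$(issuer_of "$cur")" ]; then
            verdict="self-signed leaf: $(subject_of "$cur")"; break
        fi
        if [ "$i" -lt "$n" ]; then
            nxt="$dir/cert$((i + 1)).pem"
            if [ "$(issuer_of "$cur")" != "$(subject_of "$nxt")" ]; then
                if [ "$(subject_of "$nxt")" = "$(issuer_of "$nxt")" ]; then
                    verdict="self-signed certificate served where the issuer of '$(subject_of "$cur")' was expected: $(subject_of "$nxt")"
                else
                    verdict="broken link: '$(subject_of "$cur")' was issued by '$(issuer_of "$cur")' but is followed by '$(subject_of "$nxt")'"
                fi
                break
            fi
        fi
        i=$((i + 1))
    done
    rm -rf "$dir"
    echo "$verdict"
}

# --- constructed throwaway PKI: Example Root -> Example Intermediate -> leaf ---
gen_key() { openssl ecparam -name prime256v1 -genkey -noout -out "$1"; }
gen_key root.key; gen_key int.key; gen_key leaf.key; gen_key self.key
openssl req -x509 -new -key root.key -days 3650 -subj "/CN=Example Root" -out root.pem 2>/dev/null
openssl req -new -key int.key -subj "/CN=Example Intermediate" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1825 -out int.pem 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=www.example.com" -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 90 -out leaf.pem 2>/dev/null
# the stray self-signed server certificate that was being served instead of the intermediate
openssl req -x509 -new -key self.key -days 365 -subj "/CN=MyServer.local" -out self.pem 2>/dev/null

cat leaf.pem int.pem  > good.pem   # what Certbot's fullchain.pem looks like
cat leaf.pem self.pem > bad.pem    # what the misconfigured server was sending

echo "good.pem: $(check_bundle good.pem)"
echo "bad.pem:  $(check_bundle bad.pem)"
```

To run the same check against a live server rather than a file on disk, capture what it actually sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>/dev/null | sed -n '/BEGIN CERT/,/END CERT/p' > served.pem` and pass `served.pem` to `check_bundle`; the expiry test is what flags a stale root that has been appended to a chain, which is the situation the last reply describes.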