NET::ERR_CERT_AUTHORITY_INVALID error on my website


#1

Hello!

All of a sudden I’m receiving this error when browsing my website https://solocodigo.com

Does anyone know what might be going on?

Any help will be appreciated.

Sergio


#2

I am facing the same issue at the moment.


#3

Hola @indomito,

Your web server is not serving the intermediate certificate:

$ echo | openssl s_client -connect solocodigo.com:443 -servername solocodigo.com 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=solocodigo.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---

And the output of the above command should be:

Certificate chain
 0 s:/CN=solocodigo.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

I don’t know what your web server is, but you should serve the fullchain.pem file as the certificate file instead of the cert.pem file, or you should use cert.pem and chain.pem. I have no idea how to configure this in your CentOS WebPanel, but the problem is that you are not serving the intermediate certificate for Let’s Encrypt and you should ;).

Un saludo,
sahsanu


#4

I have the same problem. Until yesterday everything was fine. Today I am getting errors with Chrome and iPhone, Firefox is still fine.

I cannot renew the cert, because it is still valid. I am using the certbot and serving the fullchain.pem.

Thank you in advance!


#5

Hi @volkerh,

What is your domain name?

Cheers,
sahsanu


#6

It's analytics.ihubserver.de


#7

@volkerh, double check your web server config because you are not serving the intermediate cert either:

$ echo | openssl s_client -connect analytics.ihubserver.de:443 -servername analytics.ihubserver.de 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=analytics.ihubserver.de
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---

#8

Thanks a lot @sahsanu

I compared the fullchain and cert.pem by diff -y fullchain.pem cert.pem resulting in the same file.

Why is that and how to correct it?


#9

I don’t know how that happened but fullchain.pem is the concatenation of cert.pem and chain.pem, so you should add the chain.pem content to your fullchain.pem.

In case you don’t have the intermediate cert you can get it here https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem.txt

But, it is really strange and you should review the process to know how fullchain.pem is not including the intermediate cert.


#10

Hola sahsanu,

I was missing the chain.crt file. For some reason my SSLCertificateChainFile was pointing to a solocodigo.com.bundle file that was empty. I reissued the certificate and I got a chain.crt file. Looks like it’s working now :slight_smile:

Muchas gracias!


#11

Buenas @indomito,

Perfecto :wink: , I’m glad you got it working now.

Un placer,
sahsanu


#12

I have the same problem also.
2018-03-11_180001
I changed this configuration, but it is not OK?


#13

Hi @Hgg,

Show the output of this command:

cat /home/pc_apa01/instance/https/ca/fullchain.pem

Cheers,
sahsanu


#14

cat fullchain.pem

-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----

Today the problem suddenly appeared.


#15

This is the previous configuration
2018-03-11_183615

thanks


#16

@hgg, your fullchain.pem seems correct (it contains the certificate issued today and the right intermediate cert), also, your web server is also serving the certificate issued today but not the intermediate cert.

What is the entire Apache VirtualHost conf for your domain? Do you see any error in your Apache logs?

I see now your last post showing you were using cert.pem, could you please restart the Apache web server again?


#17

I have restarted the Apache server, but this problem still appears.


#18

Then you need to figure out why Apache is not loading the fullchain.pem.

Also, show the output of these commands:

ls -la /home/pc_apa01/instance/https/ca/

namei -l /home/pc_apa01/instance/https/ca/


#19

@Hgg, I see you are making progress but now you are serving the cert and fullchain (both of them).

$ echo | openssl s_client -connect www.wgats.cn:443 -servername www.wgats.cn 2>/dev/null | awk '/Certificate chain/,/---/'
Certificate chain
 0 s:/CN=www.wgats.cn
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=www.wgats.cn
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---

I don’t know what Apache version you are using, if it is 2.4.8 or above you should use this:

SSLCertificateFile /home/pc_apa01/instance/https/ca/fullchain.pem
SSLCertificateKeyFile /home/pc_apa01/instance/https/ca/privkey.pem

If you are using a version below 2.4.8 you should use this:

SSLCertificateFile /home/pc_apa01/instance/https/ca/cert.pem
SSLCertificateKeyFile /home/pc_apa01/instance/https/ca/privkey.pem
SSLCertificateChainFile /home/pc_apa01/instance/https/ca/chain.pem
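
An added example (not part of the thread, and not code from any poster): a shell function that classifies the "Certificate chain" section printed by the openssl s_client command used above, separating the three cases seen in this thread: leaf only, leaf sent twice, and a complete chain. The function name and verdict words are hypothetical; the sample inputs are the chain outputs quoted in the posts.

```shell
# Reads a "Certificate chain" section on stdin and prints one verdict word.
diagnose_chain() {
    awk '
        /^ *[0-9]+ s:/ { n++; sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; next }
        /^ *i:/        { sub(/^ *i:/, ""); iss[n] = $0; next }
        END {
            if (n == 0) { print "no-certificates"; exit }
            # Leaf subject repeated: cert.pem and fullchain.pem are both being loaded.
            for (k = 2; k <= n; k++)
                if (subj[k] == subj[1]) { print "duplicate-leaf"; exit }
            # A lone leaf issued by someone else: the intermediate is not sent.
            if (n == 1 && subj[1] != iss[1]) { print "missing-intermediate"; exit }
            # Each issuer must be the subject of the next certificate sent.
            for (k = 1; k < n; k++)
                if (iss[k] != subj[k + 1]) { print "broken-order"; exit }
            print "ok"
        }'
}

# Sample inputs: the three chain outputs quoted in the thread.
sample_leaf_only() { cat <<'EOF'
Certificate chain
 0 s:/CN=solocodigo.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
EOF
}
sample_full() { cat <<'EOF'
Certificate chain
 0 s:/CN=solocodigo.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}
sample_duplicate() { cat <<'EOF'
Certificate chain
 0 s:/CN=www.wgats.cn
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=www.wgats.cn
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
EOF
}

for s in sample_leaf_only sample_full sample_duplicate; do printf '%s: %s\n' "$s" "$("$s" | diagnose_chain)"; done
```

Against a live server, pipe the output of the s_client command from the posts above into diagnose_chain instead of a sample.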

#20

Thanks a lot @sahsanu, this problem is solved. We modified the web.conf:

SSLEngine On
SSLCertificateFile "/home/pc_apa01/instance/https/ca/cert.pem"
SSLCertificateKeyFile "/home/pc_apa01/instance/https/ca/privkey.pem"
add the SSLCertificateChainFile "/home/pc_apa01/instance/https/ca/fullchain.pem"

and restart Apache, that’s OK!
Thank you very much @sahsanu.
But we haven’t met this problem before, I don’t know why this is the problem.