Nginx + acme + letsencrypt: Unable to get local issuer certificate

Hello.

dom.ru domain was indicated for the purpose of an example.

My system: FreeBSD 13.1
Software versions:
nginx/1.22.0
acme.sh v3.0.4

I obtain a certificate:
acme.sh --issue -d dom.ru -d www.dom.ru -w /usr/local/www/cert --server letsencrypt

Certificates are created.

-----END CERTIFICATE-----
[Wed Oct 12 16:54:54 +03 2022] Your cert is in: /var/db/acme/certs/dom.ru/dom.ru.cer
[Wed Oct 12 16:54:54 +03 2022] Your cert key is in: /var/db/acme/certs/dom.ru/dom.ru.key
[Wed Oct 12 16:54:54 +03 2022] The intermediate CA cert is in: /var/db/acme/certs/dom.ru/ca.cer
[Wed Oct 12 16:54:54 +03 2022] And the full chain certs is there: /var/db/acme/certs/dom.ru/fullchain.cer

I install the certificates for nginx:

acme.sh --install-cert -d dom.ru --cert-file /etc/nginx/acme.sh/dom.ru/dom.ru.pem --key-file /etc/nginx/acme.sh/dom.ru/key.pem --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem
[Wed Oct 12 17:03:46 +03 2022] Installing cert to: /etc/nginx/acme.sh/dom.ru/dom.ru.pem
[Wed Oct 12 17:03:46 +03 2022] Installing key to: /etc/nginx/acme.sh/dom.ru/key.pem
[Wed Oct 12 17:03:46 +03 2022] Installing full chain to: /etc/nginx/acme.sh/dom.ru/fullchain.pem

nginx virtual host dom.ru:

ssl_certificate /etc/nginx/acme.sh/dom.ru/dom.ru.pem;
ssl_certificate_key /etc/nginx/acme.sh/dom.ru/key.pem;
ssl_trusted_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;

I check the certificate and see an error:
Unable to get local issuer certificate. The site certificate or intermediate certificates may not have been installed correctly.

How to fix?

How did you do that exactly? Which command et cetera?

3 Likes

https://www.leaderssl.com/tools/ssl_checker
Checked here.

1 Like

#### Unable to get local issuer certificate. Most likely, the certificate or certificate chain is not installed correctly.

Here is more detailed information on verification.

It says there's a GlobalSign certificate installed for dom.ru.

3 Likes

dom.ru was indicated just as an example; I don't want to show my domain.

That directive doesn't do what you think it does.

You can keep the dhparams if you want them, but the other three lines should become these two:

ssl_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/dom.ru/key.pem;

4 Likes

Not understood.
Do I need to use this option with acme-issued certificates?
ssl_trusted_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
Why?

No.

You should use

  • ssl_certificate
  • ssl_certificate_key

Where ssl_certificate points to fullchain.pem and ssl_certificate_key points to the private key.

You should not use ssl_trusted_certificate unless you have a very good reason to. And even then, it's not used to send your certificate; it's to tell nginx what to trust when validating OCSP responses.

As for ssl_dhparam you can pretty much do whatever you want.

4 Likes

Without your actual domain name, it's nearly impossible to help you quickly and accurately, to the extent that it's actually mandatory to provide it to get help to begin with, as stated in the initial questionnaire of the Help section.

2 Likes

you need to configure the cert/key files in your side conf of nginx.

1 Like

side conf of nginx?

maybe "site" ?

1 Like

Almost certainly "site config". acme.sh does not have webserver installers like Certbot does, so the user needs to manually add the certificate/key to the webserver's configuration.

2 Likes

You're right.
It works.

ssl_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/dom.ru/key.pem;

It remains to understand how to properly renew certificates.

sorry, typo: site

1 Like

acme.sh --install-cert -d dom.ru --cert-file /etc/nginx/acme.sh/dom.ru/dom.ru.pem --key-file /etc/nginx/acme.sh/dom.ru/key.pem --fullchain-file /etc/nginx/acme.sh/dom.ru/fullchain.pem \
--reload-cmd  "service nginx reload"

2 Likes

acme.sh should have automated the renewals on install.
Check the cron jobs:
crontab -l

There should be a line with times and:
"/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

2 Likes

I thought about it; is this right?
I am using ssl_stapling.

ssl_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/dom.ru/key.pem;
#ssl_trusted_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_dhparam /usr/local/etc/nginx/dhparam.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1;
resolver_timeout 3s;

Do I need to validate the chain of trust of the OCSP response using the root CA and intermediate certificates?
ssl_trusted_certificate

No, you don't need to use ssl_trusted_certificate.

2 Likes
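The two answers above (ssl_certificate must point at fullchain.pem; ssl_trusted_certificate only matters for verifying OCSP responses under ssl_stapling) are the checks this small linter automates. It is an added example, not code from acme.sh, nginx or anyone in the thread: it reads the ssl_* directives of a server block, counts the PEM certificates in the file each one references, and flags a leaf-only ssl_certificate (the cause of "unable to get local issuer certificate") and a dead ssl_trusted_certificate. The sample files and PEM bodies are constructed placeholders, not real certificates.

```python
import re
# An active (not commented) directive: "ssl_xxx value;" with the value ending at ';' or '#'.
DIRECTIVE = re.compile(r"^\s*(ssl_\w+)\s+([^;#]+?)\s*;", re.M)
PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_ssl_directives(conf: str) -> dict:
    """Map each active ssl_* directive in a server block to its value."""
    return dict(DIRECTIVE.findall(conf))

def count_pem_certs(pem: str) -> int:
    """Number of PEM certificate blocks in a file: leaf-only is 1, a full chain is >= 2."""
    return len(PEM_CERT.findall(pem))

def lint(conf: str, read=lambda path: open(path).read()) -> list:
    """Return findings for one server block; an empty list means it looks right."""
    d = parse_ssl_directives(conf)
    findings = []
    cert = d.get("ssl_certificate")
    if cert is None:
        findings.append("no ssl_certificate directive in this server block")
    elif count_pem_certs(read(cert)) < 2:
        # Leaf served without its intermediate: clients that do not already have the
        # intermediate fail with "unable to get local issuer certificate".
        findings.append(f"ssl_certificate {cert} holds only the leaf; point it at fullchain.pem")
    if "ssl_trusted_certificate" in d and d.get("ssl_stapling") != "on":
        # ssl_trusted_certificate never adds to the served chain; nginx only uses it to
        # verify OCSP responses, so without stapling it is dead configuration.
        findings.append("ssl_trusted_certificate is set but ssl_stapling is off; remove it")
    return findings

# Constructed stand-ins for the files acme.sh --install-cert wrote; the PEM bodies are
# placeholders, not real certificates.
def _fake_cert(label: str) -> str:
    return f"-----BEGIN CERTIFICATE-----\n{label}\n-----END CERTIFICATE-----\n"

SAMPLE_FILES = {
    "/etc/nginx/acme.sh/dom.ru/dom.ru.pem": _fake_cert("LEAF"),
    "/etc/nginx/acme.sh/dom.ru/fullchain.pem": _fake_cert("LEAF") + _fake_cert("INTERMEDIATE"),
}
BROKEN_CONF = """ssl_certificate /etc/nginx/acme.sh/dom.ru/dom.ru.pem;
ssl_certificate_key /etc/nginx/acme.sh/dom.ru/key.pem;
ssl_trusted_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;"""
FIXED_CONF = """ssl_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_certificate_key /etc/nginx/acme.sh/dom.ru/key.pem;
#ssl_trusted_certificate /etc/nginx/acme.sh/dom.ru/fullchain.pem;
ssl_stapling on;"""

def lint_sample(conf: str) -> list:
    # Run the linter against the constructed files instead of the real filesystem.
    return lint(conf, read=SAMPLE_FILES.__getitem__)
```

On a real host, call lint() with the text of the server block and the default reader, which opens the referenced files from disk.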