Nginx with preferred-chain "ISRG Root X1" - still showing "DST Root CA X3"

Hi, I am using a CentOS server and upgrading SSL in nginx with --preferred-chain "ISRG Root X1".
Still I am facing DST Root CA X3 issues in my URLs, please help and suggest something effective asap!!

1 Like

Hi @Gagan welcome to the LE community forum :)

Please provide the FQDN having this issue so we may better understand the problem first hand and give you our best advice.
Also show the nginx HTTPS vhost config that covers that FQDN.

1 Like

url - old-nginx.capuchin.co

renewal conf

# renew_before_expiry = 30 days
version = 1.11.0
archive_dir = /etc/letsencrypt/archive/old-nginx.capuchin.co
cert = /etc/letsencrypt/live/old-nginx.capuchin.co/cert.pem
privkey = /etc/letsencrypt/live/old-nginx.capuchin.co/privkey.pem
chain = /etc/letsencrypt/live/old-nginx.capuchin.co/chain.pem
fullchain = /etc/letsencrypt/live/old-nginx.capuchin.co/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = nginx
installer = nginx
account = bc07c7a5519ba2192f3af98c141
manual_public_ip_logging_ok = None
server = https://acme-v02.api.letsencrypt.org/directory
preferred_chain = ISRG Root X1


nginx conf

server {
listen 80;
server_name old-nginx.capuchin.co;
rewrite ^ https://$http_host$request_uri? permanent;
}
server {
listen 443 ssl http2;
server_name old-nginx.capuchin.co;
root /var/www/html/index.html;
## ssl on;
ssl_certificate /etc/letsencrypt/live/old-nginx.capuchin.co/fullchain.pem;
#ssl_client_certificate /etc/letsencrypt/live/old-nginx.capuchin.co/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/old-nginx.capuchin.co/privkey.pem;
}

@rg305 please find the above information and suggest a solution, thanks!!

@Gagan
That is the certbot renewal.conf file.

1 Like
server {
listen 80;
server_name old-nginx.capuchin.co;
rewrite ^ https://$http_host$request_uri? permanent;
}
server{
listen 443 ssl http2;
server_name old-nginx.capuchin.co;
root /var/www/html/index.html;
## ssl on;
ssl_certificate /etc/letsencrypt/live/old-nginx.capuchin.co/fullchain.pem;
#ssl_client_certificate /etc/letsencrypt/live/old-nginx.capuchin.co/chain.pem;
ssl_certificate_key /etc/letsencrypt/live/old-nginx.capuchin.co/privkey.pem;
}

That doesn't seem to have taken effect:

openssl s_client -connect old-nginx.capuchin.co:443 -servername old-nginx.capuchin.co
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = old-nginx.capuchin.co
verify return:1
---
Certificate chain
 0 s:CN = old-nginx.capuchin.co
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

You may have to reissue the cert using --preferred-chain "ISRG Root X1"

2 Likes

2 posts were split to a new topic: Nginx - certbot - chain not updating

@rg305 please look into this

@Gagan
Look into what?
Please use more words.

1 Like

That certbot is too old to have the preferred-chain option.

Please update it to 1.12.0 or newer.

7 Likes

They seem to be using CentOS, this may be relevant regarding the outdated certbot version: RHEL/CentOS 7 OpenSSL client compatibility after new chain - #37 by FelixSchwarz

2 Likes

Hi team, --preferred-chain "ISRG Root X1" is working fine with nginx, but the URL is not working when renewing it on Apache. Please suggest something asap, this is a production issue.

@Gagan
Does Apache use the same cert files as nginx?
[is it in the same server?]

1 Like

No, we are using CentOS 6 with Apache version 2.2 to generate SSL. We are facing the issue on Apache.
On another server nginx is installed and the SSLs are working fine.

@rg305 please look into the above thread asap, the client will kill me otherwise!!

@Gagan
What do you want me to see?
I still see the same thing:

openssl s_client -connect old-nginx.capuchin.co:443 -servername old-nginx.capuchin.co
CONNECTED(00000005)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = old-nginx.capuchin.co
verify return:1
---
Certificate chain
 0 s:CN = old-nginx.capuchin.co
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

Did you?:

check this

openssl s_client -connect gagantest.tookan.in:443 -servername umeform.tookan.in
CONNECTED(00000003)
depth=0 CN = umeform.tookan.in
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = umeform.tookan.in
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=umeform.tookan.in
i:/C=US/O=Let's Encrypt/CN=R3
---
Server certificate
-----BEGIN CERTIFICATE-----

Certificate chain
0 s:/CN=umeform.tookan.in
i:/C=US/O=Let's Encrypt/CN=R3

There is no chain being served:
only the leaf cert is served.

Edit the webserver to serve fullchain instead of cert.
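
The two transcripts quoted in this thread show the two failure modes under discussion: a chain that still ends in the DST Root CA X3 cross-sign (the preferred chain did not take effect), and a server that sends only the leaf (the vhost points at cert.pem instead of fullchain.pem). As an added example, not code from the thread, from certbot or from Let's Encrypt, the following Python script parses the "Certificate chain" block of openssl s_client output and reports which case applies. The function names and the three sample transcripts are this example's own: the first two are constructed from the outputs quoted above, the third is constructed to show what a server sending the ISRG Root X1 chain looks like.

```python
# Added example, not code from the thread, certbot or Let's Encrypt: classify the
# chain a server sends from the text `openssl s_client -connect h:443 -servername h` prints.
import re
from typing import List, Tuple

_SUBJECT_RE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:CN = host" / "0 s:/CN=host"
_ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:C = US, ..." / "i:/C=US/..."


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return the (subject, issuer) pairs listed under 'Certificate chain'."""
    chain, in_block, subject = [], False, None
    for line in s_client_output.splitlines():
        stripped = line.strip()
        if stripped == "Certificate chain":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped == "---":  # end of the chain block
            break
        m = _SUBJECT_RE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = _ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def common_name(dn: str) -> str:
    """Extract the CN from 'C = US, CN = X' (OpenSSL 1.1) or '/C=US/CN=X' (1.0)."""
    m = re.search(r"CN\s*=\s*([^,/]+)", dn)
    return m.group(1).strip() if m else dn


def classify_chain(chain: List[Tuple[str, str]]) -> str:
    """Map a parsed chain onto the situations discussed in the thread."""
    if not chain:
        return "no-chain"
    if len(chain) == 1:
        return "leaf-only"            # server points at cert.pem, not fullchain.pem
    last_subject, last_issuer = chain[-1]
    if common_name(last_issuer) == "DST Root CA X3":
        return "long-chain-dst"       # ISRG Root X1 cross-signed by DST Root CA X3
    if common_name(last_subject) == "R3" and common_name(last_issuer) == "ISRG Root X1":
        return "short-chain-isrg"     # what --preferred-chain "ISRG Root X1" produces
    return "other"


EXPLANATIONS = {
    "no-chain": "no 'Certificate chain' block in the output",
    "leaf-only": "only the leaf is served; point the web server at fullchain.pem",
    "long-chain-dst": "chain still ends in the DST Root CA X3 cross-sign",
    "short-chain-isrg": "chain ends at R3 issued by ISRG Root X1 (preferred chain in use)",
    "other": "not a Let's Encrypt chain layout this script recognises",
}


def report(s_client_output: str) -> str:
    """One-line verdict for a captured s_client transcript."""
    verdict = classify_chain(parse_chain(s_client_output))
    return f"{verdict}: {EXPLANATIONS[verdict]}"


# Constructed sample 1: the old-nginx.capuchin.co transcript quoted in the thread.
SAMPLE_LONG_CHAIN = """\
Certificate chain
 0 s:CN = old-nginx.capuchin.co
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
"""

# Constructed sample 2: the umeform.tookan.in transcript (OpenSSL 1.0 formatting).
SAMPLE_LEAF_ONLY = """\
depth=0 CN = umeform.tookan.in
verify error:num=21:unable to verify the first certificate
---
Certificate chain
0 s:/CN=umeform.tookan.in
i:/C=US/O=Let's Encrypt/CN=R3
---
"""

# Constructed sample 3: what a server sending the ISRG Root X1 chain looks like.
SAMPLE_SHORT_CHAIN = """\
Certificate chain
 0 s:CN = example.invalid
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
"""

if __name__ == "__main__":
    for sample in (SAMPLE_LONG_CHAIN, SAMPLE_LEAF_ONLY, SAMPLE_SHORT_CHAIN):
        print(report(sample))
```

To check a live host, capture the transcript with `openssl s_client -connect host:443 -servername host < /dev/null` and pass the text to report() instead of the samples; the parser only looks at the "Certificate chain" block, so the verify lines and the PEM dump that follow it are ignored.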

/usr/local/bin/certbot certonly --apache -d umeform.tookan.in --no-bootstrap -n --expand

Is this the right command?