Nginxproxy/acme-companion v.2.5.2 not creating correct certificate chain with verified DNS-01 challenge

heavenly · February 6, 2025, 8:27pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

heavenly.cl

I ran this command:

Run the acme-companion container with the proper environment variables such that a DNS challenge is used (via acme.sh and its dns_*.sh API providers), can force renew:

docker exec acme-companion /app/force_renew

Then trying to connect to my server locally:

curl -v -H 'Host: www.heavenly.cl' https://localhost

It produced this output:

Info: DNS challenge using  DNS API with the following keys: DO_API_KEY (default config)
Creating/renewal www.heavenly.cl certificates... (www.heavenly.cl)
[<time>] Using CA: https://acme-v02.api.letsencrypt.org/directory
[<time>] Using pre-generated key: /etc/acme.sh/admin@heavenly.cl/www.heavenly.cl/www.heavenly.cl.key.next
[<time>] Generating next pre-generate key.
[<time>] Single domain='www.heavenly.cl'
[<time>] Getting webroot for domain='www.heavenly.cl'
[<time>] www.heavenly.cl is already verified, skipping dns-01.
[<time>] Verification finished, beginning signing.
[<time>] Let's finalize the order.
[<time>] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/2197043925/351846440985'
[<time>] Downloading cert.
[<time>] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/041b13d91c5c8ec671d45c61f5805850cb46'
[<time>] Cert success.
<certificate>
[<time>] Installing cert to: /etc/nginx/certs/www.heavenly.cl/cert.pem
[<time>] Installing CA to: /etc/nginx/certs/www.heavenly.cl/chain.pem
[<time>] Installing key to: /etc/nginx/certs/www.heavenly.cl/key.pem
[<time>] Installing full chain to: /etc/nginx/certs/www.heavenly.cl/fullchain.pem
Reloading nginx proxy (nginx-proxy)...
<time> Generated '/etc/nginx/conf.d/default.conf' from 3 containers
<time> [notice] 52#52: signal process started
Reloading nginx proxy (nginx-proxy)...
<time> Contents of /etc/nginx/conf.d/default.conf did not change. Skipping notification ''
<time> [notice] 68#68: signal process started

So this has generated a certificate and the server started using it, then through curl, the response is:

*   Trying 127.0.0.1:443...
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /usr/lib/ssl/certs
* TLSv1.3 (IN), TLS alert, unrecognized name (624):
* OpenSSL/3.0.15: error:0A000458:SSL routines::tlsv1 unrecognized name
* Closing connection 0
curl: (35) OpenSSL/3.0.15: error:0A000458:SSL routines::tlsv1 unrecognized name

My web server is (include version):

nginxproxy v1.7, nginx 1.27.3

The operating system my web server runs on is (include version):

Linux 6.6.62+rpt-rpi-v8 Debian aarch64

My hosting provider, if applicable, is:

n/a, domain on nic.cl, nameservers on digital ocean, dynamic dns with noip

I can login to a root shell on my machine (yes or no, or I don't know):

yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

acme.sh v.3.1.0

In addition, checking the fullchain against letsencrypt-r3, letsencrypt-e1, and ISRG_X1 and ISRG_X2 there seems to be no sign of those there (am I checking wrong?)

MikeMcQ · February 6, 2025, 10:29pm

Try a curl like this:

curl https://www.heavenly.cl --resolve 'www.heavenly.cl:443:127.0.0.1'

MikeMcQ · February 6, 2025, 11:14pm

Sorry, missed that question ...

Yes, you are checking wrong The Intermediate that is the current second cert in fullchain.pem would not be any of those. And, you will never see the actual root certs (X1 and X2) in the chain returned by the Let's Encrypt server. For the current Intermediates and chains see: Chains of Trust - Let's Encrypt

R3 and E1 have not been used in some time. I am not sure what you are trying to validate but this should at least show cert details from your server

echo | openssl s_client -connect 127.0.0.1:443 --servername www.heavenly.cl | head -20

heavenly · February 7, 2025, 3:55pm

With your curl line, I got an error, but I corrected it to:

curl -v **https://**www.heavenly.cl --resolve 'www.heavenly.cl:443:127.0.0.1'

and got my site (output below)! So now I can discard certificate problems with my setup... onwards, I would think nginx is misconfigured somehow

* Added www.heavenly.cl:443:127.0.0.1 to DNS cache
* Hostname www.heavenly.cl was found in DNS cache
*   Trying 127.0.0.1:443...
* Connected to www.heavenly.cl (127.0.0.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /usr/lib/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=www.heavenly.cl
*  start date: Feb  6 19:09:22 2025 GMT
*  expire date: May  7 19:09:21 2025 GMT
*  subjectAltName: host "www.heavenly.cl" matched cert's "www.heavenly.cl"
*  issuer: C=US; O=Let's Encrypt; CN=R11
*  SSL certificate verify ok.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: www.heavenly.cl]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55ac5c87c0)
> GET / HTTP/2
> Host: www.heavenly.cl
> user-agent: curl/7.88.1
> accept: */*
> 
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200 
< server: nginx/1.27.3
< date: Fri, 07 Feb 2025 15:51:05 GMT
< content-type: text/html
< content-length: 9030
< last-modified: Thu, 06 Feb 2025 15:43:15 GMT
< etag: "67a4d893-2346"
< accept-ranges: bytes
< strict-transport-security: max-age=31536000
< 
<!DOCTYPE html>
<site content>
</html>
* Connection #0 to host www.heavenly.cl left intact

And about the certificates, I asked the AI chat as you do, and it suggested that my issued certificates would point to one of the source certificates in the chain, if it were correct, so I wanted to check that that was the case to determine if the certificate was correct after all.

MikeMcQ · February 7, 2025, 4:09pm

Sadly, AI chats are trained on stale data. A common problem when used for tech questions

system · March 10, 2025, 5:40am

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Acme-dns.service - Limited DNS server with RESTful HTTP API to handle ACME DNS challenges easily and securely Help	6	1552	December 18, 2021
Some challenges have failed Help	2	601	May 17, 2023
Certificate renewal is failing with DNS Challenge Help	20	2093	March 17, 2022
Issue failure after successful _acme-challenge Help	8	746	June 25, 2022
DNS Challenge Timeout Despite Text Record Correctly Lodging Help	3	630	October 19, 2023

Nginxproxy/acme-companion v.2.5.2 not creating correct certificate chain with verified DNS-01 challenge

Related topics