Node/Keystone.js - Help with NET::ERR_CERT_AUTHORITY_INVALID error

I am running into a problem where my node/keystonejs app returns a NET::ERR_CERT_AUTHORITY_INVALID error. I’ve been generating my certificates with certbot standalone:

sudo certbot certonly --standalone -w ~/letsencrypt -d www.domain.com

I followed this article regarding setting up keystonejs and letsencrypt and have tried debugging with the commands as outlined in the template below. I’m really lost in terms of how to go about fixing this problem, any help would be so greatly appreciated:

I ran this command:

echo | openssl s_client -connect www.domain.com:3001 -servername www.domain.com 2>/dev/null | awk '/Certificate chain/,/---/'

It produced this output:

Certificate chain
 0 s:/CN=www.domain.com
   i:/CN=Fake LE Intermediate X1
 1 s:/CN=Fake LE Intermediate X1
   i:/CN=Fake LE Root X1
---

My web server is (include version): Node - Keystone.js 4.0.0-beta.5

The operating system my web server runs on is (include version): 4.4.0-116-generic #140-Ubuntu SMP

My hosting provider, if applicable, is: Digital Ocean

I can login to a root shell on my machine (yes or no, or I don’t know): yes

That is the staging server.

Ok interesting. I’ve set my node environment to production which I’ve confirmed inside node, and when I requested the certificate, I didn’t use the --staging flag.

Sorry, but most threads I’ve seen have recommended simply completely purging letsencrypt, but I’m wondering if there’s a few more debugging steps I can try first?

edit: I’ve completely purged and reinstalled letsencrypt from my system, and am running into the same problem, where it always returns the Fake LE Intermediate

Consider:

https://github.com/keystonejs/keystone/blob/cc7c591570f497e5d679c7e1f21e0297a0e46e8e/server/initLetsEncrypt.js#L27

Are you running your server with NODE_ENV=production ?

Are you sure that Keystone/Greenlock has not saved the old certificate on disk? Can you do some printf debugging inside that file in your node_modules/ to see what values are being passed?

Based on my reading of the actual module, you should be able to do:

letsencrypt: {
  production: true,
  // the rest
}

which doesn’t agree with the [2 year old] blog post, but does seem to be the actual API.


Oh my goodness, YES. Thank you. I do not understand why this isn’t documented anywhere - I will send a note to the keystone team. This is the issue, which is odd as my NODE_ENV is definitely set to production. I also didn’t need to be issuing manual certificates as it was handled automatically.

So having wiped everything then making this adjustment, everything is finally working.

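A check for the symptom diagnosed in this thread, as an added example that is not part of any post above and not Keystone or Greenlock code: it parses the `Certificate chain` block printed by `openssl s_client` and flags issuers belonging to the Let's Encrypt staging CA. The function names and the embedded sample are constructed here, and the `(STAGING)` prefix goes beyond the `Fake LE` names shown in the thread to cover later staging chains.

```javascript
// Constructed sample: the chain block from the openssl s_client output in the thread.
const SAMPLE_CHAIN = [
  'Certificate chain',
  ' 0 s:/CN=www.domain.com',
  '   i:/CN=Fake LE Intermediate X1',
  ' 1 s:/CN=Fake LE Intermediate X1',
  '   i:/CN=Fake LE Root X1',
  '---',
].join('\n');

// Issuer CNs used by the Let's Encrypt staging CA: "Fake LE ..." as seen in
// the thread, and the "(STAGING) ..." prefix used by later staging chains.
const STAGING_CN = /^(Fake LE |\(STAGING\) )/;

// Pull the CN out of either "/CN=name" (OpenSSL 1.0.x) or "CN = name" (1.1+).
function commonName(dn) {
  const m = /(?:^|[\/,\s])CN\s*=\s*([^\/,]+)/.exec(dn);
  return m ? m[1].trim() : null;
}

// Parse the "Certificate chain" block into [{ depth, subject, issuer }].
function parseChain(text) {
  const chain = [];
  let inBlock = false;
  for (const line of text.split(/\r?\n/)) {
    if (/^Certificate chain/.test(line)) { inBlock = true; continue; }
    if (!inBlock) continue;
    if (/^---/.test(line)) break; // end of the chain block
    const subj = /^\s*(\d+)\s+s:\s*(.*)$/.exec(line);
    const iss = /^\s+i:\s*(.*)$/.exec(line);
    if (subj) chain.push({ depth: Number(subj[1]), subject: commonName(subj[2]), issuer: null });
    else if (iss && chain.length) chain[chain.length - 1].issuer = commonName(iss[1]);
  }
  return chain;
}

// Report whether any certificate in the chain was issued by the staging CA.
function checkChain(text) {
  const chain = parseChain(text);
  if (chain.length === 0) return { ok: false, reason: 'no certificate chain found', chain };
  const bad = chain.find((c) => c.issuer && STAGING_CN.test(c.issuer));
  return bad
    ? { ok: false, reason: `depth ${bad.depth} issued by staging CA "${bad.issuer}"`, chain }
    : { ok: true, reason: 'no staging issuer in chain', chain };
}

console.log(checkChain(SAMPLE_CHAIN).reason);
```

Feeding it the full output of the `openssl s_client` command from the first post works too, since everything outside the chain block is ignored.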
