mlr
November 18, 2019, 7:05pm
1
Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: access.paradigm4.com
I ran this command:
./certbot-auto certonly --standalone -d access.paradigm4.com
It produced this output:
Congratulations! Your certificate and chain have been saved at:
THEN I RAN
openssl verify -CAfile fullchain.pem cert.pem
cert.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
My web server is (include version):
I used "--standalone" so no web server
The operating system my web server runs on is (include version):
CentOS 7.4
My hosting provider, if applicable, is:
I can login to a root shell on my machine (yes or no, or I don’t know):
yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):
no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
certbot 0.40.1
rg305
November 18, 2019, 7:57pm
2
This should have worked.
Please show those actual file date/time stamps:
ls -l /etc/letsencrypt/archive/<certname>/
[do they match?]
mlr
November 19, 2019, 12:06am
3
The actual files are:
[root@access access.paradigm4.com ]# ls -l *2.pem
-rw-r--r--. 1 root root 1923 Nov 18 12:24 cert2.pem
-rw-r--r--. 1 root root 1647 Nov 18 12:24 chain2.pem
-rw-r--r--. 1 root root 3570 Nov 18 12:24 fullchain2.pem
-rw-------. 1 root root 1704 Nov 18 12:24 privkey2.pem
rg305
November 19, 2019, 12:10am
4
Try it in that folder:
openssl verify -CAfile fullchain2.pem cert2.pem
mlr
November 19, 2019, 12:41am
5
[root@access access.paradigm4.com ]# openssl verify -CAfile fullchain2.pem cert2.
cert2.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
mlr
November 19, 2019, 1:19am
6
I’m wondering if there is some ssl or crypt that needs updating?
Any thoughts?
rg305
November 19, 2019, 1:22am
7
Try:
yum install -y ca-certificates
Also:
update-ca-trust
update-ca-certificates
schoen
November 19, 2019, 1:23am
8
If you have or can install strace, you might try
strace -e open openssl verify -CAfile fullchain2.pem cert2.pem
to see whether openssl is successfully checking a local trusted CA bundle (and, if so, which one).
(@rg305 ’s suggestion may help fix things if, for some reason, this OS doesn’t have such a trusted CA bundle installed.)
rg305
November 19, 2019, 1:26am
9
I get:
yum install -y ca-certificates
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.mojohost.com
* epel: d2lzkl7pfhq30w.cloudfront.net
* extras: mirror.mojohost.com
* updates: mirror.mojohost.com
Package ca-certificates-2018.2.22-70.0.el7_5.noarch already installed and latest version
Nothing to do
mlr
November 19, 2019, 2:11pm
10
I don't see what CA bundle it's checking:
[root@vpn-server access.paradigm4.com ]# strace -e open openssl verify -CAfile fullchain2.pem cert2.pem
open("/etc/ld.so.cache", O_RDONLY) = 3
open("/usr/lib64/libssl.so.10", O_RDONLY) = 3
open("/lib64/libgssapi_krb5.so.2", O_RDONLY) = 3
open("/lib64/libkrb5.so.3", O_RDONLY) = 3
open("/lib64/libcom_err.so.2", O_RDONLY) = 3
open("/lib64/libk5crypto.so.3", O_RDONLY) = 3
open("/usr/lib64/libcrypto.so.10", O_RDONLY) = 3
open("/lib64/libdl.so.2", O_RDONLY) = 3
open("/lib64/libz.so.1", O_RDONLY) = 3
open("/lib64/libc.so.6", O_RDONLY) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY) = 3
open("/lib64/libkeyutils.so.1", O_RDONLY) = 3
open("/lib64/libresolv.so.2", O_RDONLY) = 3
open("/lib64/libpthread.so.0", O_RDONLY) = 3
open("/lib64/libselinux.so.1", O_RDONLY) = 3
open("/etc/pki/tls/legacy-settings", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 3
open("/proc/meminfo", O_RDONLY|O_CLOEXEC) = 3
open("fullchain2.pem", O_RDONLY) = 3
open("cert2.pem", O_RDONLY) = 3
cert2.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
error 2 at 1 depth lookup:unable to get issuer certificate
rg305
November 19, 2019, 4:33pm
11
You may have to include -CApath
[but first you have to find that path - lol]
You can also try: -show_chain
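Added example (not code from this thread or from certbot) showing what the "error 2 at 1 depth" result in posts 1, 5 and 10 means and what the -CApath / -show_chain suggestion above is getting at. It builds a throwaway root -> intermediate -> leaf PKI in a temp dir (all names, the access.example.net hostname and the 30-day lifetimes are made up), lays the files out the way certbot does (cert.pem, chain.pem, fullchain.pem), and then runs the thread's exact command shape next to the form that actually answers "does this leaf chain to a root I trust?". fullchain.pem contains the leaf and the intermediate but never the root, so handing it to -CAfile only works if the root is found somewhere else: the openssl verify app still adds its default -CApath hash directory when only -CAfile is given, which is one way the same command can pass on one host and fail on another without either host being "wrong". Which directory that is on a given build is reported by openssl version -d; note also that on newer glibc the file opens show up in strace as openat rather than open, so -e trace=open,openat is the safer filter.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a throwaway three-tier PKI
# (all names constructed) and reproduces the verify results discussed above.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/pki.cnf"

# Minimal OpenSSL config so nothing here depends on the host's openssl.cnf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:access.example.net
EOF

# EC keys for speed; RSA keys like the thread's verify identically.
gen_key_csr() {  # $1 = basename, $2 = subject CN
  openssl req -new -config "$CNF" -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 \
    -nodes -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" 2>/dev/null
}

make_pki() {
  # Self-signed root: the analogue of the root that fullchain.pem does not contain.
  openssl req -x509 -config "$CNF" -extensions v3_ca -newkey ec \
    -pkeyopt ec_paramgen_curve:prime256v1 -nodes -days 30 \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" -subj "/CN=Example Root CA" 2>/dev/null
  gen_key_csr inter "Example Intermediate CA"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions v3_ca -out "$WORK/inter.pem" 2>/dev/null
  gen_key_csr leaf access.example.net
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/inter.pem" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 30 -extfile "$CNF" -extensions v3_leaf -out "$WORK/cert.pem" 2>/dev/null
  # Same layout certbot writes: cert.pem, chain.pem (intermediate), fullchain.pem (leaf + intermediate).
  cp "$WORK/inter.pem" "$WORK/chain.pem"
  cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"
}

# The thread's command. The only anchor candidates are the leaf and the intermediate,
# neither of which is self-signed, so chain building stops at depth 1 with error 2
# (our root is in no system trust dir, so this fails on every host).
# Prints openssl's combined output and returns its exit status.
verify_fullchain_as_cafile() {
  openssl verify -CAfile "$WORK/fullchain.pem" "$WORK/cert.pem" 2>&1
}

# The check you actually want: intermediate supplied as -untrusted, only the root
# is an anchor, and -show_chain prints the path that was built.
verify_against_root() {
  openssl verify -show_chain -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" \
    "$WORK/cert.pem" 2>&1
}

# Where this openssl build looks for its default CA file/dir when none is given.
default_trust_dir() {
  openssl version -d
}

make_pki
echo "--- as in the thread:"; verify_fullchain_as_cafile || echo "(exit status $?)"
echo "--- against the root, intermediate untrusted:"; verify_against_root
echo "--- default trust location:"; default_trust_dir
```

For a real certbot lineage the equivalent of the second form is openssl verify -untrusted chain.pem -CAfile <your system bundle> cert.pem, with the bundle path taken from openssl version -d rather than guessed.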
mlr
November 20, 2019, 12:39am
12
So I copied the cert and fullchain to a computer outside our firewall and there it checks out OK.
I give up trying to find/install a proper ca-cert on our internal machines.
Now I am going to figure out how to install those certs on our openvpn server even though it can't validate them.
Thank you all for your help. It's taught me several tricks.
rg305
November 20, 2019, 12:52am
13
But you did.
[not where you would like to - but they do validate]
mlr
November 20, 2019, 1:18am
14
So let's close this thread.
Yes they validate, but the darn openvpn server won't install them because it can not validate them.
We know they are valid but openvpn doesn’t.
mlr
November 20, 2019, 1:25am
16
If you mean an update on forcing openvpn to take the certs... I'm still working on it.
openvpn doesn't use the public cert; it validates against the CA section of the .ovpn (VPN profile) file.
rg305
November 20, 2019, 1:26am
18
I meant: Are you running the latest patch?
Is this helpful:
mlr
November 20, 2019, 2:19am
19
This is openvpn_as and there is no .ovpn file
Thanks for suggesting
mlr
November 20, 2019, 2:21am
20
Yes thanks. 2.7.4
I went in and hand edited the config.db and put in the newer certs.
That worked. So I’m all set.
Again thanks for your time and for looking.
It's been a big help.