Problem with R3 expired

@TuXFire
Something has gone terribly wrong:

openssl s_client -connect tuxfire.ddns.net:443 -servername tuxfire.ddns.net
CONNECTED(00000005)
depth=1 C = US, O = Let's Encrypt, CN = R3
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = tuxfire.ddns.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---

That path hasn't been provided since May 2021.
I suspect that your renewal process, or web service, may have hard-coded chain information in it.
[hard-coding anything of this nature is destined for failure]

Let's have a look at the web servers' HTTPS vhost config for the FQDNs having this problem.

So what should I do exactly?

locate emby | grep ssl

/opt/emby-server/etc/ssl
/opt/emby-server/etc/ssl/certs
/opt/emby-server/etc/ssl/certs/ca-certificates.crt
/opt/emby-server/lib/libssl.so
/opt/emby-server/lib/libssl.so.1.1
/var/lib/emby/ssl
/var/lib/emby/ssl/cert_54522e99effc77b8a5bc7ed2e196033b.pfx
/var/lib/emby/ssl/cert_8c4736fa62700595c6e767fc7588ce1c.pfx
/var/lib/emby/ssl/cert_9c31b7884ea5475c8687970fc5996297.pfx
/var/lib/emby/ssl/cert_af27e90a8b0c648430c4ca720bcb60cf.pfx
/var/lib/emby/ssl/emby.pfx

This seems up-to-date

This might not be:

Either look for an update/verify it is up-to-date OR maybe you can upload this file and we can check on how to manually alter it.


ca-certificates.crt.txt (196.9 KB)


That was quick!
Did you even look for an update?


How can I do that?
I did the command:

update-ca-certificates

Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
Updating Mono key store
/etc/ca-certificates/update.d/mono-keystore: 10: /usr/bin/cert-sync: not found
Done
done.


It seems up-to-date:

## Certificate data from Mozilla as of: Tue May 25 03:12:05 2021 GMT

ISRG Root X1
============
-----BEGIN CERTIFICATE-----

So if it's up to date what could be the cause of the problem?

I know less than you do about emby (if that is what is serving the web content...)
Please show:
sudo netstat -pant | grep -Ei 'nginx|apache|httpd|:80|:443'


What is Kestrel?

curl -Iki https://tuxfire.ddns.net
HTTP/2 302
date: Mon, 04 Oct 2021 10:28:58 GMT
location: web/index.html
server: Kestrel

netstat -pant | grep -Ei 'nginx|apache|httpd|:80|:443'
tcp 0 0 0.0.0.0:8096 0.0.0.0:* LISTEN 93725/EmbyServer
tcp 0 0 192.168.1.100:8096 192.168.1.10:47044 ESTABLISHED 93725/EmbyServer
tcp 0 0 192.168.1.100:8096 192.168.1.10:47030 ESTABLISHED 93725/EmbyServer
tcp 0 0 192.168.1.100:8096 192.168.1.10:46272 ESTABLISHED 93725/EmbyServer

By default Emby uses port 8096 for http and port 8920 for https
netstat -pant | grep -Ei 'nginx|apache|httpd|:8920|:443'
tcp 0 0 0.0.0.0:8920 0.0.0.0:* LISTEN 93725/EmbyServer
tcp 0 0 192.168.1.100:8920 37.165.7.84:25754 TIME_WAIT -
tcp 0 0 192.168.1.100:8920 192.241.198.231:48090 SYN_RECV -
tcp 0 0 192.168.1.100:8920 37.165.7.84:25757 ESTABLISHED 93725/EmbyServer

I don't know. Absolutely no idea.

Well that makes two of us.
I know where the problem is: Kestrel/EmbyServer
But I have no further information for you on how to proceed.

locate Kestrel
/opt/dotnet/shared/Microsoft.AspNetCore.App/3.1.0/Microsoft.AspNetCore.Server.Kestrel.Core.dll
/opt/dotnet/shared/Microsoft.AspNetCore.App/3.1.0/Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll
/opt/dotnet/shared/Microsoft.AspNetCore.App/3.1.0/Microsoft.AspNetCore.Server.Kestrel.dll
/opt/emby-server/system/Microsoft.AspNetCore.Server.Kestrel.Core.dll
/opt/emby-server/system/Microsoft.AspNetCore.Server.Kestrel.Transport.Sockets.dll
/opt/emby-server/system/Microsoft.AspNetCore.Server.Kestrel.dll

Kestrel is the web server, it seems.

Yes; as shown by the signature:

curl -Iki https://tuxfire.ddns.net
HTTP/2 302
date: Mon, 04 Oct 2021 11:01:12 GMT
location: web/index.html
server: Kestrel

What info do you need to help me?

@TuXFire
I can't help you any further.
This is not an LE problem.
You need to find some support with Kestrel.
Their configuration files need to be checked/updated.

What exactly do I need to search for in the config files?

@tux
There will likely be some lines with either "cert" or "ssl" in them.
Or "pfx".
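
Added example, not part of any post in this thread: a shell filter that reads `openssl s_client` output like the one at the top of the thread and flags a served chain in which R3 is issued by DST Root CA X3. The function names and both embedded samples are constructed for illustration; the first sample copies the chain shown above, the second assumes the R3 certificate issued by ISRG Root X1.

```shell
#!/bin/sh
# check_chain: read `openssl s_client` output on stdin.
# Exit status: 0 = old path absent, 1 = R3 issued by DST Root CA X3 is served,
#              2 = no "Certificate chain" section in the input.
check_chain() {
    awk '
        /^Certificate chain/        { in_chain = 1; seen = 1; next }
        in_chain && /^---/          { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/  { subj = $0; sub(/^ *[0-9]+ s:/, "", subj); next }
        in_chain && /^ *i:/ {
            iss = $0; sub(/^ *i:/, "", iss)
            printf "subject: %s\n  issuer: %s\n", subj, iss
            # Tolerates both "CN = R3" and the older "/CN=R3" name format.
            if (subj ~ /CN ?= ?R3$/ && iss ~ /CN ?= ?DST Root CA X3$/) bad = 1
        }
        END {
            if (!seen) { print "no certificate chain section found"; exit 2 }
            if (bad)   { print "RESULT: server sends R3 issued by DST Root CA X3"; exit 1 }
            print "RESULT: old R3 path not present"
        }
    '
}

# Constructed sample: the chain section quoted at the top of the thread.
sample_old() {
    cat <<'EOF'
CONNECTED(00000005)
---
Certificate chain
 0 s:CN = tuxfire.ddns.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
EOF
}

# Constructed sample: same leaf, with R3 issued by ISRG Root X1.
sample_new() {
    cat <<'EOF'
---
Certificate chain
 0 s:CN = tuxfire.ddns.net
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
---
EOF
}

sample_old | check_chain || true
```

Against a live server, pipe the command from the first post into it: `openssl s_client -connect tuxfire.ddns.net:443 -servername tuxfire.ddns.net </dev/null 2>/dev/null | check_chain`.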