Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com ), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is: gw.tssi.com
I ran this command: certbot --apache
It produced this output:
Firefox and Edge both report unknown issuer on certificate (It is using the fullchain.pem)
My web server is (include version): Apache 2.4.37-43
The operating system my web server runs on is (include version): CentOS Stream 8 (current release)
My hosting provider, if applicable, is: na
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of `certbot --version` or `certbot-auto --version` if you're using Certbot): certbot 1.21.0
Welcome to the Let's Encrypt Community, Mike
The two-certificate chain I see being served for gw.tssi.com over port 443 consists of two self-signed (snake oil) certificates. It does not appear that the Let's Encrypt certificate chain issued two hours ago is actually installed in your Apache configuration.
https://decoder.link/sslchecker/gw.tssi.com/443
https://crt.sh/?q=gw.tssi.com
Ah, I see the problem: the conf.d/ssl.conf file still had the default entries. Apparently the --apache option doesn't update that file.
I'm getting a valid certificate now.
You don't need to acquire another certificate. You just need to install the one you have into Apache.
I can help you with that if you wish.
What are the outputs of:
```
sudo apachectl -S
sudo ls -lRa /etc/apache2
```
Please put 3 backticks above and below each output, like this:
```
output
```
Certbot usually expects custom Apache VirtualHosts to be in separate configuration files rather than the default configuration files.
Sorry, what I meant was that the browser is showing a valid certificate now.
Apparently Apache uses the data in conf.d/ssl.conf over the data in conf/httpd-le-ssl.conf.
Apache will use the first definition for an ip:port:hostname combination. That's why it's important to check `sudo apachectl -S` for conflicts.
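The conflict check described above can be automated. This is an added example, not part of the original thread or of Certbot: it parses `apachectl -S` output and reports every hostname defined more than once on the same listener, along with which definition is listed first. The sample output, hostname `gw.example.com`, and line numbers are constructed.

```python
import re
import sys
from collections import defaultdict

# Constructed sample of `apachectl -S` output (hostname and line numbers are
# made up). It mirrors this thread: the same name is defined twice on port
# 443 and the stock ssl.conf definition is listed first.
SAMPLE = """\
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server gw.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost gw.example.com (/etc/httpd/conf.d/ssl.conf:56)
         port 443 namevhost gw.example.com (/etc/httpd/conf/httpd-le-ssl.conf:2)
*:80                   gw.example.com (/etc/httpd/conf/httpd.conf:356)
ServerRoot: "/etc/httpd"
"""

LISTENER = re.compile(r"^(\S+:\d+)\s+is a NameVirtualHost")
NAMEVHOST = re.compile(r"^\s+port \d+ namevhost (\S+) \((.+):(\d+)\)")

def find_conflicts(text):
    """Return {(listener, servername): [(file, line), ...]} for each name
    defined more than once on a listener, in the order Apache lists them.
    The first entry is the definition Apache uses; the rest are shadowed."""
    defs = defaultdict(list)
    listener = None
    for raw in text.splitlines():
        m = LISTENER.match(raw)
        if m:
            listener = m.group(1)
            continue
        m = NAMEVHOST.match(raw)
        if m and listener:
            key = (listener, m.group(1).lower())
            defs[key].append((m.group(2), int(m.group(3))))
        elif raw and not raw[0].isspace():
            listener = None  # left the indented block for this listener
    return {k: v for k, v in defs.items() if len(v) > 1}

if __name__ == "__main__":
    # Pipe real output in (sudo apachectl -S | python3 this_file.py),
    # or run with no pipe to see the constructed sample analysed.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for (listener, name), where in find_conflicts(text).items():
        print(f"{name} on {listener}: used {where[0][0]}:{where[0][1]}")
        for path, line in where[1:]:
            print(f"  shadowed: {path}:{line}")
```

If the shadowed entry is the one that points at the Let's Encrypt `fullchain.pem`, the browser will keep seeing the certificate from the first definition.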
Ah. That makes sense. Yep. Looks good now!
Closed by system on January 5, 2022, 6:40pm
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.