SEC_ERROR_UNKNOWN_ISSUER using lightttpd


#1

Seems SEC_ERROR_UNKNOWN_ISSUER issues are fairly common, and I’ve read a lot of threads here but still not nailed my problem. So let me share it and see if anyone here has clues. Essentially I’m using lightttpd and certbot and here’s what I got:

certbot certonly --standalone --preferred-challenges http -d leaderboard.space

Which ran fine and produced:

weaver@Arachne:/etc/letsencrypt/live/leaderboard.space $ ll
total 7
-rw-r--r-- 1 weaver www-data  543 Sep 14 05:11 README
lrwxrwxrwx 1 weaver www-data   41 Sep 14 05:11 cert.pem -> ../../archive/leaderboard.space/cert1.pem
lrwxrwxrwx 1 weaver www-data   42 Sep 14 05:11 chain.pem -> ../../archive/leaderboard.space/chain1.pem
lrwxrwxrwx 1 weaver www-data   46 Sep 14 05:11 fullchain.pem -> ../../archive/leaderboard.space/fullchain1.pem
lrwxrwxrwx 1 weaver www-data   44 Sep 14 05:11 privkey.pem -> ../../archive/leaderboard.space/privkey1.pem

then I’ve combined the privkey and cert:

cat privkey.pem cert.pem > combined.pem

then I’ve configured lighttd:

$HTTP["host"] =~ "(leaderboard.space|arachne.lan)" {
	server.name             = "leaderboard.space"
	server.document-root    = "/var/www/html/leaderboard.space"

	$SERVER["socket"] == ":443" {
		ssl.engine              = "enable"
		ssl.ca-file             = "/etc/letsencrypt/live/leaderboard.space/chain.pem"
		ssl.pemfile             = "/etc/letsencrypt/live/leaderboard.space/combined.pem"
		ssl.honor-cipher-order  = "enable"
		ssl.use-sslv2           = "disable"
		ssl.use-sslv3           = "disable"
	}

	url.rewrite-once = ( "^/favicon\.ico$" => "/static/favicon.ico" )

	$HTTP["url"] !~ "^/static/" {
		scgi.protocol = "uwsgi"
		scgi.server = ( "/" => (( "socket" => "/var/run/lighttpd/uwsgi.socket-0", "check-local" => "disable")), )
	}
}

And what this now produces on a web browser is the SEC_ERROR_UNKNOWN_ISSUER error and this extra info:

https://leaderboard.space/

Peer’s Certificate issuer is not recognized.

HTTP Strict Transport Security: false
HTTP Public Key Pinning: false

Certificate chain:

-----BEGIN CERTIFICATE-----
MIIDUzCCAjugAwIBAgIJAPqNA/ft7T6FMA0GCSqGSIb3DQEBCwUAMEAxCzAJBgNV
BAYTAkNaMQ8wDQYDVQQIDAZQcmFndWUxDzANBgNVBAcMBlByYWd1ZTEPMA0GA1UE
CgwGVHVycmlzMB4XDTE3MDMyODEyMzExNloXDTM3MDMyMzEyMzExNlowQDELMAkG
A1UEBhMCQ1oxDzANBgNVBAgMBlByYWd1ZTEPMA0GA1UEBwwGUHJhZ3VlMQ8wDQYD
VQQKDAZUdXJyaXMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDvbWl/
Rz04G0E+rJO4miLVVd7X3dxeqZXRtgHt1RgXWmq8LWqkM/zbE0kHkc4hi5Qnl4+K
UEXpAKGEN+iBkDsrMGCAzIqUXQaN7jTGNmoTFifWEsgOhra/iWjTWC8pW47U3P6X
0HhT/2XVbMs5FMJHaSnlUWeDxlpE01UKxfFwLqO1p9FD3oK4ExO5jaMjL34wCGxD
RKdWXR+v9a5DxTIuGrWIIIxr/S4Xo0UqrePV364cFGHoEna7gyH0YyxQxNS/l4T1
R9qoEV4KaAdGnDFB5sTINU6JLHygwsowKfBWOMgNRdlbG9o0KjoOb3rxmdF3PnCi
ztM5Hy9OertO3QhNAgMBAAGjUDBOMB0GA1UdDgQWBBRNi8Gm32uEBPX9F49vBVu1
UiWl6TAfBgNVHSMEGDAWgBRNi8Gm32uEBPX9F49vBVu1UiWl6TAMBgNVHRMEBTAD
AQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCSHUX32zTfP7zywC/9u2KltyFsR88xZQM2
JJKYHbntL0f7+pC8qHAtSbR8PnjUgype4QNNPfRABY7WEuE0uPmvNhS7+WvER9XG
fUxYD9VH9d5AFLRPgDrBrhiv4Hi68kbaRDKktAnAI1nu4ScBRJTN4xLm44OQ4B+C
vdh/CDdazYMzmcxJGotoed6dx6VKvBzFsaU7xTUOKFQi6ofNKeI3mLppVWDUI7Br
FvQl0DnpWeY3vMewYsVsvtAGwZQYQbzCG/gxrXwhvL9izy+wBKEVovPTTfsggWwr
m6dKWjUPGFDUSijDtIExwHdL+soDiLqEqoVgO6h1LDXC+voRQ7h8
-----END CERTIFICATE-----

I can see that others agree the issuer is self:

https://decoder.link/sslchecker/leaderboard.space/443

and yet tested locally:

$ openssl x509 -in /etc/letsencrypt/live/leaderboard.space/cert.pem -issuer -noout
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

I can see the issuer clearly identified!

So what is going wrong? Why do they think I’m self-signed and not trust letsencrypt?

:-(. All pointers here appreciated.

Thanks kindly in advance.


#2

This will be either a problem with how you’ve configured lighttpd or some other device on your network that steps in the way between the Internet and your lighttpd server.

The bogus certificate says “Turris” on it, and I see that Turris is the name of some sort of home network “defence” project. Is it possible you have installed something to “protect” your network and it is having this undesirable effect?


#3

Spot on! Thanks for the quick reply. There is a Turris Omnia between the web server and the WAN. And it has a firewall running and lighttpd that is forwarding to the webserver. Alas I am momentarily clueless as to where to look on that router for what is going on. But what you are suggesting is there’s an intervention of sorts in the certificate delivery., I’ll move this over to the Omnia forums now and see what I can turn up!


#4

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.