Seems SEC_ERROR_UNKNOWN_ISSUER issues are fairly common, and I’ve read a lot of threads here but still not nailed my problem. So let me share it and see if anyone here has clues. Essentially I’m using lighttpd and certbot and here’s what I got:
certbot certonly --standalone --preferred-challenges http -d leaderboard.space
Which ran fine and produced:
weaver@Arachne:/etc/letsencrypt/live/leaderboard.space $ ll
total 7
-rw-r--r-- 1 weaver www-data 543 Sep 14 05:11 README
lrwxrwxrwx 1 weaver www-data 41 Sep 14 05:11 cert.pem -> ../../archive/leaderboard.space/cert1.pem
lrwxrwxrwx 1 weaver www-data 42 Sep 14 05:11 chain.pem -> ../../archive/leaderboard.space/chain1.pem
lrwxrwxrwx 1 weaver www-data 46 Sep 14 05:11 fullchain.pem -> ../../archive/leaderboard.space/fullchain1.pem
lrwxrwxrwx 1 weaver www-data 44 Sep 14 05:11 privkey.pem -> ../../archive/leaderboard.space/privkey1.pem
then I’ve combined the privkey and cert:
cat privkey.pem cert.pem > combined.pem
then I’ve configured lighttpd:
$HTTP["host"] =~ "(leaderboard.space|arachne.lan)" {
    server.name = "leaderboard.space"
    server.document-root = "/var/www/html/leaderboard.space"
    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.ca-file = "/etc/letsencrypt/live/leaderboard.space/chain.pem"
        ssl.pemfile = "/etc/letsencrypt/live/leaderboard.space/combined.pem"
        ssl.honor-cipher-order = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
    }
    url.rewrite-once = ( "^/favicon\.ico$" => "/static/favicon.ico" )
    $HTTP["url"] !~ "^/static/" {
        scgi.protocol = "uwsgi"
        scgi.server = ( "/" => (( "socket" => "/var/run/lighttpd/uwsgi.socket-0", "check-local" => "disable")), )
    }
}
And what this now produces on a web browser is the SEC_ERROR_UNKNOWN_ISSUER error and this extra info:
Peer’s Certificate issuer is not recognized.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: false
Certificate chain:
I can see that others agree the issuer is self:
https://decoder.link/sslchecker/leaderboard.space/443
and yet tested locally:
$ openssl x509 -in /etc/letsencrypt/live/leaderboard.space/cert.pem -issuer -noout
issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
I can see the issuer clearly identified!
So what is going wrong? Why do they think I’m self-signed and not trust letsencrypt?
:-(. All pointers here appreciated.
Thanks kindly in advance.
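A quick way to pin down this kind of mismatch is to compare the SHA-256 fingerprint of the certificate actually presented on port 443 with the fingerprints of cert.pem and combined.pem on disk. This is an added diagnostic script, not code from the post or from certbot/lighttpd; it uses only the Python standard library, and the host name and file paths are assumptions taken from the post.

```python
"""Compare the certificate a TLS server presents with the one certbot wrote.
Stdlib only. Host, port and paths are assumptions taken from the post."""
import hashlib
import re
import ssl

CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def extract_certs(pem_text: str) -> list:
    """Return every CERTIFICATE block in a PEM file, in file order.
    Works on cert.pem, fullchain.pem and a combined key+cert file alike."""
    return CERT_RE.findall(pem_text)


def fingerprint(pem_cert: str) -> str:
    """SHA-256 over the DER bytes of one PEM certificate (what browsers show)."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.sha256(der).hexdigest()


def file_fingerprints(path: str) -> list:
    with open(path, encoding="ascii") as fh:
        return [fingerprint(c) for c in extract_certs(fh.read())]


def served_fingerprint(host: str, port: int = 443) -> str:
    """Fetch the leaf certificate presented at host:port. No validation is done,
    so a self-signed or foreign certificate is returned rather than rejected."""
    return fingerprint(ssl.get_server_certificate((host, port)))


def diagnose(served: str, local_leaf: str, combined_leaf: str) -> str:
    """Narrow down where the mismatch is from three fingerprints."""
    if served == local_leaf:
        return "ok: port 443 serves certbot's cert.pem"
    if local_leaf != combined_leaf:
        return "combined.pem holds a different cert than cert.pem; rebuild it"
    return "port 443 is not serving combined.pem: another vhost or service answers"


if __name__ == "__main__":  # assumed host and paths from the post
    live = "/etc/letsencrypt/live/leaderboard.space/"
    leaf = file_fingerprints(live + "cert.pem")[0]
    comb = file_fingerprints(live + "combined.pem")[0]
    srv = served_fingerprint("leaderboard.space")
    print(diagnose(srv, leaf, comb))
```

Run it from a host that can reach the server on 443; it only reports which file (if any) matches what is served and does not check whether chain.pem is sent as the intermediate.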