[Solved] Beta, No trusted certificate


#1

I have installed the certificate on my Debian Root, with Apache 2, but get the message that the certificate isn’t trusted:

http://imageshack.com/i/panuZAcEp
http://imageshack.com/i/p7O1mfyBp


#2

Hi, you have installed the wrong Root CA in your chain. You need the cross signed root.
Use https://letsencrypt.org/certs/isrgrootx1.pem


#3

I have used the auto install; what do I need to do with this file?


#4

Did you use the --server https://acme-v01.api.letsencrypt.org/directory option?


#5

I have used this command (the mail says I should use “--server https://acme-v01.api.letsencrypt.org/directory”):

./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -d www.anzahcloud.de -d anzahcloud.de -t

#6

Any ideas? Please help me :)


#7

Maybe you should only state one domain (-d anzahcloud.de; and it will return a cert for the domain both with and w/o www). If this doesn’t work, you can try manually generating a CSR with SAN.
Also, could you post a letsencrypt run with --debug?


#8

I have now used "./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -d anzahcloud.de -t"
https://www.ssllabs.com/ssltest/analyze.html?d=anzahcloud.de&latest still tells me that I have only a cert for anzahcloud.de, not for www.anzahcloud.de.
The cert looks like the screens in my first post.

with --debug
the .log: http://pastebin.com/a891Wm1h

The virtualhost.conf
http://pastebin.com/DtCs8rRc


#9

What does -t do?
->extra characters for 20 chat limit<-


#10

(Not an answer to your problem, just a general remark)
An easier way to get cert info: openssl x509 -in $MY_CERT -noout -text (essentially, if you don’t see a domain in either CN or SAN blocks, the cert is not for that domain).
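
The check from the post above as a script, added here as an example (not code from the thread or from the Let's Encrypt client): it reads `openssl x509 -noout -text` output and reports which hostnames the certificate covers, consulting the CN only when there are no SAN DNS names. The function names are made up for this example; the embedded lines are the Subject and SAN lines of the dump in post #17.

```shell
#!/bin/sh
# san_names FILE: DNS names from the SAN extension of an `openssl x509 -text` dump.
san_names() {
  awk '/X509v3 Subject Alternative Name/ { getline; print; exit }' "$1" |
    tr ',' '\n' | sed -n 's/^ *DNS: *//p'
}

# subject_cn FILE: subject CN ("CN=x" or "CN = x", depending on OpenSSL version).
subject_cn() {
  sed -n 's|^ *Subject:.*CN *= *\([^,/]*\).*|\1|p' "$1" | head -n 1
}

# name_matches CERTNAME HOST: exact match, or a leading "*." standing for
# exactly one label (*.example.test covers www.example.test, not example.test).
name_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  [ "$pat" = "$host" ] && return 0
  case $pat in
    '*.'*) [ "$host" != "${host#*.}" ] && [ "${host#*.}" = "${pat#??}" ] ;;
    *) return 1 ;;
  esac
}

# cert_covers FILE HOST: check the SAN names; fall back to the CN only when
# the certificate carries no SAN DNS names.
cert_covers() {
  names=$(san_names "$1")
  [ -n "$names" ] || names=$(subject_cn "$1")
  while IFS= read -r cand; do
    name_matches "$cand" "$2" && return 0
  done <<EOF
$names
EOF
  return 1
}

# Subject and SAN lines as they appear in the dump in post #17 of this thread.
DUMP=$(mktemp)
cat > "$DUMP" <<'EOF'
        Subject: CN=anzahcloud.de
            X509v3 Subject Alternative Name:
                DNS:anzahcloud.de
EOF

for h in anzahcloud.de www.anzahcloud.de; do
  if cert_covers "$DUMP" "$h"; then echo "$h: covered"
  else echo "$h: not covered (name mismatch)"; fi
done
```

On a live file, feed it the real dump: `openssl x509 -in cert.pem -noout -text > dump.txt`, then `cert_covers dump.txt www.example.test`.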


#11

Couldn’t find better docs than the actual code:
https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/cli.py#L807


#12

Err, your pastebin links seem to have expired.


#13

What is the curses UI? I have never seen this thing cursing at me, or is that this pseudo-GUI?


#14

Yes. Another example of it is alsamixer.


#15

Or the terminal version of yast in opensuse. But there’s a problem in curses: there’s no space between the window border, which seems to consist of letters, and the text you write.
I think the border should be made using lines anyway.


#16

That sounds more like an implementation problem than a general curses one.
Anyway, this is getting offtopic-y.


#17

openssl x509 -in /etc/letsencrypt/live/anzahcloud.de/cert.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:41:9e:cf:d8:17:8d:ba:df:60:87:28:a4:96:ae:04:cc:90
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Validity
            Not Before: Nov  9 12:01:00 2015 GMT
            Not After : Feb  7 12:01:00 2016 GMT
        Subject: CN=anzahcloud.de
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                B6:60:39:63:C5:AE:33:14:76:2A:9B:BE:84:40:C8:97:FC:13:B6:1E
            X509v3 Authority Key Identifier:
                keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

            Authority Information Access:
                OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
                CA Issuers - URI:http://cert.int-x1.letsencrypt.org/

            X509v3 Subject Alternative Name:
                DNS:anzahcloud.de
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
                  User Notice:
                    Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/


#18

And another thing to check the chain:

  1. Download Let’s Encrypt Authority X1 (IdenTrust cross-signed)
  2. openssl verify -CAfile /tmp/lets-encrypt-x1-cross-signed.pem $MY_CERT

This should yield either OK (for OK) or error 20 (for the chain problems @tlussnig is talking about).

P.S. Don’t forget to update your pastebin links.


#19

I have updated the links and set an expiry of 2 weeks again.

openssl verify -CAfile /tmp/lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/anzahcloud.de/cert.pem
/etc/letsencrypt/live/anzahcloud.de/cert.pem: OK


#20

That seems related to your issue. cat /tmp/lets-encrypt-x1-cross-signed.pem >> $YOUR_CERT should have the same effect.
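
What `openssl verify` reports with and without the intermediate, as an added example that is not part of the thread: it builds a throwaway root, intermediate and leaf with constructed names and models a client that trusts only the root. `issue` and `verify_result` are helper names invented here, and the script needs the `openssl` command-line tool.

```shell
#!/bin/sh
# Throwaway PKI: Demo Root -> Demo Intermediate -> leaf. All names are
# constructed; nothing here is a Let's Encrypt certificate.

# issue NAME SUBJECT EXTFILE [CA_NAME]: create key and cert in $PKI;
# self-signed when no CA_NAME is given.
issue() {
  openssl genrsa -out "$PKI/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -subj "$2" -out "$PKI/$1.csr" 2>/dev/null
  if [ -n "$4" ]; then
    openssl x509 -req -in "$PKI/$1.csr" -days 2 -extfile "$3" \
      -CA "$PKI/$4.pem" -CAkey "$PKI/$4.key" -CAcreateserial \
      -out "$PKI/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$PKI/$1.csr" -days 2 -extfile "$3" \
      -signkey "$PKI/$1.key" -out "$PKI/$1.pem" 2>/dev/null
  fi
}

# verify_result ARGS...: run `openssl verify` and print "OK" or "error N".
# The text is parsed because old OpenSSL releases exit 0 even on failure.
verify_result() {
  out=$(openssl verify "$@" 2>&1)
  case $out in
    *'error '[0-9]*)
      printf '%s\n' "$out" |
        sed -n 's/.*\(error [0-9][0-9]*\) at.*/\1/p' | head -n 1 ;;
    *': OK'*) echo OK ;;
    *) echo unknown ;;
  esac
}

PKI=$(mktemp -d)
printf 'basicConstraints=critical,CA:TRUE\n' > "$PKI/ca.ext"
printf 'subjectAltName=DNS:example.test\n' > "$PKI/leaf.ext"
issue root '/CN=Demo Root' "$PKI/ca.ext"
issue int '/CN=Demo Intermediate' "$PKI/ca.ext" root
issue leaf '/CN=example.test' "$PKI/leaf.ext" int

# Only the leaf is presented: the issuer cannot be found (error 20).
verify_result -CAfile "$PKI/root.pem" "$PKI/leaf.pem"
# Leaf plus intermediate, as when the intermediate is served alongside the cert.
verify_result -CAfile "$PKI/root.pem" -untrusted "$PKI/int.pem" "$PKI/leaf.pem"
```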