I have installed the certificate on my Debian Root, with Apache 2, but get the message that the certificate isn’t trusted:
http://imageshack.com/i/panuZAcEp
http://imageshack.com/i/p7O1mfyBp
Hi, you have installed the wrong Root CA in your chain. You need the cross signed root.
Use https://letsencrypt.org/certs/isrgrootx1.pem
I have used the auto install; what do I need to do with this file?
Did you use the --server https://acme-v01.api.letsencrypt.org/directory option?
I have used this command (the mail says I should use “--server https://acme-v01.api.letsencrypt.org/directory”):
./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -d www.anzahcloud.de -d anzahcloud.de -t
Any ideas? Please help me.
Maybe you should only state one domain (-d anzahcloud.de; and it will return a cert for the domain both with and w/o www). If this doesn’t work, you can try manually generating a CSR with SAN.
Also, could you post a letsencrypt run with --debug?
I have now used "./letsencrypt-auto --agree-dev-preview --server https://acme-v01.api.letsencrypt.org/directory auth -d anzahcloud.de -t"
https://www.ssllabs.com/ssltest/analyze.html?d=anzahcloud.de&latest still tells me that I have only a cert for anzahcloud.de, not for www.anzahcloud.de
The cert looks like the screens in my first post.
with --debug
the .log: http://pastebin.com/a891Wm1h
The virtualhost.conf
http://pastebin.com/DtCs8rRc
what does -t do?
->extra characters for 20 chat limit<-
(Not an answer to your problem, just a general remark)
An easier way to get cert info: openssl x509 -in $MY_CERT -noout -text
(essentially, if you don’t see a domain in either CN or SAN blocks, the cert is not for that domain).
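The CN/SAN check from the post above, as an added example that is not part of the original thread: it reads the text printed by `openssl x509 -noout -text` and reports whether a hostname is covered. The function names and the sample dump are constructed for illustration, and wildcard handling goes beyond the single case discussed here.

```python
import re

# Constructed excerpt in the layout printed by `openssl x509 -noout -text`,
# using the domain from this thread (a certificate issued for the apex only).
SAMPLE_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
        Subject: CN=anzahcloud.de
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:anzahcloud.de
"""

def cert_dns_names(text):
    """Return (subject CN, list of SAN dNSName entries) from the text dump."""
    cn = None
    subject = re.search(r"^\s*Subject:(.*)$", text, re.MULTILINE)
    if subject:
        # Older OpenSSL prints "CN=name", newer prints "CN = name".
        m = re.search(r"CN\s*=\s*([^,/\n]+)", subject.group(1))
        cn = m.group(1).strip().lower() if m else None
    sans = []
    lines = text.splitlines()
    for i, line in enumerate(lines):
        # The SAN values sit on the line after the extension header.
        if "Subject Alternative Name" in line and i + 1 < len(lines):
            sans = [e.strip()[4:].lower() for e in lines[i + 1].split(",")
                    if e.strip().startswith("DNS:")]
    return cn, sans

def name_matches(pattern, host):
    """Exact match, or a wildcard standing for exactly one leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def covers(text, host):
    """SAN entries decide; the CN is only a fallback when no SAN is present."""
    cn, sans = cert_dns_names(text)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(c, host) for c in candidates)
```

Feed it the real dump with `openssl x509 -in $MY_CERT -noout -text` captured to a string; a certificate that lists only the apex name does not cover the `www` name.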
Couldn’t find better docs than the actual code:
https://github.com/letsencrypt/letsencrypt/blob/master/letsencrypt/cli.py#L807
Err, your pastebin links seem to have expired.
What is the curses UI? I have never seen this thing cursing at me, or is that this pseudo-GUI?
Yes. Another example of it is alsamixer.
Or the terminal version of YaST in openSUSE. But there’s a problem in curses: there’s no space between the window border, which seems to consist of letters, and the text you write.
I think the border should be made using lines anyway.
That sounds more like an implementation problem than a general curses one.
Anyway, this is getting offtopic-y.
openssl x509 -in /etc/letsencrypt/live/anzahcloud.de/cert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
01:41:9e:cf:d8:17:8d:ba:df:60:87:28:a4:96:ae:04:cc:90
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X1
Validity
Not Before: Nov 9 12:01:00 2015 GMT
Not After : Feb 7 12:01:00 2016 GMT
Subject: CN=anzahcloud.de
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
B6:60:39:63:C5:AE:33:14:76:2A:9B:BE:84:40:C8:97:FC:13:B6:1E
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1
Authority Information Access:
OCSP - URI:http://ocsp.int-x1.letsencrypt.org/
CA Issuers - URI:http://cert.int-x1.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:anzahcloud.de
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/
Signature Algorithm: sha256WithRSAEncryption
And another thing to check the chain:
openssl verify -CAfile /tmp/lets-encrypt-x1-cross-signed.pem $MY_CERT
Should either yield OK (for OK) or error 20 (for the problems with the chain that @tlussnig talks about).
P.S. Don’t forget to update your pastebin links.
I have updated the links and set an expiry of 2 weeks again.
openssl verify -CAfile /tmp/lets-encrypt-x1-cross-signed.pem /etc/letsencrypt/live/anzahcloud.de/cert.pem
/etc/letsencrypt/live/anzahcloud.de/cert.pem: OK
That seems related to your issue. cat /tmp/lets-encrypt-x1-cross-signed.pem >> $YOUR_CERT should have the same effect.