"unable to get local issuer certificate" with curl

Hi!

I fetched new certificates using ACMEfetch, which worked pretty well the last years.

My domain is: lenim.myown-it.com

Firefox is fine (the page is intentionally empty), curl gives an error:

$ curl -Lo - https://lenim.myown-it.com
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

My web server is (include version): Apache 2.4.6

The operating system my web server runs on is (include version): CentOS 7

I can login to a root shell on my machine (yes or no, or I don't know): yes

This is the relevant part of the Apache vhost config:

ServerName lenim.myown-it.com

ErrorLog /var/log/httpd/lenim.myown-it.com/error.log
CustomLog /var/log/httpd/lenim.myown-it.com/access.log combined

RewriteEngine On

SSLEngine On
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-   AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128- GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-   AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:     AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

Header add Strict-Transport-Security "max-age=31536000"

SSLCertificateFile /etc/letsencrypt/lenim.myown-it.com.crt
SSLCertificateKeyFile /etc/letsencrypt/lenim.myown-it.com.key

Any help is highly appreciated.

Cheers

Dirk

1 Like

You're not sending the intermediate certificate. While clients can build a chain up to a valid root without an intermediate (with aid of cached intermediates from other sites for example), it's recommended to configure your webserver to send the correct intermediate.

See the chain info from openssl s_client -connect lenim.myown-it.com:443:

CONNECTED(00000003)
depth=0 CN = lenim.myown-it.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = lenim.myown-it.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = lenim.myown-it.com
   i:C = US, O = Let's Encrypt, CN = R3
---
(...)

Please consult the documentation of ACMEfetch on how to handle intermediate certificates.

2 Likes

Thank you for the heads up.
It seems strange but the following works for me:

SSLCertificateFile /etc/letsencrypt/lenim.myown-it.com.crt
SSLCertificateKeyFile /etc/letsencrypt/lenim.myown-it.com.key
SSLCertificateChainFile /etc/letsencrypt/lenim.myown-it.com.crt
2 Likes

You're running Apache 2.4.6 which requires SSLCertificateChainFile (2.4.8 and higher can load the intermediate from a file with a concatenation of the cert and intermediate with a single SSLCertificateFile directive). Perhaps your lenim.myown-it.com.crt contains the cert and intermediate in one file and perhaps Apache 2.4.6 is smart enough to extract the intermediate with SSLCertificateChainFile? I don't know.

In any case you're sending the intermediate now indeed, which was the goal :slight_smile:

1 Like

I think you are right. The Apache version is too old to deliver all in one go.

Nevertheless it works now.

Thanks a lot for your support.

2 Likes