Unable to get local issuer certificate

Hello!

Verifying a certificate gives an error:
openssl s_client -CApath /etc/ssl/certs/ -connect amimanera.de:443
unable to get local issuer certificate

In Apache the following is specified:
SSLCertificateFile /etc/letsencrypt/live/amimanera.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/amimanera.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/amimanera.de/chain.pem

When verifying the cert of another server with similar Apache settings, the output is fine.
I don’t understand the reason why the verification fails.

Both servers run CentOS 7.

Andreas

Hi @porrier

Checking your domain, you can see the problem: https://check-your-website.server-daten.de/?q=amimanera.de

Your IPv4 has the complete chain - your certificate and the Let's Encrypt intermediate certificate.

Your IPv6 has only your certificate, the Let's Encrypt certificate is missing.

So you have different configurations for IPv4 and IPv6. Use your IPv4 as a template to fix your IPv6.


And not only for your chain issue: your whole TLS configuration differs a lot. The cipher suites enabled for IPv6 aren’t very good, for example. See https://www.ssllabs.com/ssltest/analyze.html?d=amimanera.de for more info.


You should also pass -servername amimanera.de to send the SNI extension like modern clients do, or else you'll get the default certificate.


They fixed this in OpenSSL 1.1.1 so it's set automatically.

(But OP will need to do it anyway since CentOS 7 is stuck on 1.0.2).

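The two checks suggested in the replies above (compare what IPv4 and IPv6 serve, and send SNI explicitly) can be combined into one script. This is an added example, not code from any poster in the thread; the function names and the sample `s_client` excerpts are constructed for illustration.

```shell
# Count the certificates listed in the "Certificate chain" section of
# `openssl s_client` output read from stdin (one " N s:" line per certificate).
chain_depth() {
    awk '/^Certificate chain/       { in_chain = 1; next }
         in_chain && /^---/         { in_chain = 0 }
         in_chain && /^ *[0-9]+ s:/ { n++ }
         END                        { print n + 0 }'
}

# $1 = host, $2 = 4 or 6. Sends SNI explicitly with -servername.
# The -4/-6 switches need OpenSSL 1.1.0 or newer (not the 1.0.2 on CentOS 7).
served_depth() {
    openssl s_client -"$2" -connect "$1:443" -servername "$1" \
        </dev/null 2>/dev/null | chain_depth
}

# Succeeds only when both address families serve the same number of
# certificates; a family that cannot be reached counts as 0.
compare_families() {
    v4=$(served_depth "$1" 4)
    v6=$(served_depth "$1" 6)
    echo "IPv4: $v4 certificate(s), IPv6: $v6 certificate(s)"
    [ "$v4" -eq "$v6" ]
}

# Constructed s_client excerpts: leaf plus intermediate, and leaf only.
sample_full_chain() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=host.example
   i:/O=Example CA/CN=Example Intermediate
 1 s:/O=Example CA/CN=Example Intermediate
   i:/O=Example CA/CN=Example Root
---
Server certificate
EOF
}
sample_leaf_only() {
    cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=host.example
   i:/O=Example CA/CN=Example Intermediate
---
Server certificate
EOF
}
```

After sourcing the file, `compare_families amimanera.de` prints both depths and returns non-zero when they differ, which is the situation described for this domain (intermediate present on IPv4, missing on IPv6).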
