Unable to use my cert in the terminal

So to begin, I am self hosting an instance of pihole.

I have a domain name which I shall call pi.example.com

And I made my cert by running the command sudo certbot --manual certonly --preferred-challenges dns which all went fine.

I then merged the privkey.pem and cert.pem from the /etc/letsencrypt/live/pi.example.com/ directory to make a combined.pem

then added this to my lighttpd.conf file

    #Loading openssl
    server.modules += ( "mod_openssl" )

    setenv.add-environment = ("fqdn" => "true")
    $SERVER["socket"] == ":443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/etc/lighttpd/combined.pem"
        ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
    }

Now this is where my issue arrives. I have an application which relies on the website, and when it's run using curl
I get this output when running with -v:

    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: /etc/ssl/certs/ca-certificates.crt
    *  CApath: /etc/ssl/certs
    * TLSv1.3 (OUT), TLS handshake, Client hello (1):
    * TLSv1.3 (IN), TLS handshake, Server hello (2):
    * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
    * TLSv1.3 (IN), TLS handshake, Certificate (11):
    * TLSv1.3 (OUT), TLS alert, unknown CA (560):
    * SSL certificate problem: unable to get local issuer certificate
    * Closing connection 0
    curl: (60) SSL certificate problem: unable to get local issuer certificate
    More details here: https://curl.se/docs/sslcerts.html

I have tried to install the Let's Encrypt root CA, which seemed to do nothing, most likely since it was already installed, and various other things, which have all given me the same result.

I'm very new to SSL and certs and don't really know what I am doing, but I'm trying to learn. I've been trying to fix this issue for a while with no luck.

Hope you can provide me with some help or some suggestions to lead me in the right direction.

Thanks.

1 Like

Hello @MyCertisnotworking, welcome to the Let's Encrypt community. :slightly_smiling_face:

You can find a comparison of various free ACME CAs here: Free ACME CA Comparison - Posh-ACME

You can find the Lighttpd forum and wiki here.

1 Like

I'd try accessing the site with OpenSSL.
If that works, then curl might not be using the latest ca-certificates file.
If that also fails, then we should have a look at that output as well and make sure the Pi has been fully updated.

2 Likes

You'll want to use fullchain.pem instead of cert.pem for this step.

3 Likes

I generally do not like this type of configuration, although some (more often embedded) web servers seem to need it.

1 Like

I'm not certain the error produced by such a difference would match the one shown.
Ideally, that would just cause additional client lookups, but should not fail in this way.
[it might just be wishful thinking on my part... What year is this again? Don't we have "smart things" yet?]

2 Likes

When connecting with the openssl command to pi.example.com:443 I get a whole cert but this error message throughout:

    verify error:num=20:unable to get local issuer certificate

The computer is fully updated and I have tried on multiple PCs

So merge privkey and fullchain?

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Thank you for assisting us in helping YOU!

1 Like

Just for a little more info I was following this guide Enabling HTTPS for your Pi-hole Web Interface - Community How-to's - Pi-hole Userspace

lighttpd: 1.4.59
OS: Raspberry Pi OS Bullseye 64bit arm64
I can get a root shell
No control panel other than Pihole, but everything I have been doing is in the terminal
certbot 1.12.0

I do NOT like merging the privatekey with anything else!
I consider it bad practice.

1 Like

"unable to get local issuer certificate" is the expected error from OpenSSL when an intermediate is missing. Curl/OpenSSL does not download intermediates on the fly as browsers sometimes do.

Yes. Ideally you'd want to keep both separated, but some stupid services like lighttpd require this unfortunately. By using fullchain.pem instead of cert.pem you'll instruct lighttpd to also serve the intermediate certs.
Scratch that, lighttpd can also use a separate file:

    ssl.pemfile = "/path/to/fullchain.pem"  # public cert and intermediate cert chain, if any
    ssl.privkey = "/path/to/privkey.pem"

Please use the above with the existing files instead of combining them :slight_smile: See Docs SSL - Lighttpd - lighty labs for more info.

5 Likes
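As an added diagnostic (not code from the thread or from lighttpd): the first function checks a PEM file the way you would before setting ssl.pemfile, telling a leaf-only cert.pem apart from fullchain.pem and flagging a merged private key; the second connects with Python's ssl module, which like curl does not fetch intermediates on the fly, and maps OpenSSL verify code 20 to the missing-chain explanation above. The sample PEM blocks are constructed placeholders, not real certificates or keys.

```python
import re
import socket
import ssl

# One PEM block: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----.*?-----END (?P=label)-----", re.S)


def inspect_pem_bundle(pem_text: str) -> dict:
    """cert.pem holds only the leaf; fullchain.pem adds the intermediate(s).
    A PRIVATE KEY block means the key was merged in (use ssl.privkey instead)."""
    labels = [m.group("label") for m in PEM_BLOCK.finditer(pem_text)]
    certs = labels.count("CERTIFICATE")
    has_key = any(label.endswith("PRIVATE KEY") for label in labels)
    if certs == 0:
        verdict = "no certificate found"
    elif certs == 1:
        verdict = ("leaf only (cert.pem?): clients that do not fetch "
                   "intermediates fail with 'unable to get local issuer "
                   "certificate'; use fullchain.pem")
    else:
        verdict = "leaf plus intermediate chain (fullchain.pem): OK"
    if has_key:
        verdict += "; private key is bundled, move it to ssl.privkey"
    return {"certificates": certs, "has_private_key": has_key,
            "verdict": verdict}


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect like curl does (system CA bundle, no AIA fetching) and
    translate OpenSSL verify code 20 into the likely server-side fix."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return f"verified OK over {tls.version()}"
    except ssl.SSLCertVerificationError as err:
        if err.verify_code == 20:  # X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
            return ("verify error 20: server is probably serving only the "
                    "leaf; set ssl.pemfile to fullchain.pem")
        return f"verify error {err.verify_code}: {err.verify_message}"


# Constructed sample blocks (placeholders, not real certificates or keys).
CERT_PEM = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
FULLCHAIN_PEM = CERT_PEM + (
    "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n")
COMBINED_PEM = ("-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
                + CERT_PEM)
```

Run probe_tls("pi.example.com") against your own host to reproduce what curl -v reported, and inspect_pem_bundle(open(path).read()) on the file you point ssl.pemfile at.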

And what about

1 Like

This seems to have fixed the entire issue, I guess that guide which seems to be the most popular is faulty in some way.

By not combining them, it seems to have resolved it.

curl https://pi.example.com/admin/api.php?status -v

My command which I wanted to run is now working and it shows all the TLS that went through.

Thanks everyone for the help and really quick replies!

3 Likes

To be clear:
Did you NOT combine them AND change cert.pem to fullchain.pem?

3 Likes

I had combined them originally, but following the suggestion not to, and to keep them separate, the configuration in lighttpd

    ssl.pemfile = "/path/to/fullchain.pem"  # public cert and intermediate cert chain, if any
    ssl.privkey = "/path/to/privkey.pem"

has fixed my issue.

5 Likes
