Multiple sources confirm that the certificate chain for my domain co2avatar.org is seen as incomplete.
I cannot understand why, or how to debug this; also, I am not an admin and have not worked much with certificates yet.
Error messages for openssl s_client -connect co2avatar.org:443 -servername co2avatar.org -showcerts:
CONNECTED(00000003)
depth=0 CN = sustainable-data-platform.org
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = sustainable-data-platform.org
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:CN = sustainable-data-platform.org
i:C = US, O = Let's Encrypt, CN = R3
# [... SNIP ...]
Server certificate
subject=CN = sustainable-data-platform.org
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2581 bytes and written 431 bytes
Verification error: unable to verify the first certificate
For curl -v co2avatar.org:
* Connected to co2avatar.org (85.214.38.88) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
SSLLabs shows similar results: Chain issues: Incomplete
One guess was that my Apache configuration is broken. But I have verified that I am using this in all <VirtualHost *:443> sections:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/co2-avatar.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/co2-avatar.com/privkey.pem
All, but /etc/letsencrypt/options-ssl-apache.conf, which should not be changed AFAIK.
Now I am lost: the fullchain.pem file exists and contains three certificates. How can I check that the chain in there is right? And the server seems to deliver it, but how can I check whether Apache is delivering the right file?
The .pem files have been created by certbot renew, and the latest command was certbot certonly --cert-name co2-avatar.com -d sustainable-data-platform.org,co2avatar.org{,some-more.domains}
Do you need to see some certbot configuration?
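The two checks asked for above (is the chain in fullchain.pem in the right order, and does the server send that same chain?) can be done with a small POSIX shell helper. This is an added example, not code from the original post or from certbot: it splits a PEM bundle into its certificates, prints each subject and issuer in file order, and checks that every certificate's issuer is the subject of the certificate that follows it (leaf first, then intermediates); a companion function collects the chain the server actually sends so the two listings can be compared line by line. The path and hostname in the usage comments are the ones from the question; openssl on PATH is assumed, and the served-chain function additionally assumes network access to the server.

```shell
#!/bin/sh
# Added example (not from the original post): inspect a PEM bundle such as
# fullchain.pem and compare it with the chain a server actually sends.
# Assumes openssl on PATH; served_chain_summary also needs network access.

# Split bundle $1 into $2-0.pem, $2-1.pem, ... in the order the certificates
# appear in the file.
split_pem() {
  awk -v prefix="$2" '
    BEGIN                         { n = 0; out = "" }
    /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; n++ }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# Print one "index|subject|issuer" line per certificate in bundle $1.
chain_summary() {
  dir=$(mktemp -d)
  split_pem "$1" "$dir/cert"
  i=0
  while [ -f "$dir/cert-$i.pem" ]; do
    subj=$(openssl x509 -noout -subject -in "$dir/cert-$i.pem" | sed 's/^subject=//')
    iss=$(openssl x509 -noout -issuer -in "$dir/cert-$i.pem" | sed 's/^issuer=//')
    printf '%s|%s|%s\n' "$i" "$subj" "$iss"
    i=$((i + 1))
  done
  rm -rf "$dir"
}

# Return 0 when bundle $1 is in the order TLS expects: the first certificate
# is the leaf and every later certificate is the issuer of the one before it.
# Signatures are not checked here; "openssl verify" does that part.
chain_is_ordered() {
  summary=$(mktemp)
  chain_summary "$1" > "$summary"
  expected=""
  rc=0
  while IFS='|' read -r idx subj iss; do
    if [ -n "$expected" ] && [ "$subj" != "$expected" ]; then
      echo "certificate $idx has subject '$subj' but the previous issuer was '$expected'" >&2
      rc=1
    fi
    expected=$iss
  done < "$summary"
  rm -f "$summary"
  return $rc
}

# Same "index|subject|issuer" listing for the chain server $1 sends on
# port 443 with SNI set to $1 (the chain a browser or curl would see).
served_chain_summary() {
  tmp=$(mktemp)
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$tmp"
  chain_summary "$tmp"
  rm -f "$tmp"
}

# Usage (path and hostname from the question):
#   chain_summary /etc/letsencrypt/live/co2-avatar.com/fullchain.pem
#   chain_is_ordered /etc/letsencrypt/live/co2-avatar.com/fullchain.pem && echo ordered
#   served_chain_summary co2avatar.org
```

If the file listing shows three certificates in order but the served listing shows only the leaf, Apache is not sending that fullchain.pem for this hostname (for example another VirtualHost or another SSLCertificateFile directive is winning for that SNI name), which is exactly the "unable to get local issuer certificate" symptom in the curl and openssl output above.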