Hi,
Since my latest certificate renewal I'm getting issues with intermediate certificates.
I first noticed it when fetchmail started complaining of :
fetchmail: webbox.itbox.co.za key fingerprint: 32:EE:04:9A:99:7E:E5:A9:22:BB:F6:24:1D:7F:18:D1
fetchmail: webbox.itbox.co.za fingerprints match.
fetchmail: Server certificate verification error: unable to get local issuer certificate
fetchmail: Broken certification chain at: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Trying to verify the certificates on the server says:
root@webbox:~# openssl verify /etc/letsencrypt/live/www.analize.co.za/cert.pem
CN = www.analize.co.za
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/www.analize.co.za/cert.pem: verification failed
root@webbox:~# openssl verify /etc/letsencrypt/live/www.analize.co.za/fullchain.pem
CN = www.analize.co.za
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/www.analize.co.za/fullchain.pem: verification failed
My domain is: www.analize.co.za
I ran this command:
openssl verify /etc/letsencrypt/live/www.analize.co.za/fullchain.pem
It produced this output:
CN = www.analize.co.za
error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/letsencrypt/live/www.analize.co.za/fullchain.pem: verification failed
Browsing the web sites on the server seems fine.
My web server is (include version): Apache 2.4.25-3+deb9u9
The operating system my web server runs on is (include version): Debian 9
My hosting provider, if applicable, is: n/a
I can login to a root shell on my machine (yes or no, or I don't know): Yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No
The version of my client is (e.g. output of certbot --version
or certbot-auto --version
if you're using Certbot): certbot 1.9.0