Unable to verify the first certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:
sandbox.torawallet.gr

I ran this command:
openssl s_client -connect api.sandbox.torawallet.gr:443 -servername api.sandbox.torawallet.gr

It produced this output:
CONNECTED(00000003)
depth=0 CN = sandbox.torawallet.gr
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = sandbox.torawallet.gr
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:CN = sandbox.torawallet.gr
i:C = US, O = Let's Encrypt, CN = R3

Server certificate
subject=CN = sandbox.torawallet.gr

issuer=C = US, O = Let's Encrypt, CN = R3


No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 1918 bytes and written 403 bytes
Verification error: unable to verify the first certificate

New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 21 (unable to verify the first certificate)

closed

My web server is (include version):
nginx/1.10.3

The operating system my web server runs on is (include version):
Distributor ID: Debian
Description: Debian GNU/Linux 9.1 (stretch)
Release: 9.1
Codename: stretch

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):
yes

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):


v2.8.7
3 Likes

Hi @Eledrin

your server doesn't send the intermediate certificate.

If you have used cert.pem, use fullchain.pem instead.

4 Likes
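What that fix looks like in nginx, as an added illustration rather than the poster's actual configuration: the certificate file paths are assumed placeholders, and the only change is which PEM bundle `ssl_certificate` points at.

```nginx
# Before: cert.pem holds only the leaf certificate, so nginx sends no
# intermediate (Let's Encrypt R3) and clients report
# "unable to verify the first certificate" (verify error num=21).
server {
    listen 443 ssl;
    server_name api.sandbox.torawallet.gr;

    ssl_certificate     /path/to/certs/cert.pem;      # leaf only (assumed path)
    ssl_certificate_key /path/to/certs/privkey.pem;   # assumed path
}

# After: fullchain.pem is leaf + intermediate, in that order, so the
# client receives the whole chain and can build a path to the ISRG root
# already present in its trust store.
server {
    listen 443 ssl;
    server_name api.sandbox.torawallet.gr;

    ssl_certificate     /path/to/certs/fullchain.pem; # leaf + intermediate (assumed path)
    ssl_certificate_key /path/to/certs/privkey.pem;   # assumed path
}

# Check and reload (run as root):
#   nginx -t && nginx -s reload
# Then confirm the chain is served; depth=1 for the R3 intermediate
# should now appear and "Verify return code: 0 (ok)" at the end:
#   openssl s_client -connect api.sandbox.torawallet.gr:443 \
#       -servername api.sandbox.torawallet.gr -showcerts </dev/null
```

Because the renewal client rewrites fullchain.pem together with cert.pem, pointing nginx at fullchain.pem also picks up any future change of intermediate automatically after the reload.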

Hi @JuergenAuer,

Thanks for the immediate reply!

I changed the conf file to use the fullchain and it works!

Just a few quick questions:

  1. Is there a reason it has recently stopped working? Up until now it was working fine with the "cert" one.
  2. Will the acme renewal have problems with this configuration? It does renew the fullchain as well but just wondering.
  3. Shouldn't the dpkg-reconfigure ca-certificates command deal with the ca.cert? If I explicitly set it in my command it works fine. If not...

Again, thanks for the immediate reply.

2 Likes

The intermediate certificate has changed. So your system may have sent the wrong certificate.

No idea, I don't use acme.sh.

1 Like

As with any ACME client, each renewal will obtain the latest chain.

That package should also contain the latest trusted roots.
If the OpenSSL running in your system must be prompted with the latest file, then it doesn't know where to get that file.
[and that problem has nothing to do with anything any of your clients would normally experience]

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.