After struggling for a while, I finally got LE to issue the certificates I wanted, but they don’t seem to validate. That is, if I run “openssl s_client -connect dw.cameron.edu” I get the following.
depth=1 /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
I’m working with an Apache 2.2.3 server. When the certs were generated, I received four files: cert1.pem, chain1.pem, fullchain1.pem, and privkey1.pem. The private key was easy to install. My server has a ca.pem file that holds the certificate chain and a localhost.crt file that holds the certificate. I have tried installing the cert two different ways (well, actually as many ways as I can think of, but these are the main ones). I copied the fullchain1.pem file over to the ca.cert file and removed the bottom cert and moved it into the localhost.crt file. That didn’t work. I also tried copying the chain1.crt into ca.pem and cert1.pem into localhost.crt. The Apache settings are below.
Why can’t my server validate these certs?
OpenSSL’s s_client doesn’t use a root bundle for verification by default. If you’re verifying with the tool, make sure to include the “-CAfile” parameter and point it to the location of the root bundle on your system. The location can vary by distribution, but it’s usually under /etc/ssl, /etc/tls, or /etc/pki somewhere. In CentOS, it’s under /etc/pki/tls/certs/ca-bundle.crt, for example.
Alternately, gnutls-cli works well and automatically uses the system root store to verify certificate chains. Likewise, ncat (included as part of nmap) also supports verifying certificate chains.
Your server is correctly configured. You can also use an online scanner to verify this. https://www.ssllabs.com/ssltest/analyze.html?d=dw.cameron.edu&hideResults=on&latest
So others can benefit, below are some screenshots.
A) Download the Mozilla CA Root Cert bundle from here: https://curl.haxx.se/ca/cacert.pem
B) Place it in a folder (I have used a folder called LE_TRAINING)
C) run as you have
openssl s_client -connect dw.cameron.edu:443
D) Run with the CA Root Cert Bundle
openssl s_client -connect dw.cameron.edu:443 -CAfile .\MOZILLA_ROOT_BUNDLE.pem
E) There is one other test I recommend you do with OpenSSL and that is to check SNI behaviour
openssl s_client -connect dw.cameron.edu:443 -CAfile .\MOZILLA_ROOT_BUNDLE.pem -servername dw.cameron.edu
Hope this helps. I would also suggest that you review Mozilla's TLS Server Guidelines, as you have some weak ciphers on your server.
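The three s_client checks from steps C to E, plus an offline check of the issued files, wrapped into a small script. This is an added example, not code from the thread; the bundle path and the cert1.pem/chain1.pem names are assumptions you should adjust for your system.

```shell
#!/bin/sh
# Added example (not from the thread). Repeats the checks described above:
# s_client without a root bundle, with -CAfile, then with -CAfile and SNI,
# and verifies the issued files locally. Paths below are assumptions.

# Pull the numeric "Verify return code" out of s_client output.
# 0 means the chain validated against the bundle given; 20 is
# "unable to get local issuer certificate", which is what s_client reports
# when it has no root bundle to chain up to.
verify_code() {
    printf '%s\n' "$1" | sed -n 's/^ *Verify return code: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Connect to $1:443. $2 is a root bundle path or empty; $3 non-empty sends SNI.
probe() {
    host=$1; bundle=$2; sni=$3
    set -- -connect "$host:443"
    [ -n "$bundle" ] && set -- "$@" -CAfile "$bundle"
    [ -n "$sni" ] && set -- "$@" -servername "$host"
    openssl s_client "$@" </dev/null 2>&1
}

# Offline check of the files Let's Encrypt issued: $3 (cert1.pem) must chain
# through the intermediates in $2 (chain1.pem) to a root in the bundle $1.
# Prints "<cert>: OK" when the chain is complete.
verify_local_chain() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

# Report the verify code for the three probes the thread walks through.
# Expect 20 for the first line and 0 for the other two when the server is fine.
check_host() {
    host=$1; bundle=$2
    echo "no bundle : $(verify_code "$(probe "$host" '' '')")"
    echo "bundle    : $(verify_code "$(probe "$host" "$bundle" '')")"
    echo "bundle+SNI: $(verify_code "$(probe "$host" "$bundle" 1)")"
}

# Usage (CentOS bundle path taken from the first answer; hypothetical file paths):
#   check_host dw.cameron.edu /etc/pki/tls/certs/ca-bundle.crt
#   verify_local_chain /etc/pki/tls/certs/ca-bundle.crt chain1.pem cert1.pem
```

If check_host shows 0 only with SNI, Apache is serving a different default certificate for connections without a server name.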