Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
My domain is:
I ran this command:
openssl s_client -connect vadim.com.ru:443 -servername vadim.com.ru
It produced this output:
root@ul18ipv46:/var/tmp/trash# openssl s_client -connect vadim.com.ru:443 -servername vadim.com.ru
depth=0 O = TrueNAS (Nextcloud), CN = localhost
verify error:num=20:unable to get local issuer certificate
depth=0 O = TrueNAS (Nextcloud), CN = localhost
verify error:num=21:unable to verify the first certificate
0 s:O = TrueNAS (Nextcloud), CN = localhost
i:O = TrueNAS (Nextcloud), CN = TrueNAS (Nextcloud) local Root CA
subject=O = TrueNAS (Nextcloud), CN = localhost
My web server is (include version): nginx 1.20.1
The operating system my web server runs on is (include version): TrueNAS-12.0-U5.1
My hosting provider, if applicable, is: self
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.18.0
Maybe I've missed it, but do you have a specific question for the Community?
My bad - I am trying to figure out what's wrong with this certificate and how I can fix it? It also impacts my onlyoffice install in Nextcloud with a similar error. Pretty sure it has to do with this error too: Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes)
It's a self signed certificate, probably generated by your NAS itself.
how I can fix it?
What do you want?
I'm guessing a Let's Encrypt certificate, but you're not explicitly stating/asking that.
Where does that error come from?
This is a cert from Let's Encrypt generated by certbot. I obviously want to fix the issue and get rid of this error so I will have a working SSL connection, and the last error comes from onlyoffice in the Nextcloud install. I've read a few similar topics with the same error but they are not very relevant to my case.
No, it's not:
It maybe wasn't a self-signed certificate, but it surely isn't a Let's Encrypt certificate!
I can see you've issued a LE cert fairly recently:
crt.sh | vadim.com.ru
However, for some reason your Nextcloud software isn't using it. How did you acquire the LE certificate last Thursday? You said certbot, but what exact command did you use? Including all the command line options please.
certbot --nginx -d vadim.com.ru - then I entered my e-mails - went through some screens with questions, it failed a few times but then finally worked.
certbot renew --dry-run - came back error
Well it must be a Nextcloud cert then
Ok, so let's check a few things. First, let's check if certbot still has the certificate laying around with the following command:
sudo certbot certificates
It should output your certificate.
Next, let's see the nginx configuration with the command:
sudo nginx -T
Could you please post the contents of /usr/local/etc/letsencrypt/live/truenas/fullchain.pem? It should not contain any private key, just certificates.
Well, that's weird.. That's the TrueNAS Nextcloud certificate.
It seems that darn piece of #)*$()# software just overwrote the certbot certificate? Assuming you didn't do that
Could you perhaps also post the chain.pem from that same directory? Let's check if those files were kept unharmed.
No, I didn't. There is no cert.pem file in the truenas folder but there is one in /vadim.com.ru though. I will post it just in case.
cert.pem.txt (1.8 KB)
chain.pem (1.2 KB)
Ooohh, wait, I didn't see that just now! My bad.
Ah yes, that's your Let's Encrypt certificate! That's good.
chain.pems are from Nextcloud, they're probably from the truenas folder (which I didn't notice, so sorry about that).
Can you also post chain.pem from the /vadim.com.ru/ folder? Just to make sure everything is OK there.. And in case those files are all fine, could you also post the contents of /usr/local/etc/letsencrypt/renewal/vadim.com.ru.conf? Because we need to fix two things: your Nextcloud and your certbot for renewal.
Sure - here you go
chain.pem (3.7 KB)
renew_before_expiry = 30 days
version = 1.18.0
archive_dir = /usr/local/etc/letsencrypt/archive/vadim.com.ru
cert = /usr/local/etc/letsencrypt/live/vadim.com.ru/cert.pem
privkey = /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem
chain = /usr/local/etc/letsencrypt/live/vadim.com.ru/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem
Options used in the renewal process
account = 41e216181510ed12c1199f2c3d63b7e4
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory
fullchain.pem (5.5 KB)
chain.pem is looking good. However, the upload of fullchain.pem for some reason didn't work properly. And
Your renewal configuration looks sane, let's upload cert.pem and fullchain.pem again just to make sure.
Hmm, nevermind fullchain.pem, you can download the not-working "figure": it's fullchain.pem
Hm, curious.. Your fullchain.pem seems to be broken. The FINAL line with:
seems to be missing a single dash:
Maybe it'll fix your certbot certificates problem!
And for your nextcloud: change the following lines:
And reload nginx.
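As an added example that is not part of the original thread: a small Python check for the kind of damage diagnosed above, a PEM boundary line in fullchain.pem with the wrong number of dashes. The function name `lint_pem` and the sample text are constructed for illustration; the base64 body is a placeholder, not a real certificate.

```python
import re
import sys

# A valid boundary is exactly five dashes, BEGIN or END, a label, five dashes.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def lint_pem(text):
    """Return a list of (line_number, problem) for malformed PEM armor."""
    problems = []
    open_label, open_line, blocks = None, 0, 0
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()              # tolerate trailing spaces and CR
        if "-" not in line:
            continue                     # base64 body lines never contain '-'
        m = BOUNDARY.match(line)
        if m is None:
            problems.append((n, "malformed boundary line: %r" % line))
            continue
        kind, label = m.groups()
        if kind == "BEGIN":
            if open_label is not None:
                problems.append((n, "BEGIN inside block opened at line %d" % open_line))
            open_label, open_line = label, n
        elif open_label != label:
            problems.append((n, "END %s without matching BEGIN" % label))
            open_label = None
        else:
            blocks += 1
            open_label = None
    if open_label is not None:
        problems.append((open_line, "block never closed"))
    if blocks == 0 and not problems:
        problems.append((0, "no PEM blocks found"))
    return problems

# Constructed sample: two placeholder certificate blocks, as in a fullchain.pem.
SAMPLE_GOOD = "\n".join([
    "-----BEGIN CERTIFICATE-----", "QUJDREVGR0g=", "-----END CERTIFICATE-----",
    "-----BEGIN CERTIFICATE-----", "QUJDREVGR0g=", "-----END CERTIFICATE-----",
]) + "\n"
# Same file with one dash dropped from the final line.
SAMPLE_BROKEN = SAMPLE_GOOD.rstrip("\n")[:-1] + "\n"

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    found = lint_pem(text)
    for lineno, problem in found:
        print("line %d: %s" % (lineno, problem))
    sys.exit(1 if found else 0)
```

Given a path as its first argument the script checks that file and exits non-zero if any boundary line is malformed or unbalanced; with no argument it checks the constructed broken sample.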