Verify error:num=20:unable to get local issuer certificate

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: vadim.com.ru

I ran this command: openssl s_client -connect vadim.com.ru:443 -servername vadim.com.ru

It produced this output:

root@ul18ipv46:/var/tmp/trash#  openssl s_client -connect vadim.com.ru:443 -servername vadim.com.ru
CONNECTED(00000005)
depth=0 O = TrueNAS (Nextcloud), CN = localhost
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 O = TrueNAS (Nextcloud), CN = localhost
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:O = TrueNAS (Nextcloud), CN = localhost
   i:O = TrueNAS (Nextcloud), CN = TrueNAS (Nextcloud) local Root CA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDGTCCAgGgAwIBAgIRAKCe93atrZ0ZZO3+868gTF4wDQYJKoZIhvcNAQELBQAw
SjEcMBoGA1UEChMTVHJ1ZU5BUyAoTmV4dGNsb3VkKTEqMCgGA1UEAxMhVHJ1ZU5B
UyAoTmV4dGNsb3VkKSBsb2NhbCBSb290IENBMB4XDTIxMDkyMzEwMzc1NloXDTIz
MDkyMzEwMzc1NlowMjEcMBoGA1UEChMTVHJ1ZU5BUyAoTmV4dGNsb3VkKTESMBAG
A1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
n3AWOJGacRGE5B71EfxZSDc6gJ4fxN8sKgncTpgetEV1ZFj8ltr8kbgJhkLgxaUf
dEM+N6M0E0G00IN28aBpIM6nn5s5eeQKOcXqn+yETPN8BAWBh7k3M+gIGX3f6Y2k
b4oykyVJmLS7ygCsy21VMB90STrgH2kmtU3S00DbAj/DDZ7GqS4jVeUUw8nqTlwl
TIEIW+MN2pZqND1i+08VgcOAOwwqJLcXlJnY7XZ6rD1tMLhcV7CBzJHCJSg0dwu8
kyVZaFYm7JP7J8qEw0OqUi5s6AQUanepX0tn75Zh0E8Fn+bKj6ul26DpC074VzOS
VGjfDXc3JJNG5W2J5E9hKwIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCA4gwDQYJKoZI
hvcNAQELBQADggEBAFTn0wThG6/vlCeeT2krI9LkBnv8b24XH/14HIkU1kz1eydd
WElxnZE1GD9g9/34d2Py0lVbzDIKB203T6wabYwKjDwAt8W0lhM5f6e5ZvaEoY6g
B/NMrkZRXLOiJcm/1+E5/L42ljEtMgDfYiRgc0YtyxCCwhissI975mfaU+MyBQRZ
OalXRH9mkH7NYChrnyUwhqp9Z2xvNpTV0UOElQXHrrY4AOPMK66fJGbGh43QZHmU
xA3t8k08P4MPmZTTHDbt+II+7VtDVgArQZ3Aa5Jo78G2ZCsJ0ghOJfRYgV3QRXPs
QE9ZRUKllZ38WlNE/D2SD0+tZ6F7pJa1D28Hhg8=
-----END CERTIFICATE-----
subject=O = TrueNAS (Nextcloud), CN = localhost

My web server is (include version): nginx 1.20.1

The operating system my web server runs on is (include version):TrueNAS-12.0-U5.1

My hosting provider, if applicable, is: self

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):1.18.0

2

Maybe I've missed it, but do you have a specific question for the Community?

1 Like
3

My bad - I am trying to figure out what's wrong with this certificate and how I can fix it? It also impacts my onlyoffice install in Nextcloud with a similar error. Pretty sure it has to do with this error too: Error when trying to connect (cURL error 60: SSL certificate problem: unable to get local issuer certificate (see libcurl - Error Codes)

4

It's a self signed certificate, probably generated by your NAS itself.

What do you want?

I'm guessing a Let's Encrypt certificate, but you're not explicitely stating/asking that.

Where does that error come from?

1 Like
5

This is a cert from Let's encrypt generated by certbot, I obviously want to fix the issue and get rid of this error so I will have working ssl connection and last error comes from onlyoffice in Nextcloud install. I've read a few similar topics with the same error but they are not much relevant to my case.

6

onlyoffice
onlyoffice1714×745 72.7 KB

7

No, it's not:

It maybe wasn't a self-signed certificate, but it surely isn't a Let's Encrypt certificate!

I can see you've issued a LE cert fairly recently: crt.sh | vadim.com.ru

However, for some reason your Nexcloud softeware isn't using it. How did you aquire the LE certificate last Thursday? You said certbot, but what exact command did you use? Including all the command line options please.

1 Like
8

certbot --nginx -d vadim.com.ru - then I entered my e-mails - went through some screens with questions , it failed a few times but then finally worked. certbot renew --dry-run - came back error

9

Well it must be a Nextcloud cert then

10

Ok, so let's check a few things. First, let's check if certbot still has the certificate laying around with the following command:

sudo certbot certificates

It should output your certificate.

Next, let's see the nginx configuration with the command:

sudo nginx -T

1 Like
11

certbot
certbot718×235 21 KB

nginx -t.txt (16.0 KB)

12

Could you please post the contents of /usr/local/etc/letsencrypt/live/truenas/fullchain.pem ? It should not contain any private key, just certificates.

1 Like
13

fullchain_truenas.txt (1.1 KB)

14

Well, that's weird.. That's the TrueNAS Nextcloud certificate.

It seems that darn piece of #)*$()# software just overwrote the certbot certificate? Assuming you didn't do that :stuck_out_tongue:

Could you perhaps also post the cert.pem and chain.pem from that same directory? Let's check if those files were kept unharmed.

1 Like
15

No I didn't . There is no cert.pem file in truenas folder but there is one in /vadim.com.ru though. I will post it just in case
cert.pem.txt (1.8 KB)
chain.pem (1.2 KB)

16

Ooohh, wait, I didn't see that just now! My bad.

Ah yes, that's your Let's Encrypt certificate! That's good.

The chain.pems are from Nextcloud, they're probably from the truenas folder (which I didn't notice, so sorry about that).

Can you also post fullchain.pem and chain.pem from the /vadim.com.ru/ folder? Just to make sure everything is OK there.. And for in case those files are all fine, could you also post the contents of /usr/local/etc/letsencrypt/renewal/vadim.com.ru.conf ? Because we need to fix two things: your Nextcloud and your certbot for renewal.

1 Like
17

Sure - here you gofullchain.pem|attachment (5.5 KB)
chain.pem (3.7 KB)

renew_before_expiry = 30 days

version = 1.18.0
archive_dir = /usr/local/etc/letsencrypt/archive/vadim.com.ru
cert = /usr/local/etc/letsencrypt/live/vadim.com.ru/cert.pem
privkey = /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem
chain = /usr/local/etc/letsencrypt/live/vadim.com.ru/chain.pem
fullchain = /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem

Options used in the renewal process

[renewalparams]
account = 41e216181510ed12c1199f2c3d63b7e4
authenticator = nginx
installer = nginx
server = https://acme-v02.api.letsencrypt.org/directory[fullchain.pem|attachment](upload://sO4DztMJy3AYiNUMZ05mG2Xgen3.pem) (5.5 KB)

18

chain.pem is looking good. However, the upload of fullchain.pem for some reason didn't work properly. And cert.pem neither.

Your renewal configuration looks sane, let's upload cert.pem and fullchain.pem again just to make sure.

Hmm, nevermind fullchain.pem, you can download the not-working "figure": it's fullchain.pem :rofl:

1 Like
19

How do I do that?

20

Hm, curious.. Your fullchain.pem seems to be broken. The FINAL line with:

-----END CERTIFICATE----

seems to be missing a single dash: -

It should be:

-----END CERTIFICATE-----

Maybe it'll fix your certbot certificates problem!

And for your nextcloud: change the following lines:

  ssl_certificate /usr/local/etc/letsencrypt/live/truenas/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/truenas/privkey.pem;

to:

  ssl_certificate /usr/local/etc/letsencrypt/live/vadim.com.ru/fullchain.pem;
  ssl_certificate_key /usr/local/etc/letsencrypt/live/vadim.com.ru/privkey.pem;

And reload nginx.

3 Likes