Verify error:num=20:unable to get local issuer certificate

You meant nginx.conf <== I got it and WOW! you caught that fifth dash - it really fixed the whole thing! You are the man!


2 Likes

@Osiris You rock!

2 Likes

Everything looks good now, indeed!

Don't forget to set up a systemd timer or cronjob if that hasn't already been done (depending on how you installed certbot, sometimes a timer or cronjob is installed too).

And after a renewal (in about 60 days), don't forget to reload nginx!

2 Likes

Sure will! Thanks a lot for your help! check
certbot renew --dry-run worked too! You made not my day - but the whole week!

3 Likes

Glad to be of assistance :slight_smile:

2 Likes

Darn it! Now I am getting a new error from onlyoffice and bad ssl in the browser too. I do get in of course with an exception though. Error when trying to connect (cURL error 60: SSL: no alternative certificate subject name matches target host name '192.168.50.7' (see libcurl - Error Codes) for https://192.168.50.7/healthcheck). That's when I connect locally to Nextcloud page

You need to connect by hostname, or find a way to override certificate verification--the cert is valid only for your FQDN, not for your IP address.

4 Likes

Right - now once you mentioned it I remember that in previous version of Nextcloud it won't connect at all as soon as you get the hostname running. Thanks a lot! It really does not matter locally anyway...

1 Like

@danb35 I still get the same error with domain name as well and I guess that's what does not let me connect onlyoffice to Nextcloud

Please show the picture of the URL and error message.

There is no DNS entry for: office.vadim.com.ru
There has also not been a cert issued for: office.vadim.com.ru
So, https://office.vadim.com.ru/ must result in an invalid cert (at best).

1 Like

It was auto-populated and I figured it out. Since I was helped with my certs, shall we try and fix the OCSP Stapling again? I can uncomment those lines and reproduce the error.

I'm too busy to help work out any OCSP problems - sorry.

I suggest you simply try setting

ssl_stapling on;
ssl_stapling_verify on;

in the same block where ssl_certificate and ssl_certificate_key are set. Do not set any ssl_trusted_certificate directive anywhere, nginx can usually auto-load them from the default CA store. If this is not the case, you will get a different error message.

2 Likes

I did that and restarted nginx - no errors, but on the test it shows no stapling?

"OCSP Must Staple" is a property of the certificate and does not signal if your server actually sends a stapled OCSP reply.

Try connecting to your site with OpenSSL's s_client and add the -status option: at the top it'll show you an OCSP reply if stapled. If not stapled, it won't return an OCSP reply.

FYI: I see the stapled OCSP reply :slight_smile:

2 Likes
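The s_client check described in the post above, as an added example that is not part of the original thread: a small POSIX shell helper that classifies the OCSP section of `openssl s_client -status` output. The function names and the two sample outputs are constructed for illustration; the matched strings are the ones OpenSSL prints.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Read `openssl s_client -status` output on stdin and print one of:
#   stapled-good      stapled reply present, certificate status "good"
#   stapled-not-good  stapled reply present, status revoked/unknown
#   not-stapled       server sent no OCSP reply in the handshake
#   unknown           no OCSP section found (e.g. connection failed)
classify_ocsp() {
  ocsp_out=$(cat)
  case $ocsp_out in
    *"OCSP response: no response sent"*) echo not-stapled ;;
    *"OCSP Response Status: successful"*)
      case $ocsp_out in
        *"Cert Status: good"*) echo stapled-good ;;
        *) echo stapled-not-good ;;
      esac ;;
    *) echo unknown ;;
  esac
}

# Live check. -servername sends SNI so nginx selects the server block
# that holds ssl_stapling; </dev/null ends the session after the handshake.
check_stapling() {
  openssl s_client -connect "$1:${2:-443}" -servername "$1" -status \
    </dev/null 2>/dev/null | classify_ocsp
}

# Constructed sample outputs (trimmed to the relevant lines).
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Cert Status: good'

SAMPLE_NONE='CONNECTED(00000003)
OCSP response: no response sent
---'

# Usage: sh check_stapling.sh your.fqdn.example [port]
if [ $# -gt 0 ]; then
  check_stapling "$@"
fi
```

nginx fetches the OCSP reply lazily, so the first connection after a reload can report not-stapled; run the check a second time before concluding stapling is off.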

Right - it's right here

2 Likes

Thanks everybody for your help! Now I completely resolved my cert install problem and just need to get the cron job on it for 70 days or so. Back to fighting with onlyoffice integration with Nextcloud. Another pain in the neck.

3 Likes

What is a better option you think? @weekly or @monthly for a cronjob? When I installed it last Thursday it said it is good until December 27th or something