Verify return code: 21 (unable to verify the first certificate)

Hi all.

I’ve begun to get error indications on my website. ssllabs gives my site a B rating. But Firefox won’t let me connect to the server. The details are below. Any advice would be appreciated.

Mike.

My domain is: www.diehlnet.com

I ran this command:
openssl s_client -connect www.diehlnet.com:443

It produced this output:
CONNECTED(00000005)
depth=0 CN = www.diehlnet.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = www.diehlnet.com
verify error:num=21:unable to verify the first certificate
verify return:1

Certificate chain
0 s:CN = www.diehlnet.com
i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

Server certificate
-----BEGIN CERTIFICATE-----
MIIFWTCCBEGgAwIBAgISBEWP8P52DgL/iBYYtBKD2iO/MA0GCSqGSIb3DQEBCwUA
…EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsG
AQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYDVR0OBBYEFIq1iHbSwocyeKV/OI40F++s
TBIaMB8GA1UdIwQYMBaAFKhKamMEfd265tE5t6ZFZe/zqOyhMG8GCCsGAQUFBwEB
BGMwYTAuBggrBgEFBQcwAYYiaHR0cDovL29jc3AuaW50LXgzLmxldHNlbmNyeXB0
Lm9yZzAvBggrBgEFBQcwAoYjaHR0cDovL2NlcnQuaW50LXgzLmxldHNlbmNyeXB0
…NrthjKLkN26IXSI/rirEeQSRutcbFpWogQdPzun//p
kk2d4BVPdfv+gec2UBhw+fWJr5ocbUGNNrmQee0FQreGVB+TKBP6BGlSFw1nS/ad
lTZpmniCOcM7WrdjLaUYJHrvAyG+7CeMm0uwwuOAaUy29Mt43pNMdxlajL+6Vx5U
G5FAqB0GrnNrdHgN6xfuVj6SO0PEQ36TX6f0XhelH8Qs+tsy4GlfFLH+tYCjYNn2
kE8FNFnh/MCz136P+jm91CULy8gDyZQlTHXj3uSRavyUbV5p1fJH1R8BqwtTqYkj
mDrSbsW0ELCL7bzrKnPOKnVUCzf9hy4gjYiumKI=
-----END CERTIFICATE-----
subject=CN = www.diehlnet.com

issuer=C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3


No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits

SSL handshake has read 2079 bytes and written 444 bytes
Verification error: unable to verify the first certificate

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 79CA61D594086ABF17D1AE049F17CE96FABF79EE2370842CBAC408ED983E1346
Session-ID-ctx:
Master-Key: CDA20F222635B360F9589B3C3CA9B5D2746FD84737D692DC3F093F5ED59B2FC98736653CD3B9AD94AA39BC94BCB484DE
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 47 23 c4 49 fe 21 13 ca-13 a2 01 31 5d 53 2b ca   G#.I.!.....1]S+.
0010 - ae e3 ff 38 3a 33 19 21-09 3a cd 2e cb 47 1a ab   ...8:3.!.:...G..
0020 - 17 4d e8 a6 d7 ae 40 cc-45 29 23 96 43 57 66 e0   .M....@.E)#.CWf.
0030 - 8c 1d 41 23 c3 32 3b e8-ce 0a de 9b 3a b8 90 77   ..A#.2;.....:..w
0040 - 2c aa 81 13 16 d3 f1 b5-ca 17 f9 a8 4d cd 13 fc   ,...........M...
0050 - 03 b4 0c 1f ca 34 f5 0e-ae d8 46 64 3a a3 2f d9   .....4....Fd:./.
0060 - b4 58 37 45 58 e6 9d 99-03 4e 0b 9d 41 b7 ce 6e   .X7EX....N..A..n
0070 - 2e 90 ed aa be db 16 41-94 f7 ef cf da 4f c2 b1   .......A.....O..
0080 - f8 54 a9 53 fc 2c 50 20-c6 74 4c 8a 54 0d d0 0a   .T.S.,P .tL.T...
0090 - 5e bb 8b 95 58 16 3c 77-59 50 b1 69 dc 9d d4 e7   ^...X.<wYP.i....
00a0 - b1 a9 a6 cc 39 90 9f 3b-2b 78 4e 41 f6 54 4f 9c   ....9..;+xNA.TO.
00b0 - 38 e6 f7 b2 48 bc f0 c5-0a d4 b5 31 5b c5 ba 26   8...H......1[..&
00c0 - 4a 85 e0 ab 27 65 86 ab-ad bf 48 f6 c8 10 fe b5   J...'e....H.....

Start Time: 1597098859
Timeout   : 7200 (sec)
Verify return code: 21 (unable to verify the first certificate)
Extended master secret: no

My web server is (include version):
Apache/2.4.6 (CentOS)

The operating system my web server runs on is (include version):

CentOS Linux release 7.8.2003 (Core)

My hosting provider, if applicable, is: Digital Ocean vps.

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):

certbot-auto 1.6.0

You need to send both the leaf and the intermediate certificate.

In Certbot, you should be using fullchain.pem instead of cert.pem.

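The reply above comes down to one question: does the server hand the client the intermediate along with the leaf? The script below is an added example, not code from this thread, from Certbot or from Apache. It reads an `openssl s_client` transcript in the format shown in the question and counts the entries in the Certificate chain section, so it can tell a missing intermediate (one certificate, verify return code 21) apart from a client that merely lacks a root store (two certificates, code 20), and it checks an Apache vhost stanza for the leaf-only cert.pem mistake. The hostnames, paths, transcripts and vhost text are constructed for illustration. One caveat for the Apache 2.4.6 named in the question: per the mod_ssl documentation, SSLCertificateChainFile only became obsolete in 2.4.8, when SSLCertificateFile was extended to load intermediates as well, so older builds need SSLCertificateChainFile pointed at Certbot's chain.pem in addition to the leaf.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Certbot/Apache.
# Two checks behind the reply above: (1) does an `openssl s_client`
# transcript show the server sending the intermediate as well as the leaf,
# and (2) does an Apache vhost stanza point at a chain file at all.
# Hostnames, paths, transcripts and vhost text below are constructed.

# Number of certificates the server presented, counted from the
# "Certificate chain" section of an s_client transcript on stdin.
# A Let's Encrypt site should present at least 2 (leaf + intermediate).
chain_length() {
    awk '/^Certificate chain/      { inchain = 1; next }
         /^---/                    { inchain = 0 }
         inchain && /^ *[0-9]+ s:/ { n++ }
         END                       { print n + 0 }'
}

# Numeric part of the last "Verify return code:" line on stdin.
# 0 = trusted path built; 21 = chain held only the leaf, nothing verifiable;
# 20 = an issuer was not found locally (with a complete chain that usually
#      means the client has no root store, not a server fault).
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | tail -n 1
}

# Exit 0 if the transcript on stdin shows a complete chain and a clean
# verification; otherwise print a one-line diagnosis and exit 1.
transcript_ok() {
    t=$(cat)
    n=$(printf '%s\n' "$t" | chain_length)
    code=$(printf '%s\n' "$t" | verify_code)
    if [ "$n" -lt 2 ]; then
        echo "server sent only $n certificate(s): intermediate missing (verify code ${code:-none})"
        return 1
    fi
    if [ "${code:-1}" -ne 0 ]; then
        echo "server sent $n certificates but verification failed with code $code: check the client's CA bundle (-CAfile/-CApath)"
        return 1
    fi
    echo "chain complete ($n certificates), verify code 0"
}

# Exit 0 if the Apache vhost stanza on stdin will send intermediates:
# SSLCertificateFile points at fullchain.pem (enough on Apache >= 2.4.8),
# or an SSLCertificateChainFile directive is present (needed on older
# builds such as 2.4.6, pointed at Certbot's chain.pem).
apache_chain_ok() {
    conf=$(cat)
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*SSLCertificateFile[[:space:]]+.*fullchain\.pem'; then
        echo "vhost sends the chain via fullchain.pem"; return 0
    fi
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*SSLCertificateChainFile[[:space:]]+'; then
        echo "vhost sends the chain via SSLCertificateChainFile"; return 0
    fi
    echo "leaf-only SSLCertificateFile and no SSLCertificateChainFile: use fullchain.pem (or add SSLCertificateChainFile chain.pem on Apache < 2.4.8)"
    return 1
}

# Constructed transcript excerpts in the s_client format from the question.
BROKEN_TRANSCRIPT=$(cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
---
Verify return code: 21 (unable to verify the first certificate)
EOF
)
NO_ROOT_TRANSCRIPT=$(cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Verify return code: 20 (unable to get local issuer certificate)
EOF
)
FIXED_TRANSCRIPT=$(cat <<'EOF'
Certificate chain
 0 s:CN = www.example.com
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
 1 s:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Verify return code: 0 (ok)
EOF
)
# Constructed vhost stanzas: the cert.pem mistake and the fullchain.pem fix.
LEAF_ONLY_VHOST=$(cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
EOF
)
FULLCHAIN_VHOST=$(cat <<'EOF'
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
</VirtualHost>
EOF
)

# Run the checks on the samples. For a live host, feed in the output of
#   openssl s_client -connect HOST:443 -servername HOST </dev/null
# (pass -servername: without SNI a multi-site Apache answers with its
# default vhost's certificate, which may not be the one you meant to test).
main() {
    printf '%s\n' "$BROKEN_TRANSCRIPT"  | transcript_ok || :
    printf '%s\n' "$NO_ROOT_TRANSCRIPT" | transcript_ok || :
    printf '%s\n' "$FIXED_TRANSCRIPT"   | transcript_ok || :
    printf '%s\n' "$LEAF_ONLY_VHOST"    | apache_chain_ok || :
    printf '%s\n' "$FULLCHAIN_VHOST"    | apache_chain_ok || :
}
main
```

On a real host the same `awk`/`sed` run unchanged over the live `s_client` output; the point of the three transcripts is that "only one certificate, code 21" is the server's fault, while "two certificates, code 20" is the testing client's trust store, which is worth ruling out before touching the vhost.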

Hi @mdiehl

“check-your-website” has an older check of your domain (hidden, use the search option). Your non-www has a wrong certificate with www.mikediehl.tech. So if a browser connects to the non-www version, it’s not possible to open your page.

First step: Create one certificate with both domain names (non-www and www).

Second step: Install it correctly. Your older check - all chains are incomplete.


Well, I should have listened to ssllabs, which gave me a B rating. My certs were installed correctly. I was using openssl incorrectly to test them.

Seems to be working now.

Thanks,
