Warning: no valid certs found cafile stream: `/etc/letsencrypt/live/ ...etc

You should not be terrified of updating CA certificates. That is a routine thing that should be current.

What does this say:

trust list | grep -E 'ISRG Root|DST Root'

Hopefully that works on CentOS 7 - not sure. There is a different way if it does not.

Could your problem have started after Sept 30? On Sept 30 one of the root certificates for Let's Encrypt expired. You use the "long chain" of certificates that gives maximum support for older Android but at the expense of losing support for some others (older openssl and others notably). This is a complex topic and there are many, many posts on this site about that. If you do not care about older Android clients (<7.1) then you could switch to using the 'short chain' but you will need to update your Certbot version. Or, you could use Certbot with a different CA (not Let's Encrypt). This article explains this in far more detail than you will probably care to read.

Perhaps I or someone will suggest something for your php config to work. I can sympathize with frustration but in software things always change and you must adapt. It is a constant learning effort. It is not always fun but always necessary.

2 Likes

I see you are replying but I need to be away for a bit. In the meantime can you try:

<?php
// Fetch the ACME endpoint over HTTPS; failure here points at TLS/CA-store trouble
$url = 'https://acme-v02.api.letsencrypt.org';
$html = file_get_contents($url);
echo $html;

Will help isolate issue. Thanks

3 Likes

[ken@alpha ~]$ trust list | grep -E 'ISRG Root|DST Root'
label: DST Root CA X3
label: ISRG Root X1

I believe the problem started after Sept 30. Funny thing, if there is humor here, I just checked my Linode backups. In addition to the automatic ones, from time to time I do a complete server snapshot, when I feel I've arrived at a particularly safe place, stuff working nicely, etc. I did the last one on Sept 30. No kidding. And if I had done one more recently, it would have wiped out that one.

If I have to resort to it -- and I don't know if that's a good idea, I'd have to proceed very very very carefully as there's a lot of customer data there as well as code changes I've made. Naturally, I'm reluctant to take that step, especially if what I would do next is update the server to bring it current ... and perhaps reintroduce the problems.

I just have to believe there's a way to get the php config to work, and that it will be of extreme interest to Letsencrypt to solve this problem, something if left unfixed would do harm to their business plans.

FYI, FWIW, I boil down my situation to this:
-- Enfeedia works great for publishing RSS feeds.
-- Enfeedia's syndication feature is fully broken.
-- If I could solve that problem in any way at all that provides a way for my customers to syndicate Enfeedia-published feeds, I'd grab it.
-- Enfeedia used php file commands to read back and parse the xml files located in those public folders (i.e., a built-in Feed Reader).
-- I can "cheat" by grabbing database table entries that Enfeedia customers create by filling out forms, thereby not needing to use those file commands. In fact, I did this in a couple of critical cases for websites I design. It's incomplete (doesn't support images, but could if I want to do that work).

Putting that all together, I need the php file operations to work for me without getting bogged down in SSL.

(PS: I was in the process of giving Enfeedia a much-needed facelift which I set aside to deal with this serious problem. That facelift is all cosmetic, and includes dropping jQuery-mobile in favor of W3.CSS library for GUI.)

1 Like

Ok, another thing. Try:

echo | openssl s_client -connect enfeedia.com:443 -servername enfeedia.com | head

and

openssl version

NB: My php config works fine :slight_smile: But I have an updated CA root store even with an older openssl. Still not certain why yours fails. But, appearance of DST Root CA X3 in your cert store means it could be an issue. That cert has expired and would be removed by updating your cert store as already instructed.

3 Likes

Uh, Houston, we have a problem:

Boulder
The Let's Encrypt CA

This is an ACME Certificate Authority running Boulder.

This is a programmatic endpoint, an API for a computer to talk to. You should probably be using a specialized client to utilize the service, and not your web browser. See https://letsencrypt.org/ for help.

If you're trying to use this service, note that the starting point, the directory , is available at this URL: https://acme-v02.api.letsencrypt.org/directory.

Service Status (letsencrypt.status.io)

Check with us on Twitter

No, that is good and what I was hoping. That URL uses the "short chain" and helps identify what is going wrong. Please do the openssl commands I showed.

3 Likes

[ken@alpha /]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

1 Like

And that one?

2 Likes

I don't know what to make of this. Create a php file with that content and execute it?

echo | openssl s_client -connect enfeedia.com:443 -servername enfeedia.com | head

1 Like

No, just type it on your CentOS command prompt just like that. Copy/paste even.

3 Likes

[ken@alpha /]$ echo | openssl s_client -connect enfeedia.com:443 -servername enfeedia.com | head
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
CONNECTED(00000003)

Certificate chain
0 s:/CN=enfeedia.com
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3

[ken@alpha /]$

1 Like

(I have to break for a while for lunch with wife. :slight_smile:)

1 Like

Yep, you need to update your CA Root store as I showed earlier. Your php is failing as it relies on an old version of openssl (the same one I have by the way). It does not handle the "long chain" I referred to earlier well.

Here are details from the OpenSSL group if you care to understand it:
https://www.openssl.org/blog/blog/2021/09/13/LetsEncryptRootCertExpire/

3 Likes
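A small offline diagnostic, added here as an example (it is not code from this thread, from Let's Encrypt or from the OpenSSL project): it parses the `trust list`, `openssl version` and `openssl s_client` output posted above, transcribed below as constructed sample input, and reports whether the failure matches the pattern explained in this thread, i.e. a verify error at a depth beyond what the server sent (so the expired certificate is the DST Root CA X3 anchor in the local store) combined with an OpenSSL older than 1.1.0 that cannot route around an expired cross-sign. The function names and result keys are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, transcribed from the outputs posted in the thread
# (not captured live by this script).
SAMPLE_SCLIENT = """\
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=enfeedia.com
   i:/C=US/O=Let's Encrypt/CN=R3
 1 s:/C=US/O=Let's Encrypt/CN=R3
   i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
 2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""
SAMPLE_TRUST = "label: DST Root CA X3\nlabel: ISRG Root X1\n"
SAMPLE_VERSION = "OpenSSL 1.0.2k-fips 26 Jan 2017"

_CN = re.compile(r"CN\s*=\s*([^/,]+)")


def _cn(dn: str) -> str:
    """Pull the CN out of a DN in either '/C=US/CN=x' or 'C = US, CN = x' form."""
    m = _CN.search(dn)
    return m.group(1).strip() if m else dn.strip()


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject CN, issuer CN), ...] in the order the server sent them."""
    chain: List[Tuple[str, str]] = []
    subject: Optional[str] = None
    for line in text.splitlines():
        s = re.match(r"^\s*\d+\s+s:(.*)$", line)
        i = re.match(r"^\s*i:(.*)$", line)
        if s:
            subject = _cn(s.group(1))
        elif i and subject is not None:
            chain.append((subject, _cn(i.group(1))))
            subject = None
    return chain


def parse_verify_error(text: str) -> Optional[Tuple[int, int, str]]:
    """Return (depth, error number, message) for the first verify error, if any."""
    depth: Optional[int] = None
    for line in text.splitlines():
        dm = re.match(r"^depth=(\d+)", line)
        if dm:
            depth = int(dm.group(1))
            continue
        em = re.match(r"^verify error:num=(\d+):(.*)$", line)
        if em and depth is not None:
            return depth, int(em.group(1)), em.group(2).strip()
    return None


def parse_trust_labels(text: str) -> List[str]:
    """Labels printed by `trust list` (p11-kit), one per anchor."""
    return [m.group(1).strip() for m in re.finditer(r"^\s*label:\s*(.+)$", text, re.M)]


def parse_openssl_version(text: str) -> Tuple[int, int, int]:
    """Numeric (major, minor, patch) from an `openssl version` line."""
    m = re.search(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("not an 'openssl version' line: %r" % text)
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def diagnose(sclient: str, trust: str, version: str) -> Dict[str, object]:
    """Combine the three outputs into findings plus the remediation steps from the thread."""
    chain = parse_chain(sclient)
    err = parse_verify_error(sclient)
    labels = parse_trust_labels(trust)
    ver = parse_openssl_version(version)
    actions: List[str] = []
    from_local_store = False
    expired_root_in_store = False
    if err is not None and err[1] == 10:  # X509_V_ERR_CERT_HAS_EXPIRED
        # The server sends certificates at depths 0..len(chain)-1; a failure at
        # depth == len(chain) is the trust anchor, which lives in the local store.
        if err[0] >= len(chain):
            from_local_store = True
            root = chain[-1][1] if chain else None
            if root is not None and root in labels:
                expired_root_in_store = True
                actions.append(
                    "expired anchor '%s' is still in the CA store; refresh it "
                    "(thread's fix: sudo yum install -y ca-certificates)" % root)
    legacy = ver < (1, 1, 0)
    if legacy:
        actions.append(
            "OpenSSL %d.%d.%d cannot build an alternative path around an expired "
            "cross-sign; upgrade OpenSSL or have the site serve the short chain" % ver)
    return {
        "chain": chain,
        "verify_error": err,
        "expired_cert_from_local_store": from_local_store,
        "expired_root_in_store": expired_root_in_store,
        "legacy_openssl": legacy,
        "actions": actions,
    }


if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_SCLIENT, SAMPLE_TRUST, SAMPLE_VERSION).items():
        print(key, "=", value)
```

Feed it the real outputs by capturing `openssl s_client ... 2>&1`, `trust list` and `openssl version` into strings; after the CA bundle is refreshed, `expired_root_in_store` should turn false even though the server still sends the same long chain.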

To be very careful, you mean run: sudo yum install -y ca-certificates
Right?

1 Like

Yes, just like that.

3 Likes

after lunch :grimacing:

1 Like

That 2017 version could do with an update too.

3 Likes

Agreed but I read CentOS might be fussy about that so was hesitant to recommend. Do you know if that updates easily?

2 Likes

It has for me.

3 Likes

WHEW! That seems to have done the trick!

Test cases run. Now I'm going back to websites where feeds were syndicated but displayed stuff that would frighten my customers. To avoid nervous breakdowns out there, I had code to hide/bypass things and/or embed alternate temporary solutions, so to speak (like grabbing feed tags from the database and doing a poor man's version of syndication).

I COULD NEVER EVER HAVE SOLVED THIS MYSELF. THANK YOU SO MUCH!

Seems like Letsencrypt shoulda sent unmistakable warning email to all users of the service ... or maybe they did and I missed it?

2 Likes