Wget problem on valid certificate

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: cantracer.ru

I ran this command: wget -v -O - https://cantracer.ru

It produced this output: --2021-05-22 23:46:38-- https://cantracer.ru/
Resolving cantracer.ru (cantracer.ru)... 78.24.217.80
Connecting to cantracer.ru (cantracer.ru)|78.24.217.80|:443... connected.
ERROR: cannot verify cantracer.ru's certificate, issued by 'CN=R3,O=Let's Encrypt,C=US':
Unable to locally verify the issuer's authority.
To connect to cantracer.ru insecurely, use `--no-check-certificate'.

My web server is (include version): Apache/2.4.10

The operating system my web server runs on is (include version): SMP Debian 3.16.43

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): isp manager

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): no certbot

The problem is that when I use wget I get an error for the issuer. Other sites located on my server, which also hold Let's Encrypt certificates, do not get this problem.

I re-issued certificate, but the problem stays.

Browser says cert is ok.

Your server is serving a botched certificate chain:

Certificate chain
 0 s:CN = cantracer.ru
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

The "i:" of the first ("0") certificate should match the "s:" of the second one ("1"). This is clearly not the case. I.e.: you're sending the incorrect chain.

Browsers can build their own chain based upon a few mechanisms such as cached intermediates from other sites or active downloads. But you shouldn't count on that and fix your chain.


All certificates were created via the Let's Encrypt plugin for the ISP Manager panel. No problems on the other 10 www sites.
How can that chain be provided without any additional steps from me? I can't understand.

That's a very good question!

Let's Encrypt recently changed their issuance chain. Since 4th of May the default chain is:

End-entity certificate ← R3 ← ISRG Root X1 ← DST Root CA X3

It seems your webserver is missing one of the intermediate certificates: it's sending the ISRG Root X1 signed by DST Root CA X3, but it's lacking the intermediate R3 signed by ISRG Root X1.

Maybe you should contact the support of your ISP manager panel?

oh, you mean one certificate is missing there?

I can do it all by hand, but I can't install certbot on the server - errors, old OS.

Jup, the chain is missing the R3 signed by ISRG Root X1 intermediate.

This is ideally something which should be handled by the actual system in place to get the certificate in the first place. I.e., ISP Manager.

Many thanks! I fixed that.

This is actually a bug in ISP Manager.
There are 4 files created locally: ca, crt, crtca and key.
ca must be replaced with crtca in the host's apache2 configuration!


I can confirm you're sending the correct chain now:

Certificate chain
 0 s:CN = cantracer.ru
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = cantracer.ru
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3

Note that this should have been taken care of by your ACME client (probably built into ISP Manager). Hopefully the next certificate and/or renewal doesn't break anything.
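The linkage check Osiris did by eye on both chain listings above (the broken one, where the leaf's "i:" has no matching "s:", and the corrected one, which also carries a redundant second copy of the leaf) can be scripted against the summary that `openssl s_client -showcerts` prints. The script below is an added example, not code from the thread or from ISP Manager: it parses the two listings quoted in this topic (embedded here as constructed sample input), then walks from the leaf toward a trust anchor by matching each issuer name against the subjects the server actually sent, the way a strict client such as wget does without fetching missing intermediates. The trust stores are assumed stand-ins identified by subject name only; real validation also verifies signatures and matches names structurally rather than as strings.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two "Certificate chain" summaries quoted in
# the thread, in the layout printed by `openssl s_client -showcerts`.
BROKEN_CHAIN = """\
Certificate chain
 0 s:CN = cantracer.ru
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

FIXED_CHAIN = """\
Certificate chain
 0 s:CN = cantracer.ru
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:CN = cantracer.ru
   i:C = US, O = Let's Encrypt, CN = R3
 2 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 3 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
"""

# Assumed trust anchors, identified by subject name only (a stand-in for a
# real trust store, which would also hold each root's public key).
OLD_TRUST_STORE = {"O = Digital Signature Trust Co., CN = DST Root CA X3"}
NEW_TRUST_STORE = {"C = US, O = Internet Security Research Group, CN = ISRG Root X1"}

# Matches " 0 s:<name>" and "   i:<name>" lines; the index is optional.
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")


def parse_chain(text: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent them."""
    certs: List[Tuple[str, str]] = []
    subject: Optional[str] = None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif subject is None:
            raise ValueError("issuer line without a preceding subject line")
        else:
            certs.append((subject, name))
            subject = None
    return certs


@dataclass
class ChainCheck:
    path: List[str]                # subjects actually used, leaf first
    anchor: Optional[str]          # trust anchor reached, or None
    missing_issuer: Optional[str]  # issuer that nothing served or trusted matches
    unused: List[int]              # indexes of served certs that played no role


def check_chain(certs: List[Tuple[str, str]], trusted_roots: set) -> ChainCheck:
    """Walk from the leaf (index 0) toward a trust anchor, choosing each next
    certificate by matching the current issuer name against served subjects.
    Only the served certificates are consulted, so a missing intermediate
    surfaces as an unmatched issuer rather than being fetched elsewhere."""
    if not certs:
        raise ValueError("server sent no certificates")
    path = [0]
    issuer = certs[0][1]
    while issuer not in trusted_roots:
        nxt = next((i for i, (subj, _) in enumerate(certs)
                    if subj == issuer and i not in path), None)
        if nxt is None:
            break  # nobody supplies this issuer: the chain is incomplete
        path.append(nxt)
        issuer = certs[nxt][1]
    unused = [i for i in range(len(certs)) if i not in path]
    subjects = [certs[i][0] for i in path]
    if issuer in trusted_roots:
        return ChainCheck(subjects, issuer, None, unused)
    return ChainCheck(subjects, None, issuer, unused)


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CHAIN), ("fixed", FIXED_CHAIN)):
        result = check_chain(parse_chain(text), OLD_TRUST_STORE)
        if result.missing_issuer:
            print(f"{label}: no served certificate has subject '{result.missing_issuer}'")
        else:
            print(f"{label}: chain reaches trusted root '{result.anchor}'")
        if result.unused:
            print(f"{label}: certificate(s) {result.unused} were sent but not needed")
```

Run against the first listing it reports that nothing served has the subject "C = US, O = Let's Encrypt, CN = R3", which is exactly the gap wget complained about; against the second it reaches DST Root CA X3 and flags certificate 1 (the duplicate leaf) as unused. Checking the same fixed chain against a store that already trusts ISRG Root X1 stops one step earlier and additionally reports certificate 3 as unneeded, which is why a chain that is harmless for modern clients can still be worth trimming.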
