Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.gedmatch.com

I ran this command: openssl verify fullchain.pem

It produced this output:
fullchain.pem: CN = *.gedmatch.com
error 20 at 0 depth lookup:unable to get local issuer certificate

My web server is (include version): pound V2.6

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I have been successful in setting up single certificates on pound and apache - but having issues with setting up wildcard certs on pound. I was able to create the cert using dns text.

When I installed it in pound it did not work.

I then tried to verify the certificate with openssl and am getting the error about not being able to get the local issuer.

In doing search on web I found that there may be an issue with the CA certificate in /etc/ssl/certs - related to IdenTrust - I have 2 dated 9/27/2017 IdenTrust_Commercial_Root_CA_1.pem and IdenTrust_Public_Sector_Root_CA_1.pem.

I discovered that attempting to validate the working certs for apache I the same error.

I would like a way to verify the wildcard certificate before I attempt to install it again.

Is there a root CA different for Let’s encrypt than the idenTrust one?

johnh…

What exactly is your question? What are you trying to verify?

Check the updated question - I had problems getting the rest of the item in the question originally.

Trying to verify with openssl the wild card cert.

What problems are you having installing the certificate?

If you're using Certbot, you can use "sudo certbot certificates" to display your certificates.

You can also use a command like "openssl x509 -noout -text -in fullchain.pem" to examine it (cryptographic verification not included).

Let's Encrypt certificates currently use the root DST Root CA X3. (It belongs to IdenTrust because they acquired a company called DST.)

Thanks for the pointers:

Found the following certs:
Certificate Name: gedmatch.com
Domains: *.gedmatch.com
Expiry Date: 2019-02-27 16:28:41+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/gedmatch.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gedmatch.com/privkey.pem

I had examined the cert with openssl x509.

I'll look for the root CA.

johnh...

The DST root CA seem to be there:

root@pound0:/etc/ssl/certs# ls -l DST
lrwxrwxrwx 1 root root 53 Nov 21 2017 DST_ACES_CA_X6.pem -> /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt
lrwxrwxrwx 1 root root 53 Nov 21 2017 DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

johnh…

I’m seeing in the cert:
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
I’m seeing in the DST_Root_CA_X3.pem
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3

Does Let’s Encrypt have it own CA? Am I missing a chain?

johnh…

Let’s Encrypt uses an intermediate certificate. See for more info:

You need to focus on why pound failed.
Can you show an error message?

There is nothing wrong with the cert.

Thanks for the pointer - with the * Let’s Encrypt Authority X3 (Signed by ISRG Root X1)
as a -CAfile I was able to get openssl to verify the certificate.

johnh…

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.