Wildcard cert on pound


#1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.gedmatch.com

I ran this command: openssl verify fullchain.pem

It produced this output:
fullchain.pem: CN = *.gedmatch.com
error 20 at 0 depth lookup:unable to get local issuer certificate

My web server is (include version): pound V2.6

The operating system my web server runs on is (include version): Ubuntu 16.04.3 LTS

My hosting provider, if applicable, is: aws

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I have been successful in setting up single certificates on pound and apache - but having issues with setting up wildcard certs on pound. I was able to create the cert using dns text.

When I installed it in pound it did not work.

I then tried to verify the certificate with openssl and am getting the error about not being able to get the local issuer.

In doing a search on the web I found that there may be an issue with the CA certificate in /etc/ssl/certs related to IdenTrust. I have 2 dated 9/27/2017: IdenTrust_Commercial_Root_CA_1.pem and IdenTrust_Public_Sector_Root_CA_1.pem.

I discovered that when attempting to validate the working certs for apache I get the same error.

I would like a way to verify the wildcard certificate before I attempt to install it again.

Is there a different root CA for Let’s Encrypt than the IdenTrust one?

johnh…


#2

What exactly is your question? What are you trying to verify?


#3

Check the updated question - I had problems getting the rest of the item in the question originally.

Trying to verify the wildcard cert with openssl.


#4

What problems are you having installing the certificate?

If you’re using Certbot, you can use "sudo certbot certificates" to display your certificates.

You can also use a command like “openssl x509 -noout -text -in fullchain.pem” to examine it (cryptographic verification not included).

Let’s Encrypt certificates currently use the root DST Root CA X3. (It belongs to IdenTrust because they acquired a company called DST.)


#5

Thanks for the pointers:

Found the following certs:
Certificate Name: gedmatch.com
Domains: *.gedmatch.com
Expiry Date: 2019-02-27 16:28:41+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/gedmatch.com/fullchain.pem
Private Key Path: /etc/letsencrypt/live/gedmatch.com/privkey.pem

I had examined the cert with openssl x509.

I’ll look for the root CA.

johnh…


#6

The DST root CA seems to be there:

root@pound0:/etc/ssl/certs# ls -l DST
lrwxrwxrwx 1 root root 53 Nov 21 2017 DST_ACES_CA_X6.pem -> /usr/share/ca-certificates/mozilla/DST_ACES_CA_X6.crt
lrwxrwxrwx 1 root root 53 Nov 21 2017 DST_Root_CA_X3.pem -> /usr/share/ca-certificates/mozilla/DST_Root_CA_X3.crt

johnh…


#7

I’m seeing in the cert:
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
I’m seeing in the DST_Root_CA_X3.pem
Subject: O=Digital Signature Trust Co., CN=DST Root CA X3

Does Let’s Encrypt have its own CA? Am I missing a chain?

johnh…


#8

Let’s Encrypt uses an intermediate certificate. See for more info:


#9

You need to focus on why pound failed.
Can you show an error message?

There is nothing wrong with the cert.


#10

Thanks for the pointer - with the Let’s Encrypt Authority X3 (Signed by ISRG Root X1) as a -CAfile I was able to get openssl to verify the certificate.

johnh…
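To show concretely why `openssl verify fullchain.pem` fails even when the root is installed, here is an added demo script (not from the thread or from Let's Encrypt) that builds a throwaway root -> intermediate -> wildcard leaf chain with the openssl CLI, then reproduces the "unable to get local issuer certificate" failure and the `-untrusted` fix. The certificate names and `*.example.test` are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo: build a throwaway root -> intermediate -> wildcard leaf
# chain, then reproduce the verify failure from the thread and the fix.
# Requires the openssl CLI; only the directory given as $1 is written to.

make_demo_chain() {
  mkdir -p "$1" && ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\n' > leaf.ext
    # Self-signed root (plays the trust-anchor role of DST Root CA X3)
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
      -subj '/CN=Demo Root CA' 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
      -extfile ca.ext 2>/dev/null
    # Intermediate signed by the root (the "Let's Encrypt Authority X3" role)
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
      -subj '/CN=Demo Intermediate' 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -out intermediate.pem -days 30 -extfile ca.ext 2>/dev/null
    # Wildcard leaf signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
      -subj '/CN=*.example.test' 2>/dev/null
    openssl x509 -req -in leaf.csr -CA intermediate.pem -CAkey int.key \
      -CAcreateserial -out cert.pem -days 30 -extfile leaf.ext 2>/dev/null
    cat cert.pem intermediate.pem > fullchain.pem )   # same layout certbot writes
}

# The command from the original post: only the first cert in the file is
# checked, against the system trust store, so the intermediate is ignored.
verify_naive() { openssl verify "$1/fullchain.pem" >/dev/null 2>&1; }

# Root given as -CAfile but no intermediate: still fails, which is what the
# poster saw even though DST Root CA X3 was present in /etc/ssl/certs.
verify_root_only() { openssl verify -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1; }

# Root as trust anchor plus the intermediate supplied as an untrusted chain cert.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/intermediate.pem" \
    "$1/cert.pem" >/dev/null 2>&1
}

# Stand-alone run ("sh demo.sh run"): report each outcome.
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d) && make_demo_chain "$d"
  for f in verify_naive verify_root_only verify_with_chain; do
    if "$f" "$d"; then echo "$f: OK"; else echo "$f: FAILED"; fi
  done
  rm -rf "$d"
fi
```

For a real certbot chain, the equivalent is `openssl verify -CAfile <root.pem> -untrusted <intermediate.pem> cert.pem`, with the intermediate being the second certificate in fullchain.pem.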