X509: certificate signed by unknown authority

CertifyMe · March 26, 2023, 5:03pm

Hey,
I have created a certificate successfully, I serve it using different sites and browsers and have no issues with it so far.
i'm in the middle of testing it with https://www.ssllabs.com/ and so far I get B grade.

the issue i am facing is i get error from a proxy i'm playing with (oauth proxy):
"x509: certificate signed by unknown authority"

when i tell the proxy to not validate the certificate it works, so what should i verify so that it will work

Osiris · March 26, 2023, 5:25pm

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is:

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know):

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):

Bruce5051 · March 26, 2023, 6:48pm

Also, what Certificate Authority would you expect to see?

CertifyMe · March 27, 2023, 8:18am

my domain is:
"example.com"

the command i ran to produce the cert:
was certbot create ... with dns validation

my current webserver im playing with where i have issues with is:
oauth-proxy-2 -> GitHub - oauth2-proxy/oauth2-proxy: A reverse proxy that provides authentication with Google, Azure, OpenID Connect and many more identity providers.

the OS is:
alpine:3.17.2

Hosting provider:
Docker in my workstation

Currently i can login with a user to the Docker, but can make manipulation and be root

I dont use a control panel to manage my site

the version of certbot is 2.2.0.

CertifyMe · March 27, 2023, 8:21am

@Bruce5051 what do you mean?
I guess I didnt explain it well enough.
I'm trying to use oauth proxy to serve a page, it holds the letsencrypt certificate, when i make a request the logs of the proxy show that for error, meaning my traffic doesnt go through, when i ask the proxy to not validate the certificate it allows me to pass through.

So i'm thinking the proxy does not know how to validate the certificate as a trusted cert, the question is why? i did supply the fullchain certificate and in SSL labs i get grade B for that certificate.

danb35 · March 27, 2023, 12:29pm

This sounds like a question for whatever oauth proxy you're using.

Bruce5051 · March 27, 2023, 2:20pm

I assume you do not expect; so what Authority do you expect to see signing the x509 certificate?

rg305 · March 27, 2023, 3:14pm

Real domains don't have underscores.

CertifyMe · March 28, 2023, 12:24pm

ok so change it to example.com

rg305 · March 28, 2023, 3:48pm

done.

system · April 27, 2023, 3:49pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.