LetsEncrypt OpenSsl unable to get local issuer certificate

  • Hello,


    I have a problem using the LetsEncrypt plugin. It seems that Ubuntu 18.04 is not able to issue or renew certificates. All I get in the UI is:

    SSL certificate is not valid: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    error 2 at 1 depth lookup:unable to get issuer certificate


    Even if I want to check the certificate against the chain I get the same error:

    root@ /etc/letsencrypt/live/domain.tld # openssl verify -untrusted chain.pem cert.pem

    cert.pem: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3

    error 20 at 1 depth lookup:unable to get local issuer certificate


    I have no idea what happened - can someone help me please?


    OS: Ubuntu 16.04 (up2date) - (not 18.04)

    I-MSCP: 1.5.3 Build 20180516

    LetsEncrypt: 3.5.0

    Edited once, last by UncleSam ().

  • Hello UncleSam!

    I am sorry, but you are not using the latest I-MSCP version! Ubuntu 18.04 support has been available since 1.5.3 (2018120700).

    Please update your I-MSCP installation for further support.

    Best regards

    Support Infos: I-MSCP Version: 1.5.x / Distro: Debian Stretch / PHP: 7.1.27 - FPM / I-MSCP Plugins: Let´s Encrypt + PHPSwitcher (latest Versions)

  • First of all, I am sorry: I have Ubuntu 16.04 LTS (up2date), not 18.04 as mentioned in my first post. I tried to download the new package and it told me it cannot validate the SSL certificate from GitHub ... so it seems to be a general problem.


    I am checking my environment this evening - at the moment I think this is a non-I-MSCP-related problem.


  • First of all, I am sorry: I have Ubuntu 16.04 LTS (up2date), not 18.04 as mentioned in my first post. I tried to download the new package and it told me it cannot validate the SSL certificate from GitHub ... so it seems to be a general problem.

    FloRet88 is talking about your i-MSCP version, not really about your distribution version, since xenial is still supported because it is not EOL ;)


    As for the problem, keep us informed, and if you don't figure it out, we'll try to reproduce it ;)


  • Thx for your help. At the moment I have no clue what happened. All I can say is that every SSL connection is revoked with the message "unable to get issuer certificate".


    I would appreciate any help, but all in all it has nothing to do with I-MSCP.


    Additional information so far:

    - openssl is fine

    - /etc/ssl/certs is fine


    If I try to connect to ssl it tells me the error every time. But if I specify /etc/ssl/certs as CApath it is working fine ... seems like a default path is broken ... I hope to find where to set it again.


  • Ok I found the problem:

    It seems like the SSL_CERT_DIR which specifies the path to the default trusted certificates is no longer set. At the moment I have no idea how to set it again, so if someone has an idea :-)


    At the moment if I do # export SSL_CERT_DIR=/etc/ssl/certs/ everything is working again - but only for the user which executed this command.

  • First of all sorry about the three posts but I want to tell you now what I found - maybe someone has still some ideas:


    After checking against a new system it seems that there is a symlink from /usr/lib/ssl/certs to /etc/ssl/certs.

    In my case the /usr/lib/ssl/certs folder is somehow mounted read-only (filesystem), but I have no clue why. I tried to (re-)move it but was unable to. So Ubuntu seems to check this folder first for the certificate files, as strace tells me. And as it cannot find any cert in there, it fails.


    Why this happens now ... I have no idea. Even why I cannot remove the folder.


    For me the only way to go is to move to a new server and transfer everything.
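
The checks from the posts above (SSL_CERT_DIR not set, /usr/lib/ssl/certs being an empty folder instead of a symlink to /etc/ssl/certs), collected into a small diagnostic script. This is an added example, not part of any post in this thread; the function names `check_ca_dir` and `effective_ca_dir` are hypothetical, and it assumes SSL_CERT_DIR, if set, names a single directory.

```shell
#!/bin/sh
# Added diagnostic example (not from the thread). OpenSSL's CApath lookup needs
# a readable directory containing entries named <8-hex subject hash>.<n>,
# as created by c_rehash / update-ca-certificates.

# check_ca_dir DIR -> prints one status word and returns 0 only for "ok":
#   dangling-symlink | missing | not-a-directory | unreadable | no-hashed-certs | ok
check_ca_dir() {
    dir=$1
    if [ -L "$dir" ] && [ ! -e "$dir" ]; then
        echo dangling-symlink; return 1
    fi
    [ -e "$dir" ] || { echo missing; return 1; }
    [ -d "$dir" ] || { echo not-a-directory; return 1; }
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo unreadable; return 1
    fi
    # Count hash-named entries; an empty real folder (the case in the thread) has none.
    count=0
    for f in "$dir"/[0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*; do
        if [ -e "$f" ]; then count=$((count + 1)); fi
    done
    [ "$count" -gt 0 ] || { echo no-hashed-certs; return 1; }
    echo ok
}

# effective_ca_dir -> directory OpenSSL searches by default:
# SSL_CERT_DIR if set, otherwise <OPENSSLDIR>/certs from `openssl version -d`.
effective_ca_dir() {
    if [ -n "${SSL_CERT_DIR:-}" ]; then
        echo "$SSL_CERT_DIR"; return 0
    fi
    ossl_dir=$(openssl version -d 2>/dev/null | sed -n 's/^OPENSSLDIR: "\(.*\)"$/\1/p')
    [ -n "$ossl_dir" ] || return 1
    echo "$ossl_dir/certs"
}

# Report the state of the directory this host would actually use.
if d=$(effective_ca_dir); then
    echo "CA directory: $d ($(ls -ld "$d" 2>/dev/null || echo 'no such path'))"
    echo "status: $(check_ca_dir "$d" || true)"
else
    echo "could not determine OPENSSLDIR (is openssl installed?)"
fi
```

A status of `no-hashed-certs` for the default directory, together with `ok` for /etc/ssl/certs, matches the situation described in the thread, where `export SSL_CERT_DIR=/etc/ssl/certs/` made verification work again.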

  • For me the only way to go is to move to a new server and transfer everything.

    What ??? =O Can I check your system before letting you go into the jungle? I can check it after eating if you want ;) Reinstalling everything each time you have a problem is not a solution.


  • Hi UncleSam, NuxWin

    Did you find the problem?

    I tried to renew my letsencrypt certs today (working before) and after the renewal I got the same error.


    I am also on xenial with the latest updates, used certbot, and the openssl verify also brings up the error.

    I copied the cert files to my notebook and there the check works fine.


    If you have any info it would be nice..



    Oli

  • oskaralpha I was unable to fix it and moved to another hoster to get the newest Ubuntu LTS version.

    Nuxwin was not on my machine and so he was not directly in touch with this problem. So I do not know if he can help because this was very strange all in all as you can read in my posts...