LetsEncrypt - SSL certificate is not valid

  • Thank you for your reply, Zakaria.
    I have not changed anything yet to fix it beforehand. If you presumed I did, please let me know what steps I have to do first.

    I tried to follow your instructions.

    So I log into my server with Putty and type:

    Code
    openssl verify -CAfile chain1.pem cert1.pem


    Result comes out:

    Code
    Error loading file chain1.pem

    What did I do wrong?

  • You need to find your SSL bundle, including a chain file for the CA, a private key and a certificate. Sometimes they are provided in one combined file, but on your server you will find the bundle in the /etc/letsencrypt/archive/[yourdomainame] directory if you used certbot; otherwise, find out who your SSL provider is and where they store the SSL bundle files, and use them when verifying the certificate with openssl.

    The error message is saying it couldn't find the chain1 file, which should be in the directory stated above if you used certbot.

    Code
    Error loading file chain1.pem


    Also, make sure to use

    Code
    dos2unix combined_chain1.pem

    To clear the chain file of the DOS-formatted (^M) blue carriage return characters that I observed in the first cross-signed root cert when combining the chain.

    If you don't have unix2dos installed, since it no longer comes prebuilt in distros, use


    Code
    yum install unix2dos


    Good luck.

    Edited 2 times, last by zakaria93 ().
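
A preflight for the `openssl verify -CAfile` command used in the posts above, as an added example that is not part of the original thread: it separates the three causes of a load failure discussed here (file not in the current directory, permission denied, DOS line endings) before running the verification. The function names are hypothetical, `tr` stands in for `dos2unix`, and the demo file is constructed.

```shell
#!/bin/sh
# Added example. File names follow the thread (chain1.pem, cert1.pem).

# pem_preflight FILE: print one status word; return 0 only for "ok".
pem_preflight() {
    _p=$1
    if [ ! -e "$_p" ]; then echo missing; return 1; fi      # wrong directory
    if [ ! -r "$_p" ]; then echo unreadable; return 1; fi   # permission denied
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$_p"; then
        echo not-pem; return 1
    fi
    # Any carriage return means DOS line endings (the ^M seen in an editor).
    if [ -n "$(tr -d -c '\r' < "$_p")" ]; then echo crlf; return 1; fi
    echo ok
}

# pem_strip_cr IN OUT: write a copy of IN without carriage returns.
# Uses tr rather than dos2unix, so nothing has to be installed.
pem_strip_cr() {
    tr -d '\r' < "$1" > "$2"
}

# verify_cert CHAIN CERT: preflight both files, then run the thread's command.
# Returns 2 if a file fails preflight, otherwise openssl's exit status.
verify_cert() {
    for _f in "$1" "$2"; do
        _s=$(pem_preflight "$_f") || { echo "$_f: $_s" >&2; return 2; }
    done
    openssl verify -CAfile "$1" "$2"
}

# Demo on a constructed CRLF file (placeholder body, not a real certificate).
demo=$(mktemp -d)
printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
    '-----END CERTIFICATE-----' > "$demo/chain1.pem"
pem_preflight "$demo/chain1.pem" || true      # prints: crlf
pem_strip_cr "$demo/chain1.pem" "$demo/chain1.unix.pem"
pem_preflight "$demo/chain1.unix.pem"         # prints: ok
rm -rf "$demo"
```

Run `verify_cert chain1.pem cert1.pem` from inside the directory that holds the files, with an account that can read them.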

  • If I want to open that folder or path: /etc/letsencrypt/archive with Filezilla or Putty, it shows me permission denied.
    What could be the problem here?

    What is the purpose of the /usr/share/ca-certificates/mozilla folder and the certificates in there?

  • If I want to open that folder or path: /etc/letsencrypt/archive with Filezilla or Putty, it shows me permission denied.
    What could be the problem here?

    What is the purpose of the /usr/share/ca-certificates/mozilla folder and the certificates in there?

    Sorry, I'm not sure about Mozilla. The guys here might be able to help. Regarding the permission denied error, try to use sudo or log in to your server using root, or ask your hosting provider to provide the needed privileges.

  • If I want to open that folder or path: /etc/letsencrypt/archive with Filezilla or Putty, it shows me permission denied.
    What could be the problem here?

    What is the purpose of the /usr/share/ca-certificates/mozilla folder and the certificates in there?

    Hi BerndBonker,


    Please open a new thread for your specific problem. And you will get support there as well. Looks like the Linux basics are missing.


    We should not fill this important thread with things like that.


    BR

  • I managed to get the permission problem fixed now. Is your solution only meant to fix domain by domain with the mentioned steps, or will it fix all used certs at once so that I can afterwards manage it again in iMSCP directly through the Domains section? Because you mentioned I have to go to my desired domain folder.

  • It seems the plugin cron job validity checks between the renewals do not work properly with the new snap certbot.

    I can see many certificates which have been re-requested marked as invalid.

    All these certificates were generated with the snap certbot and they were still valid for about 2 months, but they are marked as invalid by the plugin cron job and the Apache SSL confs are deleted.


    Is there any solution for the cron job validation check?

    Edited 2 times, last by fulltilt ().

  • I've not checked yet what really happens; for the moment I've just revoked the certs and re-created them. As soon as I find some time to look into that, I'll write an update.

  • I do a status check of the ssl_certs & letsencrypt tables with PMA every day ... this morning I had to manually renew 53 certificates.

    A few of them had already been renewed manually (revoke > request) during the past 14 days, but the strange thing was that a certificate was included which was renewed yesterday.

    All these certificates were valid until the end of February, but the validity check (cron job) marked them as invalid and deleted the Apache SSL configs.


    All the chain files are valid for the new LE root certificate (they do not contain any old chains).

    Edited 2 times, last by fulltilt ().

  • OK guys, it seems I found the way to renew certificates per cron job in the normal way.

    Thank you to vege.net for your hint here (LetsEncrypt - SSL certificate is not valid), but unfortunately it's not complete.


    The following little modifications work for LE certificates and for paid certificates.

    Edit file /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm and instead of modifying line 134 as stated in the previous post, just add the little code below.

    Please let me know if it works for you also,

    bye Kess.