LetsEncrypt - SSL certificate is not valid

  • now it's broken ... (debian & ubuntu)

    new certificates can no longer be created and the check shows for a certificate that was generated an hour before:

    Code
    O = Digital Signature Trust Co., CN = DST Root CA X3
    error 10 at 3 depth lookup: certificate has expired
    error cert1.pem: verification failed


    any idea how to proceed?

  • we had the same problems, here is a hot fix which worked for us:


    what it does:

    - adding new letsencrypt CA cert to /etc/ssl/certs

    - removing "-CAfile fullchain1.pem" from openssl command (it's not necessary anymore because openssl knows it now)


    Regards, Joern


    ps: Debian 9 / i-MSCP 1.5.3 Build: 2018120800




    Edited 2 times, last by vege.net.

  • Thank You!

    should only the mozilla/letsencrypt-r3.crt be selected in the dialog?

    I mean should any other be de-selected?

  • no, just added the cert.. don't know if the others are necessary.. (?)


    you're welcome :-)

    OK, it seems it shows existing & available, only one cert (letsencrypt) was added

    Code
    Updating certificates in /etc/ssl/certs...
    1 added, 0 removed; done.
    Processing triggers for ca-certificates (20200601~deb9u2) ...
    Updating certificates in /etc/ssl/certs...


    in /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm

    Only 'openssl', 'verify' should remain active?

    Edited 2 times, last by fulltilt.

  • @Joern

    I noticed earlier today that the imscp (panel) certificates are not affected by the internal verification process ...

    you hit exactly the point to solve the problem w/ the customer stuff and the letsencrypt-r3.crt seems to work

  • openssl verify still shows an error but the certificate seems to be valid

    Code
    # openssl verify -CAfile fullchain1.pem cert1.pem
    C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert1.pem: verification failed

    I also tried to remove the CA X3 incl. reboot afterwards but that didn't change anything ...

    Code
    nano /etc/ca-certificates.conf
    changed
    mozilla/DST_Root_CA_X3.crt
    to
    !mozilla/DST_Root_CA_X3.crt
    sudo update-ca-certificates
    sudo reboot

  • this is what the patch does... it deletes the "-CAfile fullchain.pem"

    you don't need it anymore cause openssl got the CA now in /etc/ssl/certs
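
A constructed reproduction of the two openssl calls discussed in this thread, as an added example that is not part of the original posts and is not i-MSCP's code. The CA names, the temporary store directory (standing in for /etc/ssl/certs) and the helper functions are assumptions; the chain has no cross-signed or expired root, so it only shows why a chain file without a self-signed root fails as -CAfile and why the leaf verifies once the intermediate is in the trust directory.

```shell
#!/bin/sh
# Added example. Constructed PKI: root -> inter -> cert1 (all names are made up).
# Simplified: no cross-signed or expired root, only the trust-anchor question.
WORK=$(mktemp -d)
STORE="$WORK/store"   # stands in for /etc/ssl/certs (assumption)
mkdir "$STORE"

new_csr() {  # new_csr NAME: key + CSR for "CN=Example NAME"
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "/CN=Example $1" 2>/dev/null
}

trust() {    # trust NAME: install NAME.pem in the store under its subject hash
    cp "$WORK/$1.pem" "$STORE/$(openssl x509 -noout -hash -in "$WORK/$1.pem").0"
}

build_pki() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
    new_csr root && new_csr inter && new_csr cert1 || return 1
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial -days 30 \
        -extfile "$WORK/ca.ext" -out "$WORK/inter.pem" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/cert1.csr" -CA "$WORK/inter.pem" \
        -CAkey "$WORK/inter.key" -CAcreateserial -days 30 \
        -out "$WORK/cert1.pem" 2>/dev/null || return 1
    # Like the fullchain file in the thread: leaf + intermediate, no self-signed root
    cat "$WORK/cert1.pem" "$WORK/inter.pem" > "$WORK/fullchain1.pem"
    trust root
}

verify_cafile() {  # original call: the chain file is the only trust source given
    openssl verify -CAfile "$WORK/fullchain1.pem" "$WORK/cert1.pem" 2>&1
}

verify_store() {   # patched call: no -CAfile, anchors come from the store
    openssl verify -CApath "$STORE" "$WORK/cert1.pem" 2>&1
}

build_pki || exit 1
echo "1) -CAfile fullchain1.pem";            verify_cafile || true
echo "2) store holds only the root";         verify_store  || true
trust inter
echo "3) store also holds the intermediate"; verify_store
```

The script leaves its files in the temporary directory named by `$WORK`; remove that directory when done.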