LetsEncrypt - SSL certificate is not valid

  • another necessary fix for Proftpd TLS


    Code
    cd /etc/imscp
    wget https://letsencrypt.org/certs/isrgrootx1.pem
    nano /etc/proftpd/proftpd.conf
    nano /etc/imscp/proftpd/working/proftpd.conf
    # below:
    TLSRSACertificateKeyFile /etc/imscp/imscp_services.pem
    # add:
    TLSCACertificateFile /etc/imscp/isrgrootx1.pem
    sudo service proftpd restart
  • The problem is not related to letsencrypt plugin.
    It is - verify certs with openssl, which returns the error: "certificate has expired" or "unable to get issuer certificate" (if the expired DST certificate is disabled).

    Trick: "$rs = 0;" after "... execute" (/var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm:138)

    The solution is stupid, but working... :(

  • Good morning


    So many solutions here ;)


    The problem is not about certbot, nor about i-MSCP or its LetsEncrypt plugin, but about OpenSSL v1.0.x, which cannot validate the SSL certificates.


    To solve the problem, you need in order:

    1. Make sure that the CA ISRG Root X1 is installed on your system (in /etc/ssl/certs) : PEM AVAILABLE HERE
    2. Remove the old X3 (mozilla) CA which has expired


    kess Good job. I don't think that all steps are required. You don't need to import the full CA. Regarding certbot, I'll update it.


    kivamp You're totally right. To solve the problem, install the ISRG root X1 and remove the expired one manually from /etc/ssl/certs

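A small triage helper for the `openssl verify` output quoted in this thread, as an added example that is not part of any post here or of i-MSCP: it parses each error line into its code, chain depth and the subject of the certificate the error was raised on. The sample text, function names and hint wording are constructed for illustration, and the OpenSSL 1.1.x output layout is assumed.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample: the failure output quoted in this thread (OpenSSL 1.1.x layout).
SAMPLE = """\
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
error cert.pem: verification failed
"""

# The two verify errors mentioned in the thread, with a triage hint for each.
HINTS = {
    2: "issuer of this certificate was not found; check which CA files the trust store holds",
    10: "this certificate is past its notAfter date; look for an expired CA in the chain or store",
}
ERROR_RE = re.compile(r"^error (\d+) at (\d+) depth lookup:\s*(.+)$")


class Finding(NamedTuple):
    subject: Optional[str]  # subject of the certificate the error was raised on
    code: int               # X509_V_ERR_* number
    depth: int              # 0 = leaf, counting up towards the root
    message: str
    hint: str


def parse_verify_output(text: str) -> list:
    """Turn `openssl verify` output into one Finding per reported error."""
    findings, prev = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = ERROR_RE.match(line)
        if m:
            code, depth = int(m.group(1)), int(m.group(2))
            # The line printed just before the error is the failing cert's subject.
            subject = prev if prev and not prev.startswith("error ") else None
            findings.append(Finding(subject, code, depth, m.group(3),
                                    HINTS.get(code, "see the openssl verify documentation")))
        if line:
            prev = line
    return findings


def common_name(subject: Optional[str]) -> Optional[str]:
    """Extract the CN from a subject printed as 'C = US, O = ..., CN = name'."""
    m = re.search(r"CN\s*=\s*([^,/]+)", subject or "")
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    for f in parse_verify_output(SAMPLE):
        print(f"depth {f.depth} ({common_name(f.subject)}): error {f.code} {f.message} -> {f.hint}")
```

Feeding it the output of `openssl verify` for each certificate under /etc/letsencrypt/live shows at a glance whether the failures are expiry errors or missing-issuer errors, and at which level of the chain.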

  • To solve the problem, you need in order:

    1. Make sure that the CA ISRG Root X1 is installed on your system (in /etc/ssl/certs) : PEM AVAILABLE HERE
    2. Remove the old X3 (mozilla) CA which has expired

    Alas :(

    Code
    # openssl verify cert.pem
    C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert.pem: verification failed
  • Alas :(

    Code
    # openssl verify cert.pem
    C = US, O = Internet Security Research Group, CN = ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert.pem: verification failed

    ls -la /etc/ssl/certs ?


    did you also run update-ca-certificates -f ?



  • OK, I checked one more time with:


    Stretch (OpenSSL 1.1.0l)

    Ubuntu 18 (OpenSSL 1.1.1)

    Buster (OpenSSL 1.1.1d)


    The letsencrypt certificates for the panel (Panel URL & imscp_services) are issued without any problems ...

    But all LE certificates for the customers are shown as invalid (verification process fails)

  • ls -la /etc/ssl/certs ?


    did you also run update-ca-certificates -f ?

    # ls /etc/ssl/certs/ISRG_Root_X1.pem

    /etc/ssl/certs/ISRG_Root_X1.pem

    update-ca-certificates -f  

    and

    dpkg-reconfigure ca-certificates

    did both, result is same :(

    # openssl verify /etc/letsencrypt/live/mydomain.com/cert.pem

    C = US, O = Internet Security Research Group, CN = ISRG Root X1

    error 2 at 2 depth lookup: unable to get issuer certificate

    error /etc/letsencrypt/live/mydomain.com/cert.pem: verification failed

  • For me the same.

    For all my domains (which had an SSL conf in the Apache directory), there is now no _ssl.conf file. The panel says "Wrong ssl certificate". This is so annoying :(