LetsEncrypt - SSL certificate is not valid


  • Worked for nearly anything except SMTP. Mail clients that try to send mail via SSL got the error "Encryptionmethod not supported".

  • Hello! I am still on Ubuntu 16.04 (yes, please grill me :-) )

    I tried all the offered solutions but I still get the error in Domain overview that the cert is invalid.


    I updated the CA-Certs and replaced the IRG1


    SSL certificate is not valid: CN = osteria-caruso.de error 20 at 0 depth lookup: unable to get local issuer certificate


    Any help is appreciated.


    Best wishes


    Niels

  • There is no final solution yet.

    Some customer PHP scripts also make use of "openssl verify". They also fail.

    And it's not the OpenSSL version. OpenSSL 3.0 also says:

    Code
    C=US, O=Internet Security Research Group, CN=ISRG Root X1
    error 2 at 1 depth lookup: unable to get issuer certificate
    error chain1.pem: verification failed

    The problem is that the certbot used by the plugin still generates a chain with the old X3 in it. Got no idea how to get rid of it yet.

  • The problem is that the certbot used by the plugin still generates a chain with the old X3 in it. Got no idea how to get rid of it yet.

    Yes, I can confirm that an old X3 chain is copied to /etc/letsencrypt/*/archive/ by the current LE plugin.


    It seems the LE validation function for the panel URL & imscp services is different from the customer LE certificate validation.

    After installing a new CA ISRG Root X1 in /etc/ssl/certs, the LE certificates for the panel (Panel URL & imscp services) are issued without any problems!

    But all LE certificates for the customers are shown as invalid (probably a different validation process or function).

  • Hi,

    Sorry for the lame questions, flame me later.


    To clarify, is this the solution?


    1. Download the CA ISRG Root X1.pem file from the link in the thread

    2. Copy it to /etc/ssl/certs/ISRG_Root_X1.pem

    3. Run update-ca-certificates -f

    4. Delete old cert in /etc/ssl/certs?


    What's the name of the cert that needs deleting? Do you need to restart any services after?

    Thanks,

  • robbo007


    Best solution for now (by vege.net but rewritten a bit by me):


    1. cd /usr/share/ca-certificates/mozilla/

    2. wget https://letsencrypt.org/certs/lets-encrypt-r3.pem

    3. mv lets-encrypt-r3.pem lets-encrypt-r3.crt

    4. dpkg-reconfigure ca-certificates
    In this step, check the new Let's Encrypt cert (lets-encrypt-r3.crt).


    5. Edit the file /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm and comment out line 134 with # so it looks like this:



    Code
    my $cmd = [
        'openssl', 'verify',
        # ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),
        '-purpose', 'sslserver', $self->{'certificate_container_path'}
    ];


    6. Go to Let's Encrypt tab on your domains and press button to renew certificate.

    Edited once, last by theqkash ().
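
Added example (not from any poster in this thread, and not i-MSCP code): a shell script that builds a constructed three-tier test PKI and reproduces the two `openssl verify` errors quoted in this thread, followed by two setups that verify cleanly. The helper names `make_chain` and `verify_code` and all certificate names are made up; it assumes the `openssl` CLI is installed.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: Test Root -> Test Intermediate -> Test Leaf (all names made up).
set -u

make_chain() {   # $1 = existing empty directory to fill with keys and certificates
  local d=$1
  printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test Root" \
    -config "$d/o.cnf" -extensions ca -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  # Intermediate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Intermediate" \
    -config "$d/o.cnf" -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 2 -extfile "$d/o.cnf" -extensions ca -out "$d/int.pem" 2>/dev/null
  # Leaf certificate, signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Test Leaf" \
    -config "$d/o.cnf" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -CAcreateserial \
    -days 2 -out "$d/leaf.pem" 2>/dev/null
  cat "$d/root.pem" "$d/int.pem" > "$d/root_plus_int.pem"
}

verify_code() {  # args are passed to "openssl verify"; prints 0 on success, else the error number
  local out
  if out=$(openssl verify "$@" 2>&1); then
    echo 0
  else
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n1
  fi
}

d=$(mktemp -d) && make_chain "$d"
echo "root trusted, intermediate missing    -> $(verify_code -CAfile "$d/root.pem" "$d/leaf.pem")"
echo "intermediate in CA file, root missing -> $(verify_code -CAfile "$d/int.pem" "$d/leaf.pem")"
echo "root trusted, intermediate -untrusted -> $(verify_code -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/leaf.pem")"
echo "root and intermediate in CA file      -> $(verify_code -CAfile "$d/root_plus_int.pem" "$d/leaf.pem")"
rm -rf "$d"
```

Error 20 at depth 0 means no issuer for the leaf could be found; error 2 at depth 1 means a certificate taken from the CA file has an issuer that is not in the trust store.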

  • Thanks so much for clarifying this. Worked perfectly.