Posts by zakaria93

    If I want to open that folder or path: /etc/letsencrypt/archive with FileZilla or PuTTY, it shows me permission denied.
    What could be the problem here?

    What is the purpose of the /usr/share/ca-certificates/mozilla folder and the certificates in there?

    Sorry, I'm not sure about Mozilla. The guys here might be able to help. Regarding the permission denied error, try to use sudo or log in to your server using root, or ask your hosting provider to provide the needed privileges.

    You need to find your SSL bundle, including a chain file for the CA, a private key and a certificate. Sometimes they are provided in one combined file, but on your server you will find the bundle in the /etc/letsencrypt/archive/[yourdomainame] directory if you used certbot. Otherwise, find out who your SSL provider is and where they store the SSL bundle files, and use them to verify the certificate with openssl.

    The error message is saying it couldn't find the chain1 file, which should be in the directory stated above if you used certbot.

    Code
    Error loading file chain1.pem


    Also, make sure to use

    Code
    dos2unix combined_chain1.pem

    To clear the chain file of the DOS-formatted (^M) blue carriage return characters that I observed in the first cross-signed root cert when I combined the chain.

    If you don't have unix2dos installed, since it no longer comes prebuilt in distros, use


    Code
    yum install unix2dos


    Good luck.

    I am a little overwhelmed by the amount of different solutions here. Are there special solutions for different operating systems?
    Could anybody sum up which solutions are the most effective and lasting ones and how to step by step get it done for someone who doesn't work on servers regularly?

    Thank you!


    Here is how I resolved it and I think it might help if your issue was with running


    Code
    openssl verify -CAfile chain1.pem cert1.pem


    It's returning


    Code
    C=US, O=Internet Security Research Group, CN=ISRG Root X1
    error 2 at 2 depth lookup: unable to get issuer certificate
    error cert1.pem: verification failed


    Then your CA file is missing some certificates, and you can download all needed certs using the following single combined command that will generate combined_chain1.pem

    Code
    wget -O isrgrootx1.pem https://letsencrypt.org/certs/isrgrootx1.pem && \
    wget -O isrg-root-x1-cross-signed.pem https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem && \
    wget -O lets-encrypt-r3.pem https://letsencrypt.org/certs/lets-encrypt-r3.pem && \
    wget -O lets-encrypt-r3-cross-signed.pem https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem && \
    cat isrgrootx1.pem isrg-root-x1-cross-signed.pem lets-encrypt-r3.pem lets-encrypt-r3-cross-signed.pem > combined_chain1.pem


    With combined_chain1.pem run

    Code
    openssl verify -CAfile combined_chain1.pem cert1.pem


    and it should return


    Code
    cert1.pem: OK


    With thanks.

    Zakaria.
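
Added example, not part of the original posts: a shell helper that builds the combined CA file from the posts above while handling the two formatting problems that break `openssl verify` on a concatenated bundle, DOS carriage returns (^M) and an input file with no final newline. The function names `combine_pem`, `has_cr` and `make_samples` are hypothetical, and the sample PEM files are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample files are constructed).

# combine_pem OUT IN...
# Concatenate PEM files into OUT, stripping DOS carriage returns (^M) and
# newline-terminating every input, then check the BEGIN/END markers.
# The body runs in a subshell ( ... ) so its variables stay local.
combine_pem() (
    out=$1; shift
    tmp=$(mktemp) || return 1
    for f in "$@"; do
        [ -r "$f" ] || { echo "cannot read: $f" >&2; rm -f "$tmp"; return 1; }
        # tr drops ^M; awk re-emits each line with a newline, so a file with
        # no final newline cannot glue its END marker onto the next BEGIN.
        tr -d '\r' < "$f" | awk '{ print }' >> "$tmp"
    done
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$tmp" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$tmp" || true)
    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed bundle: $begins BEGIN, $ends END markers" >&2
        rm -f "$tmp"; return 1
    fi
    mv "$tmp" "$out" && echo "$begins"   # prints the number of certificates
)

# has_cr FILE: succeeds if FILE still contains a carriage return (^M).
has_cr() { grep -q "$(printf '\r')" "$1"; }

# make_samples DIR: write two constructed placeholder files into DIR.
# a.pem has CRLF line endings; b.pem has no trailing newline.
make_samples() {
    printf '%s\r\n' '-----BEGIN CERTIFICATE-----' 'QUJD' \
        '-----END CERTIFICATE-----' > "$1/a.pem"
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'REVG' \
        '-----END CERTIFICATE-----' > "$1/b.pem"
}
```

With the downloaded files, `combine_pem combined_chain1.pem isrgrootx1.pem isrg-root-x1-cross-signed.pem lets-encrypt-r3.pem lets-encrypt-r3-cross-signed.pem` takes the place of the `cat` and `dos2unix` steps. Every certificate passed through `-CAfile` is treated as a trust anchor, so for a stricter check keep only the root there and pass the intermediates with `-untrusted`.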