So I'm getting the error from the title from Facebook, and also on the site running WordPress, which also complains about the cert. I'm using Let's Encrypt on the site, which is working just fine in the browser. I've tried adding the curl.cainfo path to the cert but nothing changes. I also added openssl.cafile.
Code:
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA$
    SSLHonorCipherOrder on
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    SSLCertificateFile /var/www/clients/client0/web4/ssl/domain.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client0/web4/ssl/domain-le.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
Nothing was changed in the http config for the site. I did try adding SSLCACertificateFile but that does nothing. Anyone have any ideas?
When you open your site in the browser, does it really show the LE certificate? I suspect this is not working properly. The error "unable to get local issuer certificate" means that openssl does not know your root CA cert. This can be due to the fact that the LE root certificate is not installed. If the root certificate is in the standard folder, this should work: "openssl s_client -CApath /etc/ssl/certs/ -connect address.com:443"
1) What is the output of "openssl s_client -connect www.domain.com:443 -showcerts"?
2) What is the result of "curl https://helloworld.letsencrypt.org"? If that does not work, it is a client problem.
Okay, I've been playing around and testing, and it looks like there's a mess with the certs.
1) returns
Code:
    openssl s_client -showcerts -connect semantica-portuguese.com:443
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = es.semantica-portuguese.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=es.semantica-portuguese.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Which is the main problem, it seems? It returns the cert for the es subdomain.
Code:
    openssl s_client -connect www.semantica-portuguese.com:443 -servername www.semantica-portuguese.com
    CONNECTED(00000003)
    depth=0 CN = semantica-portuguese.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = semantica-portuguese.com
    verify error:num=21:unable to verify the first certificate
    verify return:1
    ---
    Certificate chain
     0 s:/CN=semantica-portuguese.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Code:
    openssl s_client -connect es.semantica-portuguese.com:443 -servername es.semantica-portuguese.com
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = es.semantica-portuguese.com
    verify return:1
    ---
    Certificate chain
     0 s:/CN=es.semantica-portuguese.com
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
What the hell is going on?
2) curl https://helloworld.letsencrypt.org returns the HTML code.
Correct. If this is the only site for the server, you can use a wildcard cert ;-) Otherwise it could be good to start from scratch. It could be that you do not have a ServerName for the main domain without subdomain defined. Then Apache serves the first domain, which is the es. subdomain. Your www. subdomain uses the certificate file of the domain without subdomain. If that is the case, change www.domain to domain in the Apache config file and add a rewrite from www.domain -> domain.
It is the only domain on the server currently. Yeah, that's the thing I've noticed since the start: a few years ago, when the cert was made, it was made for the non-www version, but I never used the non-www site. The server is set up according to the perfect setup guide and nothing custom was added. Is there a way to recreate the www cert, but in a way that is connected to ISPConfig so that any changes in ISPConfig will not throw it off again? Is this something new? It worked fine up until a few days ago.
/etc/letsencrypt/renewal/semantica-portuguese.com.conf
Code:
    ...
    [[webroot_map]]
    semantica-portuguese.com = /usr/local/ispconfig/interface/acme
    www.semantica-portuguese.com = /usr/local/ispconfig/interface/acme
    semantica-portugues.com = /usr/local/ispconfig/interface/acme
    www.semantica-portugues.com = /usr/local/ispconfig/interface/acme
Now it works. I've just removed the es. subdomain cert, as it is not really needed, and then added SSLCertificateChainFile to the vhost, and it seems okay. Why was SSLCertificateChainFile missing in the vhost? I've checked on some other servers and it's there, while on this one it was not.