
Invalid certificates? - Unable to locally verify the issuer's authority. #33

Closed
danwashusen opened this issue Dec 3, 2020 · 3 comments

Comments

@danwashusen

danwashusen commented Dec 3, 2020

Hi! We've been using the role since 4.3 with good success. This morning I upgraded to v4.6 and kicked off the renewal process, as I've done several times before... However this time it appears the certificate is invalid (Ubuntu 20.04):

$ wget https://foo.bar.com/
--2020-12-03 16:02:49--  https://foo.bar.com/
Resolving foo.bar.com (foo.bar.com)... xxx.yyy.zzz.210
Connecting to foo.bar.com (foo.bar.com)|xxx.yyy.zzz.210|:443... connected.
ERROR: cannot verify foo.bar.com's certificate, issued by 'CN=R3,O=Let's Encrypt,C=US':
  Unable to locally verify the issuer's authority.
To connect to foo.bar.com insecurely, use `--no-check-certificate'.

While trying to figure out what's wrong I noticed that the certificate chain appears to have changed:
[image: screenshot of the changed certificate chain, not reproduced here]

Oddly Chrome/Brave is happy to open the certificate...

At this point I'm not sure it's this role that's the cause of the issues but I thought I'd raise a ticket as it seems likely.

@danwashusen
Author

danwashusen commented Dec 4, 2020

A bit more info; it seems like the Chromium derivatives (Chrome, Brave, Edge, etc.) and our Windows GitLab runner are happy with the certificate. Firefox, Ubuntu-based GitLab runners, and wget on macOS all complain that the certificates are invalid.

My hunch at the moment is that the certificate chain created by the role is invalid.

danwashusen pushed a commit to sixtydigits/ansible-role-lets-encrypt-route-53 that referenced this issue Dec 7, 2020
… certificate now. At this point I'm unsure if this is a permanent change but several tests for different domain names over a few days seems to suggest it is. Fixes issues noted in mprahl#33.
@danwashusen
Author

The above commit 'fixes' the issue in my testing (where all new certificates were issued from the R3 chain). Although if LetsEncrypt changing their certificate chain is a thing, then maybe there is some way for the role to detect the change and handle it appropriately?
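
The failure mode reported above (a leaf signed by the new R3 intermediate, served with a chain assembled from a stored, now-stale intermediate) and the "detect the change" check asked for here can both be reproduced offline. The script below is an added example, not code from this issue or from the role; it assumes the role builds its fullchain by appending a stored intermediate to the leaf, and it stands up a throwaway PKI with constructed names ("Toy X3" for the old intermediate, "Toy R3" for the new one) in place of the real Let's Encrypt certificates. `openssl verify` reports "unable to get local issuer certificate" for the stale chain, which is the same condition wget prints as "Unable to locally verify the issuer's authority"; `issuer_matches` / `pick_intermediate` show the cheap pre-deployment check that would have caught the mismatch.

```shell
#!/bin/sh
# Added example (not the role's code): reproduce a stale-intermediate chain
# failure with a locally generated toy PKI, then select the right intermediate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extension profiles for CA certificates and for the server (leaf) certificate.
cat >"$WORK/ca.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
cat >"$WORK/leaf.ext" <<'EOF'
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectAltName=DNS:foo.bar.com
EOF

# issue NAME SUBJECT EXTFILE [ISSUER]: make a P-256 key and a certificate.
# With no ISSUER the certificate is self-signed (the toy root).
issue() {
  name=$1; subj=$2; ext=$3; issuer=${4:-}
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
  openssl req -new -key "$WORK/$name.key" -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
      -days 30 -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Constructed hierarchy: one root, two intermediates, a leaf signed by the newer one.
issue root "/O=Toy CA/CN=Toy Root" ca.ext
issue x3   "/O=Toy CA/CN=Toy X3"   ca.ext root   # the intermediate the role had stored
issue r3   "/O=Toy CA/CN=Toy R3"   ca.ext root   # the intermediate the CA switched to
issue leaf "/CN=foo.bar.com"       leaf.ext r3   # today's leaf, issued by the new intermediate

# verify_chain LEAF INTERMEDIATE: build a path to the toy root using INTERMEDIATE
# as the untrusted link. Prints "ok" or "fail".
verify_chain() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$2" "$1" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# issuer_matches LEAF CANDIDATE: does LEAF's issuer DN equal CANDIDATE's subject DN?
# RFC 2253 formatting makes the two strings comparable across openssl versions.
issuer_matches() {
  iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^[a-z]*= *//')
  sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//')
  [ "$iss" = "$sub" ]
}

# pick_intermediate LEAF CAND...: print the first candidate whose subject matches
# LEAF's issuer; exit 1 if none does (the signal that the CA changed its chain).
pick_intermediate() {
  leaf=$1; shift
  for cand in "$@"; do
    if issuer_matches "$leaf" "$cand"; then
      echo "$cand"
      return 0
    fi
  done
  return 1
}

echo "chain with stale intermediate:   $(verify_chain "$WORK/leaf.pem" "$WORK/x3.pem")"
echo "chain with current intermediate: $(verify_chain "$WORK/leaf.pem" "$WORK/r3.pem")"
echo "intermediate to ship: $(pick_intermediate "$WORK/leaf.pem" "$WORK/x3.pem" "$WORK/r3.pem")"
```

The DN comparison in `issuer_matches` is only a fast first filter: a name match does not prove the candidate signed the leaf, so a deployment step should still run `openssl verify` (as `verify_chain` does) on the assembled chain before installing it. Browsers that pass while wget and Firefox fail are consistent with the served chain being incomplete or wrong, since Chromium-based clients fetch a missing intermediate themselves via the leaf's AIA URL, whereas wget relies on what the server sends plus the local trust store.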

mprahl pushed a commit that referenced this issue Jan 4, 2021
… certificate now. At this point I'm unsure if this is a permanent change but several tests for different domain names over a few days seems to suggest it is. Fixes issues noted in #33.
@mprahl mprahl closed this as completed Jan 4, 2021
@mprahl
Owner

mprahl commented Jan 4, 2021

Thanks for the contribution @danwashusen. The fix is released in v4.7.0.
