Let’s Encrypt DST Root CA X3, Debian 8 and Virtualmin

SYSTEM INFORMATION
OS type and version: Debian 8
Webmin version: 1.973
Virtualmin version: 6.15
Related products version: Letsencrypt

Normally the servers are not impacted, but I have a few requests between sites hosted on the same server and with Let's Encrypt certificates that are causing problems since yesterday.

mod_fcgid: stderr: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed in /home/client/domains/payment/public_html/app/bank_calls/call_response.php on line 548

I have the impression that it is related. Have you seen a fix for Debian 8?

First caveat: You need to upgrade your OS. Debian 8 reached EOL 3 years ago. That’s dangerous.

I dealt with this on a bunch of Ubuntu 16 systems (on a private VPN network, these are not world-facing systems!) yesterday, and the problem is tricky and confusing, but the solution is dead simple.

Two things need to happen:

  1. The new signing cert needs to be added to (I think) /etc/ssl/certs (if it isn’t there already…and since your server was last updated in 2018(!) it probably isn’t).
  2. The old cross-signing cert (DST-blah-blah-blah) has to be deleted from /etc/ssl/certs.

And, you have to make sure your applications are using the system CA bundle (this, I believe, is automatic with anything using curl, which PHP probably is…maybe other PHP web client libraries also do, I don’t know). NodeJS was my problem child, and I needed to add --use-openssl-ca to my startup options to make it use the system CA bundle in /etc/ssl/certs.

Note these instructions will be somewhat different on other distros. I know Ubuntu 16.04 uses /etc/ssl/certs, but Debian may be different, and CentOS is definitely different (it’s in /etc/pki, I think, on CentOS).
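An added check for the two steps above (this is my own example, not code from the thread or from Virtualmin): it audits a PEM CA bundle such as /etc/ssl/certs/ca-certificates.crt for expired roots and for the retired DST Root CA X3, using the openssl CLI. The function names and the optional look-ahead window are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: audit a PEM CA bundle (e.g.
# /etc/ssl/certs/ca-certificates.crt) for expired roots and for the retired
# "DST Root CA X3" cross-signer. Needs the openssl CLI.

# list_bundle_certs BUNDLE [WINDOW]: print "subject|notAfter|status" per cert.
# WINDOW is the look-ahead in seconds for openssl -checkend; the default 0
# flags only certificates that have already expired.
list_bundle_certs() {
    bundle=$1
    window=${2:-0}
    tmpdir=$(mktemp -d)
    # Split the bundle into one PEM file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        end=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        if openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null; then
            status=ok
        else
            status=EXPIRED
        fi
        printf '%s|%s|%s\n' "$subj" "$end" "$status"
    done
    rm -rf "$tmpdir"
}

# audit_bundle BUNDLE [WINDOW]: print the listing; return 1 if any certificate
# is expired (or expires within WINDOW) or DST Root CA X3 is still present.
audit_bundle() {
    out=$(list_bundle_certs "$1" "${2:-0}")
    printf '%s\n' "$out"
    rc=0
    if printf '%s\n' "$out" | grep -q '|EXPIRED$'; then
        echo "ERROR: expired certificate(s) in $1" >&2; rc=1
    fi
    if printf '%s\n' "$out" | grep -q 'DST Root CA X3'; then
        echo "ERROR: DST Root CA X3 still present in $1" >&2; rc=1
    fi
    return $rc
}

# Usage: audit_bundle /etc/ssl/certs/ca-certificates.crt
```

On Debian the bundle is regenerated from /etc/ca-certificates.conf by update-ca-certificates, so to keep DST Root CA X3 out for good, prefix its line there with `!` and re-run that tool rather than deleting the file by hand.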

Let's Encrypt won't be acceptable soon anyway. No one trusts it. The only good it does is to make a CSR to get a real certificate.

What I don't understand is why you don't add support for PowerDNS, or NSD from NSDabs which runs the .nl registry, or Knot which runs the .cz registry. Bind is terrible to work with, unreliable.

If we install this, does it support clusters? Or do we need one installation of Virtualmin per server? Even channel, which I hate, but their WHMS is the real engine and that supports PowerDNS as primary and I think either NSD or Knot as secondary because it's excellent in a cluster and includes load balancing, IP locations and so on, and runs with a DB as slave. SQLite3 is recommended.

So can someone install Virtualmin first and then install PowerDNS, NSD or Knot, or do we have to do it first?

Please start new topics for new questions, don’t hijack other people’s conversations.

