LetsEncrypt: "unable to get local issuer certificate"

richb-hanover · January 1, 2021, 9:35pm

Using Virtualmin 6.03 (Webmin 1.962) on Ubuntu 14.04.3 on a VPS that hosts a number of Wordpress sites.

I have managed to get LetsEncrypt certs for the sites simply by fooling around in the Virtualmin GUI. And now Firefox/Chrome/Safari/Edge are all happy, and report a good HTTPS connection.

But… Only one of the sites gives a good output when when I use curl --verbose https://*sitename* The other sites give unable to get local issuer certificate error messages.

Works: https://randomneuronsfiring.com
Fails: https://lochlymelodge.com

I’ve attached the output from the curl command for both hosts. I imagine I need to add a bit of configuration to the non-working sites. But what? Any suggestions for debugging this would be welcomed. Thanks!

richb@ubuntu:/tmp$ curl --verbose https://lochlymelodge.com > junk.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 167.88.125.15:443...
* TCP_NODELAY set
* Connected to lochlymelodge.com (167.88.125.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [93 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [1399 bytes data]
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
} [2 bytes data]
* SSL certificate problem: unable to get local issuer certificate
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

# ======== This one works ===========

richb@ubuntu:/tmp$ curl --verbose https://randomneuronsfiring.com > junk.html
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:--  0:00:09 --:--:--     0*   Trying 167.88.125.15:443...
* TCP_NODELAY set
* Connected to randomneuronsfiring.com (167.88.125.15) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
  0     0    0     0    0     0      0      0 --:--:--  0:00:10 --:--:--     0* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [93 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [2602 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=randomneuronsfiring.com
*  start date: Nov  9 00:49:25 2020 GMT
*  expire date: Feb  7 00:49:25 2021 GMT
*  subjectAltName: host "randomneuronsfiring.com" matched cert's "randomneuronsfiring.com"
*  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
*  SSL certificate verify ok.
} [5 bytes data]
> GET / HTTP/1.1
> Host: randomneuronsfiring.com
> User-Agent: curl/7.68.0
> Accept: */*
> 
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Fri, 01 Jan 2021 21:25:39 GMT
< Server: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1f
< Link: <https://RandomNeuronsFiring.com/wp-json/>; rel="https://api.w.org/"
< Link: <https://wp.me/aZg6o>; rel=shortlink
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/html; charset=UTF-8
< 
{ [5 bytes data]
100 64977    0 64977    0     0   5909      0 --:--:--  0:00:10 --:--:-- 13976
* Connection #0 to host randomneuronsfiring.com left intact
richb@ubuntu:/tmp$

Joe · January 1, 2021, 10:46pm

No. Upgrade your software.

richb-hanover · January 2, 2021, 1:36pm

That makes good sense. I’ve had trouble with this, though.

Webmin automatically updates, but I’ve never found a way to get Virtualmin to update itself. Could you give me a pointer to a procedure? Thank you.

PS I saw your Virtualmin in 2021 post. I really appreciate the clear statement of your roadmap and your (financial) position: I had no idea. I intend to purchase a Pro license when my bank next opens up. Thanks again.

Joe · January 2, 2021, 6:24pm

Check to be sure you haven’t disabled the Virtualmin Universal repo (look in /etc/apt/sources.list for Virtualmin repos), and make sure it is working. From the command line run apt-get update and check for errors and fix them if there are any. A search of the forum will turn up several conversations about fixing updates not working on Ubuntu. They changed the signature requirements a while back, though I don’t think that effects 14.04, which upgrading to using the new vm/6 repos will fix (and is covered in several forum topics).

You’re also running on an unsupported distro, but the virtualmin-universal repo will continue to work for some time to come (and there is a new universal repo in the /vm/6 subdir).

In short, you need a line like this in your sources somewhere:

deb http://software.virtualmin.com/vm/6/gpl/apt/ virtualmin-universal main

And, you need to import the vm6 key:

 wget -qO- http://software.virtualmin.com/lib/RPM-GPG-KEY-virtualmin-6 | sudo apt-key add -

Edit: Also, make a plan to upgrade your OS to at least 16.04 (but preferably 18.04 or 20.04) or migrate to a server running a newer version. 14.04 is not safe to run on servers.

richb-hanover · January 2, 2021, 9:05pm

Thanks for the detailed info. I see no indication that Virtualmin is installed or maintained by apt. For example, /etc/apt/sources.list did not contain an entry for …software.virtualmin.com until I just added it today. (But I see that webmin is listed when I use apt list --installed)

I have a hazy memory that I used some kind of shell script to install Virtualmin years and years ago (probably back when version 6.03 was current…)

Having added Virtualmin as an apt source, should I simply apt-get install virtualmin? Will that cause any problems with my current Virtualmin installation? Thanks again.

richb-hanover · January 2, 2021, 9:40pm

And yes, that’s also good advice. I’m working up my strength to make the change. Thanks again

Gomez_Adams · January 3, 2021, 2:35pm

Get your Virtualmin upgraded and current first. Then upgrade your Ubuntu. I went from 18.04 to 20.04 with no problems at all. It was as if I didn’t change a thing.

richb-hanover · January 3, 2021, 8:59pm

SOLUTION: This was the answer. It seems that upgrading my (ancient) 14.04 server to 18.04 caused the certificate errors to go away. (This included an upgrade from Apache 2.4.7 to 2.4.29, which is my guess for what did the trick.) Thanks, all!

system · January 7, 2021, 9:00pm

This topic was automatically closed 4 days after the last reply. New replies are no longer allowed.