SSL: Unable to verify the first certificate

SYSTEM INFORMATION
OS type and version Ubuntu Linux 24.04.3
Webmin version 2.402
Virtualmin version 7.30.8
Webserver version Nginx version 1.28.0

I requested SSL certificates via Virtual server > Manage Virtual Server > Setup SSL Certificate > SSL Providers.

The challenge goes fine and the certificate is installed but the server returns an error when using curl:

 curl -L -v -k https://example.com/
...
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.

When I try to see the certificate chain, I see the certificates but there are error messages.

openssl s_client -connect example.com:443 -showcerts
 ...
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 1863 bytes and written 398 bytes
Verification error: unable to verify the first certificate

In Webmin > Webmin Configuration > SSL Encryption I see that the Private key file and Certificate file are present along with an Additional certificate file: /etc/webmin/letsencrypt-ca.pem

I could not figure out where the Root Certificate can be set or what is missing to validate it.

When I check the NGINX conf file I see that SSL is correctly in the directives with:

	listen IPv4 ssl;
	listen [IPv6]:443 ssl;
	ssl_certificate /etc/ssl/virtualmin/XXXXX/ssl.combined;
	ssl_certificate_key /etc/ssl/virtualmin/XXXXX/ssl.key;

Any hints?

That error indicates it’s serving a self-signed certificate, and your client isn’t configured to trust that signer (the server itself). So, you don’t have a valid certificate for this domain.

I don’t know why that would be the case if you were able to request a certificate.

What does Webmin have to do with it? You’re making a request to port 443, which is your web server, and not Webmin.

Nothing, I messed up while looking for a solution.

This is not a self-signed certificate. I read the file fine with a browser that reads and accepts the Let’s Encrypt certificate. The problem is with some APIs on systems like my local system that do not know the local issuer.

So to make this response useful for future readers, it is more a responsibility of the API checking the certificate.

It is possible to fix the error on the local side by downloading a list of certificate issuers.

Although in my case they decided to drop the ssl check from their script.

Also a small note that can help:

I then updated nginx configuration so it uses ssl.combined instead of ssl.cert (a chain with the certificate and the CA). This fixes the error with the openssl command above but not the one with the curl command.