
Letsencrypt SSL I keep getting ERR_CERT_AUTHORITY_INVALID with Let's Encrypt

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Benjamin74, Oct 10, 2017.

  1. Benjamin74

    Benjamin74 Member

    Hello guys,

    There is something really weird when installing Let's Encrypt SSL certificates: sometimes it works... sometimes it doesn't... and I have no clue why.

    e.g.:

    - on a VPS that is already hosting a site over SSL, whose Let's Encrypt certificate works fine: adding a new site with Let's Encrypt, I end up with ERR_CERT_AUTHORITY_INVALID... no clue why

    - on a newly installed VPS, I get that ERR_CERT_AUTHORITY_INVALID too

    There is either something wrong with the way I set this up... or with the script (I doubt it's the script), no clue.

    I'm always using option 4 (Live HTTPS)...

    All VPSes are running CentOS 6 and Centmin Beta...

    All domains are using CloudFlare as DNS only (domains are "paused" inside CloudFlare).

    Any clue or tips? What is the MAIN cause of this ERR_CERT_AUTHORITY_INVALID error?

    Thanks,

    Cheers,
     
  2. eva2000

    eva2000 Administrator Staff Member

    How was the initial letsencrypt ssl certificate obtained? Which method?
    • Was the domain nginx vhost already created prior, or was the domain nginx vhost set up for the first time?
    • Via centmin.sh menu option 2, 22, /usr/bin/nv?
    • If you ran centmin.sh menu option 2 or 22, which letsencrypt option did you select from
      Code (Text):
      -------------------------------------------------------------
      Setup full Nginx vhost + Wordpress + WP Plugins
      -------------------------------------------------------------
      
      Enter vhost domain name you want to add (without www. prefix): acme3.domain1.com
      
      Create a self-signed SSL certificate Nginx vhost? [y/n]: n
      Get Letsencrypt SSL certificate Nginx vhost? [y/n]: y
      
      You have 4 options:
      1. issue staging test cert with HTTP + HTTPS
      2. issue staging test cert with HTTPS default
      3. issue live cert with HTTP + HTTPS
      4. issue live cert with HTTPS default
      Enter option number 1-4: 1
      
    • Via addons/acmetool.sh ? which specific command ? examples
      Code (Text):
      ./acmetool.sh issue acme.domain.com
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com live
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com d
      
      Code (Text):
      ./acmetool.sh issue acme.domain.com lived
      
    • What was the order of steps you did? Did you run centmin.sh menu option 2 first with letsencrypt? Then did you run addons/acmetool.sh afterwards?

    Centmin Mod Self-Signed SSL Fallback

    If you're seeing Centmin Mod's self-signed ssl certificate instead of a letsencrypt ssl certificate, that's the acmetool.sh and centminmod fallback: if letsencrypt verification fails to obtain a letsencrypt ssl cert, it falls back to the Centmin Mod self-signed ssl certificate on the https port 443 side so as to preserve the https nginx vhost.

    Troubleshooting

    There are various steps you can do to troubleshoot failed letsencrypt issuances, renews, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
      
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In persistent config file at /etc/centminmod/custom_config.inc (create it if doesn't exist) add and enable acmetool.sh debug mode which gives much more verbose letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    If acme.sh auto renewals didn't happen, check the output of the following commands:
    Code (Text):
    grep acme /var/log/cron* | sed -e "s|$(hostname -s)|host|g"
    

    Code (Text):
    echo y | /usr/local/src/centminmod/addons/acmetool.sh checkdates
    

    Code (Text):
    "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh"
    


    Without the answers to above questions and logs, there is nothing to help troubleshoot.
     
  3. Benjamin74

    Benjamin74 Member

    So it was all 100% new vHost(s) created through menu 22 with option 4 (issue live cert with HTTPS default).

    I'll try to see with your commands where the problem comes from and will report back if I can find the source of the problem!
     
  4. Benjamin74

    Benjamin74 Member

    [SOLVED]

    Don't ask me why, but even if you ONLY plan to use domain.com... you should ALSO add a DNS A record for www.domain.com or the Let's Encrypt certificate will fail!
     
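    The two checks this thread points at, as an added example that is not code from the thread or from Centmin Mod's acmetool.sh: eva2000's post explains that a failed verification silently leaves the self-signed fallback certificate on port 443, and Benjamin74's fix is that both the bare domain and its www name need A records because the issuance covers both. The POSIX shell below does a DNS pre-flight for both names before any issuance is attempted, and tells the fallback certificate apart from a real Let's Encrypt one by comparing issuer and subject of whatever nginx serves. The function names, the pluggable resolver interface and the 203.0.113.x addresses are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Centmin Mod's own code. Assumed helper names throughout.

# Print the IPv4 A records for a hostname, one per line (empty when none).
# getent ships with glibc, so this works even when dig/host are not installed.
resolve_a() {
  getent ahostsv4 "$1" 2>/dev/null | awk '{ print $1 }' | sort -u
}

# missing_names DOMAIN [RESOLVER]
# Print each of DOMAIN and www.DOMAIN that RESOLVER returns no record for.
# RESOLVER is a function name so a test can substitute a canned resolver.
missing_names() {
  domain=$1
  resolver=${2:-resolve_a}
  for name in "$domain" "www.$domain"; do
    if [ -z "$("$resolver" "$name")" ]; then
      echo "$name"
    fi
  done
}

# preflight DOMAIN [RESOLVER]
# Return 0 when both names resolve, 1 (with a message) when either is missing.
# Run this before `acmetool.sh issue` so the failure mode from the thread
# (verification fails, self-signed fallback is installed) cannot happen.
preflight() {
  missing=$(missing_names "$1" "${2:-resolve_a}")
  if [ -n "$missing" ]; then
    printf 'Add DNS A records before issuing; unresolved: %s\n' "$missing"
    return 1
  fi
  return 0
}

# self_signed_from_text TEXT
# TEXT is the output of `openssl x509 -noout -issuer -subject`. A certificate
# whose issuer equals its subject is self-signed, which is what the Centmin Mod
# fallback certificate looks like; a Let's Encrypt cert has a CA as issuer.
self_signed_from_text() {
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
  subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p')
  [ -n "$issuer" ] && [ "$issuer" = "$subject" ]
}

# served_cert_is_self_signed DOMAIN
# Fetch the certificate nginx presents on 443 for DOMAIN (SNI) and apply the
# issuer/subject check. Return 0 if the fallback cert is being served.
served_cert_is_self_signed() {
  text=$(echo | openssl s_client -servername "$1" -connect "$1:443" 2>/dev/null \
         | openssl x509 -noout -issuer -subject 2>/dev/null)
  self_signed_from_text "$text"
}

# Usage: sh le-preflight.sh example.com
if [ -n "${1:-}" ]; then
  if preflight "$1"; then
    echo "DNS ok for $1 and www.$1"
    if served_cert_is_self_signed "$1"; then
      echo "port 443 is still serving the self-signed fallback certificate"
    fi
  fi
fi
```

    The DNS check is deliberately done with a plain resolver lookup rather than by talking to ACME: if a name does not resolve from the VPS itself, Let's Encrypt's validators will not reach it either, so there is no point spending a rate-limited issuance on it. The issuer/subject comparison is the quickest way to confirm whether an ERR_CERT_AUTHORITY_INVALID in the browser is the fallback certificate described above rather than a chain problem.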
  5. eva2000

    eva2000 Administrator Staff Member

    Yep you need DNS A record for non-www and www version of domain :)