Letsencrypt nginx: [warn] "ssl_stapling" ignored, issuer certificate not found

Discussion in 'Domains, DNS, Email & SSL Certificates' started by Dnyan, Sep 16, 2017.

  1. Dnyan

    Dnyan New Member

    I used Generate Centmin Mod Nginx Vhost - CentminMod.com LEMP Nginx web stack for CentOS to set up an HTTPS connection with Let's Encrypt.

    Some users were getting a security error, mostly on Android and in the Chrome browser.

    Whenever I restarted nginx I got the error shown in the thread title.

    I used SSL Server Test: civil4m.com (Powered by Qualys SSL Labs) to analyse the SSL and found that
    the certificate was rated B and the full chain was not found.

    I went back to the configuration, did a lot of reading on different websites and found that

    what ssl_trusted_certificate requires is a CA certificate.

    I looked at this code and found that the paths to the CA and the cert were the same.

    /root/.acme.sh/acme.sh --installcert -d mydomain.com -d www.mydomain.com --certpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme.key


    I tried to rename the path with a new name by adding acmeca.cer

    but got errors many times.

    Then I added the path to the CA manually in the SSL config file
    From
    ssl_trusted_certificate /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer

    To
    ssl_trusted_certificate /root/.acme.sh/civil4m.com/ca.cer

    Then I restarted nginx.

    Then the error nginx: [warn] "ssl_stapling" ignored, issuer certificate not found was gone and nginx restarted without any error.

    I checked the SSL config again at
    SSL Server Test: civil4m.com (Powered by Qualys SSL Labs) and found the rating was A+.

    Please tell me if I did anything wrong which may cause problems in future.

    If it is a typing mistake made in the tutorial, I request you to correct it. I am not a coder, so whenever I get a problem I will refer to it, and many others would refer to it too.

    By doing this the error got solved, but in the handshake area I still see

    Android 2.3.7 No SNI 2 Server sent fatal alert: handshake_failure
    IE 6 / XP No FS 1 No SNI 2 Server sent fatal alert: protocol_version
    IE 8 / XP No FS 1 No SNI 2 Server sent fatal alert: handshake_failure
    Java 6u45 No SNI 2 Server sent fatal alert: handshake_failure
    OpenSSL 0.9.8y Server sent fatal alert: handshake_failure


    Can anyone help me out: what is this, and is it going to show a security error on these types of browsers?

    Thanks.

    I am a total noob; whatever coding I know I learned from Centminmod, and I built my server from scratch through the tutorials available here.

    So if I have to do some command line work, please write it in detail, else I can't understand.

    Hope someone will help me here.
     
  2. eva2000

    eva2000 Administrator Staff Member

    For posting code or command outputs, you might want to use BBCODE CODE tags for better formatting and to prevent parsing of domain names from config files. How to use forum BBCODE code tags :)

    That is normal, as modern secure SSL ciphers do not support ancient OSes and browsers anymore, which is partly why you got the A+ rating.
    When you create a new nginx vhost domain via centmin.sh menu option 2 or menu option 22 or via the /usr/bin/nv cli command line, you will create the Nginx vhost files and directories. The output will show the path location where it will create the domain name's vhost conf file named newdomain.com.conf (and newdomain.com.ssl.conf if you selected yes to self signed SSL):
    • Nginx vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.conf
    • Nginx HTTP/2 SSL vhost conf path will be at /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf
    • Nginx Self-Signed SSL Certificate Directory at /usr/local/nginx/conf/ssl/newdomain.com
    • Vhost public web root will be at /home/nginx/domains/newdomain.com/public
    • Vhost log directory will be at /home/nginx/domains/newdomain.com/log
    Please post the contents of /usr/local/nginx/conf/conf.d/newdomain.com.conf and if applicable /usr/local/nginx/conf/conf.d/newdomain.com.ssl.conf wrapped in CODE tags (outlined at How to use forum BBCODE code tags)

    You shouldn't need to do that specifically.

    Troubleshooting

    There are various steps you can do to troubleshoot failed Letsencrypt issuances, renewals, reissues etc.
    • acmetool.sh logs all command line or shell menu runs to log files at /root/centminlogs. To troubleshoot, copy the contents of the log run and post the contents of the log to pastebin.com or gist.github.com and share the link in this thread. To find the log, list the logs in ascending date order:
      Code (Text):
      ls -lahrt /root/centminlogs
    • For direct acmetool.sh runs, there should be a 2nd & 3rd & 4th log in format /root/centminlogs/centminmod_${DT}_nginx_addvhost_nv.log and /root/centminlogs/acmetool.sh-debug-log-$DT.log and /root/centminlogs/acmesh-issue_*.log or /root/centminlogs/acmesh-reissue_*.log which would need to be included via separate pastebin.com or gist.github.com post.
    • Enable acmetool.sh debug mode. In the persistent config file at /etc/centminmod/custom_config.inc (create it if it doesn't exist) add the following to enable acmetool.sh debug mode, which gives much more verbose Letsencrypt issuance process information when you re-run acmetool.sh or centmin.sh menu options 2, 22 or /usr/bin/nv command lines.
      Code (Text):
      ACMEDEBUG='y'
    Without the answers to the above questions and the logs, there is nothing to help troubleshoot.
     
  3. Dnyan

    Is using a CA cert by defining the path to the root acme folder OK?

    I used option 2 to create an HTTP site and later added HTTPS by learning through the HTTP to HTTPS migration.

    I was always getting an error for the certificate file, even though it was present in that directory and contained the certificate.

    So finally I changed the path to the root acme folder

    and the problem got solved.

    I am asking, is it OK if I keep that path in the SSL config file?
     
  4. eva2000

    Technically it's OK, but it may break auto renewals, hence why troubleshooting as outlined above is best, as you shouldn't need to do that.
     
  5. Dnyan

    Sir, I think you did not understand what I wanted to say.

    In the auto vhost generator on your site,
    at the third step to copy the certificate to the SSL config directory.
    I attached a screenshot of it: Nginx code.png

    I pasted this code just to show that you have given the paths for the certificate and the CA certificate as a single file:

    /root/.acme.sh/acme.sh --installcert -d mydomain.com -d www.mydomain.com --certpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --keypath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.key --capath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer --reloadCmd /usr/bin/ngxreload --fullchainpath /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-fullchain-acme.key

    Read the highlighted text in the above command: the cert and CA paths are pointing to a single file.

    This was causing the problem,
    so I gave the trusted SSL path the root CA file.

    My intention in creating this thread is just to get your attention; boss, it looks like something is wrong: two types of files have a single path shown in your tutorial.

    If I am correct, then the next intention is to correct the tutorial code, as there are many like me who use this tutorial and do not understand what is going wrong.

    It is my request to you, please read my post carefully; I know my English is not very good, but it can be understood very easily.

    Thank you
     
  6. eva2000

    Best to use CODE tags for easier reading of your output ;)

    No, it isn't a typo, it's the correct install command, as nginx ssl_trusted_certificate for nginx purposes with Letsencrypt only requires the
    Code (Text):
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer
    

    Every Centmin Mod Nginx HTTP/2 HTTPS site using Letsencrypt integration so far has worked using the default setup; it's deliberately set to point to the same file, as that is all that is required. I just tested twice with a new site and both worked without problems pointing to the same file.

    The CA file just has the CA bundle without the SSL cert. But the non-CA file is the SSL cert + CA file, which is correct and needed for working OCSP stapling. You can double check by doing a side by side sdiff
    Code (Text):
    sdiff /root/.acme.sh/mydomain.com/ca.cer  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer 
    

    This should show only the CA bundle on the left side, and on the right side the SSL cert at the top and the CA bundle at the bottom.

    And to only show the diff
    Code (Text):
    sdiff -s /root/.acme.sh/mydomain.com/ca.cer  /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer 
    

    This should only show the SSL cert on the right.

    But that doesn't explain why your SSL Labs test is reporting OK, as OCSP stapling would usually be broken with just pointing to the ca.cer file. That is why I need to see your Nginx vhost domain.com.ssl.conf config file to double check it's set up correctly.
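The check discussed above (which file actually contains the issuer certificate that nginx needs for ssl_stapling) can be scripted instead of eyeballed with sdiff. This is an added example, not code from the thread or from Centmin Mod: the function names, the test file names (ca.cer, leaf.cer, leaf-only.cer, leaf-plus-ca.cer) and the throwaway CA are constructed here for the demo; on a real server you would pass the paths from your ssl_certificate and ssl_trusted_certificate directives.

```shell
#!/bin/sh
# Added example (not from the thread or Centmin Mod): does the file given to
# nginx as ssl_trusted_certificate contain the issuer of the leaf certificate?
# That lookup is what ssl_stapling needs; when it fails nginx logs
#   [warn] "ssl_stapling" ignored, issuer certificate not found
# Requires openssl. Test certificates below are generated locally (constructed).
set -eu

# stapling_issuer_check LEAF TRUSTED: 0 if a certificate in TRUSTED has a
# subject equal to LEAF's issuer (the "issuer certificate"), else 1.
stapling_issuer_check() {
  leaf=$1 trusted=$2
  issuer=$(openssl x509 -in "$leaf" -noout -issuer)
  n=$(grep -c 'BEGIN CERTIFICATE' "$trusted" || true)
  i=1
  while [ "$i" -le "$n" ]; do
    # Extract the i-th PEM block from the bundle and read its subject.
    subj=$(awk -v k="$i" '/BEGIN CERTIFICATE/{c++} c==k' "$trusted" |
      openssl x509 -noout -subject)
    if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then return 0; fi
    i=$((i + 1))
  done
  return 1
}

# make_test_material DIR: throwaway CA + leaf plus the three bundle layouts
# the thread discusses: leaf only, CA bundle only, leaf followed by CA bundle.
make_test_material() {
  d=$1; mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Test CA' \
    -keyout "$d/ca.key" -out "$d/ca.cer" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=mydomain.com' \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -days 2 -in "$d/leaf.csr" -CA "$d/ca.cer" -CAkey "$d/ca.key" \
    -CAcreateserial -out "$d/leaf.cer" 2>/dev/null
  cp "$d/leaf.cer" "$d/leaf-only.cer"
  cat "$d/leaf.cer" "$d/ca.cer" > "$d/leaf-plus-ca.cer"
}

# Demo (run as: sh stapling_check.sh demo); the check works on real paths too.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp -d); make_test_material "$tmp"
  for f in leaf-only.cer ca.cer leaf-plus-ca.cer; do
    if stapling_issuer_check "$tmp/leaf.cer" "$tmp/$f"; then
      echo "$f: issuer found, usable as ssl_trusted_certificate"
    else
      echo "$f: issuer not found, nginx would ignore ssl_stapling"
    fi
  done
fi
```

Only a bundle that contains the CA (ca.cer alone, or leaf plus CA) passes; a file holding just the leaf certificate is what produces the warning in the thread title.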
     
  7. Dnyan

    I did as per your tutorial earlier, but on every nginx restart command I was getting the error
    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found
    I checked this file
    /usr/local/nginx/conf/ssl/mydomain.com/mydomain.com-acme.cer by opening it with nano -w,

    it had the certificate inside it, but nginx was not picking it up and was throwing the error
    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found

    And then OK

    Even with the error my HTTPS was working correctly, but the issue of some people getting a "not secure" error made me dig into it.

    The change I made increased the SSL rating from B to A+, and the error thrown by nginx was also gone.

    So far no user has reported a security error.

    Thanks for your replies, I am happy to know that I did not make any mistake by pointing the trusted SSL path to the CA cert file.
    nginx is not throwing any error and
    my SSL rating increased from B to A+.