It prints a lot of files, some of which might be suspicious.
You can fix stuff by repeating what you did before (delete the bad cert, link the good one, restart apache) but we want to know what creates the bogus certificate.
[root@5erver certs]# ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source
/etc/ca-certificates/trust-source:
anchors blocklist free-vpn.it.p11-kit ISRG_Root_X1.p11-kit R3.p11-kit

/etc/ca-certificates/trust-source/anchors:
localhost.pem

/etc/ca-certificates/trust-source/blocklist:

/usr/share/ca-certificates/trust-source:
anchors blocklist mozilla.trust.p11-kit

/usr/share/ca-certificates/trust-source/anchors:

/usr/share/ca-certificates/trust-source/blocklist:

/usr/share/p11-kit/modules/:
p11-kit-trust.module
And do you think you want to take a closer look at one of those files?
You know, the one with the very suspiciously related filename?
You should also check where it and the other two files in that path are coming from and whether the other ones might possess similar potential for trouble?
Yes I will, but what is with free-vpn.it.p11-kit? That is a domain of mine, but no cert which should be there?!
And ISRG_Root_X1.p11-kit looks like the kit that made the ISRG_Root_X1.1.pem cert, but I have no idea....
R3.p11-kit doesn't say anything to me.
That looks like some sort of Let's Encrypt certificate chain (ISRG X1 Root, Let's Encrypt R3 Intermediate and then your cert for free-vpn.it). Either you put them there or maybe an ACME client created them. I have no idea why you would store them as trust sources, though.
Last edited by progandy (2021-10-09 11:41:41)
| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |
Thanks for your input. So I can delete it?
On my laptop I have installed certbot too, and there is neither ISRG X1 Root, free-vpn.it nor R3.kit. So I can delete all three and look what happens?
Last edited by Morta (2021-10-09 11:50:28)
p11-kit is plain text, you can just look at the file to see what it is.
R3 is perhaps "GlobalSign Root CA - R3" or "GTS Root R3" and maybe dated or not - we don't know, but you can check.
Given your situation I'm willing to bet that /etc/ca-certificates/trust-source/ISRG_Root_X1.p11-kit is the offending, dated cert - but *know* I do not.
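The checks suggested in the posts above (where do the files under trust-source come from, and is one of them dated), as an added shell example that is not part of the thread. It assumes openssl is installed and uses pacman -Qqo only when pacman is available; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: list every certificate in local trust-source files with
# its owning package and expiry status. Assumes openssl; pacman optional.
# Usage: sh audit-trust.sh /etc/ca-certificates/trust-source

# Write each PEM block of file $1 (.pem or plain-text .p11-kit) to
# $2/N.pem and print how many blocks were found.
split_certs() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/" n ".pem"; p = 1 }
        p { print > f }
        /-----END CERTIFICATE-----/ { p = 0; close(f) }
        END { print n + 0 }' "$1"
}

# Package that installed file $1; UNOWNED means something else created it.
owner_of() {
    if command -v pacman >/dev/null 2>&1; then
        pacman -Qqo "$1" 2>/dev/null || echo UNOWNED
    else
        echo unknown
    fi
}

# One tab-separated line per certificate: status, owner, file, subject, end.
audit_file() {
    tmp=$(mktemp -d) || return 1
    count=$(split_certs "$1" "$tmp")
    owner=$(owner_of "$1")
    i=1
    while [ "$i" -le "$count" ]; do
        c="$tmp/$i.pem"
        subj=$(openssl x509 -in "$c" -noout -subject 2>/dev/null) || subj='?'
        end=$(openssl x509 -in "$c" -noout -enddate 2>/dev/null) || end='?'
        if openssl x509 -in "$c" -noout -checkend 0 >/dev/null 2>&1; then
            status=ok
        else
            status=EXPIRED-OR-UNREADABLE
        fi
        printf '%s\t%s\t%s\t%s\t%s\n' "$status" "$owner" "$1" "$subj" "$end"
        i=$((i + 1))
    done
    rm -rf "$tmp"
}

for dir in "$@"; do
    find "$dir" -type f | while read -r f; do audit_file "$f"; done
done
```

Lines marked UNOWNED or EXPIRED-OR-UNREADABLE are the ones to open and read before deciding whether to remove them.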
- I deleted all certs with ISRG_Root_X1.pem
- Removed free-vpn.it.p11-kit ISRG_Root_X1.p11-kit
- Renamed ISRG_Root_X1.1.pem to ISRG_Root_X1.pem
- Linked ISRG_Root_X1.pem to /etc/ssl/certs
- Updated the certs with update-ca-trust
- Restarted httpd service
AAAAAAAAAAAAAAND it is running again! I will try a reboot later, but I can now fix it and that is nice!
Thanks to everybody who helped.
Shoutout to seth...
Last edited by Morta (2021-10-09 14:09:35)