#26 2021-10-09 06:30:37

seth
Member
Registered: 2012-09-03
Posts: 49,955

Re: [solved]Certbot ssl error

It prints a lot of files, some of which might be suspicious.
You can fix stuff by repeating what you did before (delete the bad cert, link the good one, restart apache) but we want to know what creates the bogus certificate.

Online

#27 2021-10-09 09:01:08

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: [solved]Certbot ssl error

seth wrote:

It prints a lot of files, some of which might be suspicious.
You can fix stuff by repeating what you did before (delete the bad cert, link the good one, restart apache) but we want to know what creates the bogus certificate.

[root@5erver certs]# ls -R /usr/share/p11-kit/modules/ /{etc,usr/share}/ca-certificates/trust-source
/etc/ca-certificates/trust-source:
anchors  blocklist  free-vpn.it.p11-kit  ISRG_Root_X1.p11-kit  R3.p11-kit

/etc/ca-certificates/trust-source/anchors:
localhost.pem

/etc/ca-certificates/trust-source/blocklist:

/usr/share/ca-certificates/trust-source:
anchors  blocklist  mozilla.trust.p11-kit

/usr/share/ca-certificates/trust-source/anchors:

/usr/share/ca-certificates/trust-source/blocklist:

/usr/share/p11-kit/modules/:
p11-kit-trust.module

Offline

#28 2021-10-09 10:39:41

seth
Member
Registered: 2012-09-03
Posts: 49,955

Re: [solved]Certbot ssl error

And do you think you want to take a closer look at one of those files?
You know, the one with the very suspiciously related filename?

You should also check where it and the other two files in that path are coming from and whether the other ones might possess similar potential for trouble?

Online

#29 2021-10-09 10:50:38

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: [solved]Certbot ssl error

seth wrote:

And do you think you want to take a closer look at one of those files?
You know, the one with the very suspiciously related filename?

You should also check where it and the other two files in that path are coming from and whether the other ones might possess similar potential for trouble?


Yes I will, but what is with free-vpn.it.p11-kit? That is a domain from me, but no cert which should be there?!
And ISRG_Root_X1.p11-kit looks like the kit who made the ISRG_Root_X1.1.pem cert but I have no idea....
R3.p11-kit doesn't say anything to me.

Offline

#30 2021-10-09 11:37:41

progandy
Member
Registered: 2012-05-17
Posts: 5,184

Re: [solved]Certbot ssl error

That looks like some sort of Let's Encrypt certificate chain (ISRG X1 Root, Let's Encrypt R3 Intermediate and then your cert for free-vpn.it). Either you put them there or maybe an ACME client created them. I have no idea why you would store them as trust sources, though.

Last edited by progandy (2021-10-09 11:41:41)


| alias CUTF='LANG=en_XX.UTF-8@POSIX ' |

Offline

#31 2021-10-09 11:47:50

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: [solved]Certbot ssl error

progandy wrote:

That looks like some sort of Let's Encrypt certificate chain (ISRG X1 Root, Let's Encrypt R3 Intermediate and then your cert for free-vpn.it). Either you put them there or maybe an ACME client created them. I have no idea why you would store them as trust sources, though.

Thanks for your input. So I can delete it?

On my laptop I have installed certbot too and there is neither ISRG X1 Root, free-vpn.it nor R3.kit. So I can delete all three and look what happens?

Last edited by Morta (2021-10-09 11:50:28)

Offline

#32 2021-10-09 13:46:15

seth
Member
Registered: 2012-09-03
Posts: 49,955

Re: [solved]Certbot ssl error

p11-kit is plain text, you can just look at the file to see what it is.
R3 is perhaps "GlobalSign Root CA - R3" or "GTS Root R3" and maybe dated or not - we don't know, but you can check.

Given your situation I'm willing to bet that /etc/ca-certificates/trust-source/ISRG_Root_X1.p11-kit is the offending, dated cert - but *know* I do not.

Online
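
A way to do the check seth suggests above (the .p11-kit files are plain text, so look inside and see whether a certificate is dated), as an added example that is not part of any post in this thread. It assumes openssl is installed; the function names are made up for this example and the default path is the one from the ls output in #27.

```sh
#!/bin/sh
# Added example: report the expiry state of every certificate stored under a
# local trust-source directory (path taken from the thread).

# Print each PEM certificate in file $1 as one line, newlines replaced by '|'.
# A .p11-kit file is plain text and may hold several certificate objects.
pem_blocks() {
    awk '/^-----BEGIN CERTIFICATE-----/ { inblk = 1; blk = "" }
         inblk { blk = blk $0 "|" }
         /^-----END CERTIFICATE-----/ { if (inblk) print blk; inblk = 0 }' "$1"
}

# Read one PEM certificate on stdin; print "<state> notAfter=... subject=...".
cert_status() {
    pem=$(cat)
    if ! printf '%s\n' "$pem" | openssl x509 -noout >/dev/null 2>&1; then
        echo "UNPARSABLE"
        return 0
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null; then
        state=ok
    else
        state=EXPIRED
    fi
    info=$(printf '%s\n' "$pem" | openssl x509 -noout -enddate -subject | tr '\n' ' ')
    echo "$state $info"
}

# Walk directory $1; print "<file><TAB><status>" for each certificate found.
audit_trust_dir() {
    find "$1" -type f \( -name '*.p11-kit' -o -name '*.pem' -o -name '*.crt' \) |
    while IFS= read -r f; do
        pem_blocks "$f" | while IFS= read -r blk; do
            status=$(printf '%s' "$blk" | tr '|' '\n' | cert_status)
            printf '%s\t%s\n' "$f" "$status"
        done
    done
}

# Default to the directory from the thread; do nothing if it does not exist.
dir=${1:-/etc/ca-certificates/trust-source}
if [ -d "$dir" ]; then audit_trust_dir "$dir"; fi
```

Files under /etc are local additions, so an EXPIRED line there names the candidate to look at before running update-ca-trust again.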

#33 2021-10-09 14:08:26

Morta
Member
Registered: 2019-07-07
Posts: 655

Re: [solved]Certbot ssl error

- I deleted all certs with ISRG_Root_X1.pem
- Removed free-vpn.it.p11-kit and ISRG_Root_X1.p11-kit
- Renamed ISRG_Root_X1.1.pem to ISRG_Root_X1.pem
- Linked ISRG_Root_X1.pem to /etc/ssl/certs
- Updated the certs with update-ca-trust
- Restarted httpd service

AAAAAAAAAAAAAAND is running again! I will try a reboot later but I can now fix it and that is nice!

Thanks to everybody who helped.

Shoutout to seth...

Last edited by Morta (2021-10-09 14:09:35)

Offline
