
I've recently started getting issues with my Let's Encrypt certificates.

In the web browser I don't get any issues for the certificate, but when I run a Java web app through NGINX using the certificate and I try to connect using the axios npm package from a Node.js web app, I keep getting certificate validation errors.

I've tried verifying using the following commands and I get the following outputs:

openssl verify -CAfile C:\Certbot\live\example.org\fullchain.pem  C:\Certbot\live\example.org\cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 2 at 2 depth lookup: unable to get issuer certificate
openssl verify -untrusted C:\Certbot\live\example.org\chain.pem  C:\Certbot\live\example.org\cert.pem
C = US, O = Internet Security Research Group, CN = ISRG Root X1
error 20 at 2 depth lookup: unable to get local issuer certificate

I've even downloaded the ISRG Root X1 intermediate certificate and added it to the Certificate Store on my Windows Server 2016...

Munchkin
  • Unless you/whoever overrode it when obtaining the cert, LetsEncrypt [for now defaults to a 'compatibility' chain that still bridges to DST Root X3](https://letsencrypt.org/2020/12/21/extending-android-compatibility.html) (see the green arrows). That's why your commandline `openssl verify` fails. However, openssl except for broken 1.0.x, and thus non-ancient nodejs, will succeed if you give it a truststore containing the _root_ cert for ISRG X1, not the cross cert. For direct nodejs this is usually the default but depending on your coding there may be many different ways; ... – dave_thompson_085 Sep 17 '22 at 03:20
  • ... for axios I don't know and don't see anything relevant in the doc on npmjs. I also don't know what you mean by "ISRG Root X1 intermediate" -- the ISRG intermediate is R3 or E1 (for now), and if you mean the _cross_ cert you already had that in your fullchain.pem file and don't need to download anything. But in any case nodejs does not use the Windows cert store at all. – dave_thompson_085 Sep 17 '22 at 03:23

1 Answer


I think that you are missing the intermediate certificate in the Nginx configuration. You need to append it after the host certificate.

Mircea Vutcovici
  • I tried what you suggested like this: https://stackoverflow.com/a/70965546 but I still get the same error :/ – Munchkin Sep 19 '22 at 07:09
  • Huh, weird, after a restart it fixed it. Weird, because it's not how it should be defined in my opinion, since fullchain.pem was already defined elsewhere, but as long as it works I guess. – Munchkin Sep 19 '22 at 07:21
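The certbot file layout and the `openssl verify` outcomes discussed above, as an added example that is not part of this thread: a POSIX shell script that builds a throwaway root/intermediate/leaf chain with openssl (1.1.1 or newer assumed on PATH) and shows that verification only succeeds once the self-signed root is the trust anchor and the intermediate is passed as untrusted input. Every name, subject and file here is made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway root -> intermediate -> leaf
# chain and reproduce the verify outcomes discussed above. Assumes openssl 1.1.1+ on
# PATH; every name, subject and file here is made up for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"

make_chain() {
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Self-signed root: the only thing that belongs in a trust store (the ISRG Root X1 role).
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout root.key -out root.pem -subj "/CN=Demo Root" -days 30 2>/dev/null
  # Intermediate issued by the root (the R3 role).
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
    -subj "/CN=Demo Intermediate" 2>/dev/null
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.cnf -extensions ca_ext -out int.pem -days 30 2>/dev/null
  # Host certificate issued by the intermediate (the cert.pem role).
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=www.example.org" 2>/dev/null
  openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -out leaf.pem -days 30 2>/dev/null
  # certbot's fullchain.pem layout: host cert first, then the intermediate, no root.
  cat leaf.pem int.pem > fullchain.pem
}

# Each check prints openssl's verdict and returns its exit status (0 only on "OK").
# 1) fullchain.pem used as the trust store: the chain never reaches a self-signed root (error 2).
verify_trusting_fullchain() {
  openssl verify -no-CAfile -no-CApath -CAfile fullchain.pem leaf.pem 2>&1
}
# 2) intermediate supplied but no trusted root at all (error 20).
verify_without_root() {
  openssl verify -no-CAfile -no-CApath -untrusted int.pem leaf.pem 2>&1
}
# 3) the fix: the self-signed root is trusted, the intermediate is merely untrusted input.
verify_with_root() {
  openssl verify -no-CAfile -no-CApath -CAfile root.pem -untrusted int.pem leaf.pem 2>&1
}
make_chain
verify_trusting_fullchain || true
verify_without_root || true
verify_with_root
```

On the real files the same three shapes apply: `-CAfile fullchain.pem` and `-untrusted chain.pem` with no trusted root both fail, while a trust store holding the self-signed ISRG Root X1 plus `-untrusted chain.pem` verifies cert.pem.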