Generated SSL Certificate is not trusted #13

j-flat opened this issue Oct 5, 2021 · 7 comments
Comments

@j-flat

j-flat commented Oct 5, 2021

Hi, I ran into this issue when I generated the SSL certificate for the first time on my EdgeRouter X. Everything seemed to go correctly when I ran the renew.acme.sh script for the first time (DNS authority is Cloudflare), but I needed to run it in insecure mode since all curl calls to HTTPS endpoints fail while the SSL certificate is invalid.

However, the resulting certificate is still not trusted by Google Chrome (Version 94.0.4606.61 (Official Build) (x86_64)) as shown in the screenshot:
[screenshot: cert_not_trusted]

Any ideas why this is and how to get it fixed?

@dmengelt

dmengelt commented Nov 4, 2021

Hi @j-flat

I faced the exact same issues as you and did the following things to resolve it:

1. Update the CA certificates on EdgeOS so that you don't have to use the insecure mode anymore

root@edge:~# sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
root@edge:~# curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
root@edge:~# update-ca-certificates --fresh

Full details: https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d?page=5

2. Save the intermediate certificate to /config/ssl/ca.pem and use it. Chrome (and other browsers) will no longer show it as "not trusted"

  • Extract the ISRG Root X1 from /config/ssl/server.pem and put it in a new file called /config/ssl/ca.pem
  • Remove the ISRG Root X1 from /config/ssl/server.pem
  • Use set service gui ca-file /config/ssl/ca.pem to configure EdgeOS with a ca file

@j-flat

j-flat commented Nov 5, 2021

Hi @dmengelt !

Thanks for helping out! I have a stupid question regarding step 2: how can I identify ISRG Root X10 in config/ssl/server.pem? I have never worked that much with certificates, so I'm a bit uncertain how to achieve that.

@dmengelt

dmengelt commented Nov 8, 2021

You can copy the value of the certificate to an online base64 decoder and it will show you the name.
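The same identification can be done locally, which also answers the earlier question about telling the certificates in /config/ssl/server.pem apart for step 2. The following script is an added example written for this thread, not code from the issue or from the renew.acme.sh project: it splits a PEM bundle into its certificate blocks, reads each certificate's subject and issuer CN with a minimal DER walk (standard library only, no openssl needed on the router), flags self-signed certificates (the root, whose subject equals its issuer), and writes those to a separate file while leaving the private key, leaf and intermediates in place. The file paths, the `.new` suffix and the "stand-in" certificate names it builds for offline testing are assumptions; the stub certificates are unsigned placeholders with the X.509 field layout, not real certificates.

```python
"""Identify and split the certificates in an EdgeOS server.pem bundle (added example)."""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, OID 2.5.4.3


def read_tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def children(buf):
    """All top-level (tag, value) elements inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        out.append((tag, value))
    return out


def name_cn(name_der):
    """Walk Name -> RDN SET -> AttributeTypeAndValue and return the CN string."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            (_, oid), (_, value) = children(atv)[:2]
            if oid == OID_COMMON_NAME:
                return value.decode("utf-8", "replace")
    return None


def cert_names(pem_block):
    """Return (subject CN, issuer CN) of one PEM certificate block."""
    der = base64.b64decode(re.sub(r"\s+", "", PEM_RE.search(pem_block).group(1)))
    _, cert, _ = read_tlv(der, 0)              # Certificate ::= SEQUENCE
    fields = children(children(cert)[0][1])    # tbsCertificate fields
    if fields[0][0] == 0xA0:                   # optional explicit [0] version
        fields = fields[1:]
    # RFC 5280 order: serialNumber, signature, issuer, validity, subject, ...
    return name_cn(fields[4][1]), name_cn(fields[2][1])


def describe(bundle_text):
    """(subject, issuer, is_self_signed) for every certificate in the bundle."""
    rows = []
    for m in PEM_RE.finditer(bundle_text):
        subject, issuer = cert_names(m.group(0))
        rows.append((subject, issuer, subject == issuer))
    return rows


def split_bundle(bundle_text):
    """Return (server_text, ca_text): self-signed roots move to ca_text,
    everything else (private key, leaf, intermediates) stays in server_text."""
    server_text, roots = bundle_text, []
    for m in PEM_RE.finditer(bundle_text):
        subject, issuer = cert_names(m.group(0))
        if subject == issuer:
            roots.append(m.group(0))
            server_text = server_text.replace(m.group(0) + "\n", "").replace(m.group(0), "")
    return server_text, "".join(r + "\n" for r in roots)


def _tlv(tag, content):
    """Minimal DER encoder used only to build the offline test stubs."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    atv = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def make_stub_cert_pem(subject_cn, issuer_cn):
    """Constructed, unsigned stand-in with the X.509 v3 field layout, for
    testing the parser offline; not a usable certificate (assumption)."""
    tbs = _tlv(0x30,
               _tlv(0xA0, _tlv(0x02, b"\x02"))                       # version v3
               + _tlv(0x02, b"\x01")                                 # serialNumber
               + _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSA
               + _name(issuer_cn)
               + _tlv(0x30, _tlv(0x17, b"210101000000Z") + _tlv(0x17, b"310101000000Z"))
               + _name(subject_cn)
               + _tlv(0x30, b""))                                    # empty SPKI placeholder
    der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    # Usage (paths are assumptions): python split_server_pem.py /config/ssl/server.pem /config/ssl/ca.pem
    src, ca_out = sys.argv[1], sys.argv[2]
    text = open(src).read()
    for subject, issuer, self_signed in describe(text):
        print(f"{'ROOT ' if self_signed else 'chain'}  subject={subject!r}  issuer={issuer!r}")
    server_text, ca_text = split_bundle(text)
    open(ca_out, "w").write(ca_text)
    open(src + ".new", "w").write(server_text)   # review, then move over server.pem
```

The script writes the trimmed bundle to a `.new` file rather than overwriting server.pem, so the private key block can be checked before replacing anything the GUI is serving. A root that is absent from the output is not an error: the browser must already hold ISRG Root X1 in its own trust store for the chain to validate, which is why shipping the root in ca.pem only helps clients that trust it anyway.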

@dmengelt

@j-flat did it work?

@nahoj74

nahoj74 commented Nov 23, 2021

I followed the advice as the problem surfaced on my edgerouter as well.

I would suspect that a hard refresh of the browser is needed after completing step 2. I didn't do it and ended up doing step 1 once again before refreshing the browser. Anyway, it now works. Thanks for sharing your knowledge!

@dmengelt

@nahoj74 nice! glad it worked for you.

@Nadav-K

Nadav-K commented Oct 7, 2022

Hi @dmengelt

I've encountered the same issue and have followed your instructions as well as I could.
Sadly, it seems the outcome has not changed.

I'm questioning if I've done step 2 as you intended. Can you please comment if it was ok?
server.pem had a few certificates, so I decoded each one separately.
In 2 of the certs ISRG Root X10 appears (with a lot of gibberish around it), so I've followed the instructions for both of those.

Browsers (plural: Chrome, Edge, IE) show me it's invalid.
Any ideas?

[screenshot]

Thanks!
