Closed mrkoozer closed 6 years ago
node app.js states CNAME does not match.
I'm having the same problem. It says "tls_cert_verified": true,
but Zen Tracking System says
Exception: "cert: could not validate the SSL certificate."
I'm having the same issue too when using PM2 per the instructions, but when I start the app manually it works.
@mrkoozer and @dogpatchmedia what is the FQDN for your node?
@psyraxaus my FQDN was znode01.opensystemsit.com; however, I was running it on a VPS, and after a few weeks with no resolution I brought the node down :(
I would like to give it another try, though. I believe there is a new version to use, correct?
I am having the same issue. Was anyone able to resolve it?
I am also having the same issue. I got one MN working, but the other MN keeps giving me this issue.
I too am having this issue sporadically on my SN. FQDN: zenblocks.host. I also followed the same guide as mentioned by the OP.
Edit: Turns out my DNS A record had two different IPs. One of which was coming from a www redirect. You'll want to remove any redirects and ensure the DNS A record only has a single IP. Thanks to @psyraxaus for his help!
Flagging @ADumaine
DNS configuration should be checked as jbmanwell and pysrax point out.
For testing the node certificate outside the tracker you can use an openssl command from another system. Example: `openssl s_client -connect zenblocks.host:9033`
The response should be a full certificate, info about the connection and a 'Verify return code: 0 (ok)' at the end.
```
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = zenblocks.host
verify return:1
---
Certificate chain
0 s:/CN=zenblocks.host
i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body removed]
-----END CERTIFICATE-----
subject=/CN=zenblocks.host
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Requested Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 4273 bytes and written 446 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 7090B410224C5B5EEAA0B40D512EB262280CCF20CD586D99EFC8B6B6F574DA0D
Session-ID-ctx:
Master-Key: E2C600D035A0B038CE82870C35B6DFBF817420C07D7545D25761CB091D8C2F1733E918FECD89A2FC7222F1D18C1FAC92
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - fd ed aa 6b 49 bd cb 23-52 4e 1b 01 b1 b6 51 05 ...kI..#RN....Q.
0010 - c9 e3 42 9e 14 30 45 9d-e7 9f 9c 14 5b ad aa 14 ..B..0E.....[...
0020 - 29 a2 a9 2c e2 3b 88 a7-d3 e0 8a 88 55 08 33 e1 )..,.;......U.3.
0030 - 21 06 cf 00 08 07 a9 36-d9 6b d0 b0 f1 2a be 37 !......6.k...*.7
0040 - 65 07 31 ab d7 71 f9 7f-35 ce c3 d2 4d dd c9 e2 e.1..q..5...M...
0050 - 1b d4 98 09 f0 7b c0 5e-7d 30 b9 a6 db f1 a8 98 .....{.^}0......
0060 - 14 ea 6e 17 3d ce bb cc-79 71 6c 06 ce ca 7e 0e ..n.=...yql...~.
0070 - 4c 74 f1 1c 03 cf fb ff-b2 e9 84 72 85 94 3e 63 Lt.........r..>c
0080 - 49 90 2c 4e a0 24 14 72-87 3b 44 52 5a 0b 53 6e I.,N.$.r.;DRZ.Sn
0090 - 85 18 a2 53 67 1c 02 5c-4b 56 6a 32 6a 17 d1 c9 ...Sg..\KVj2j...
Start Time: 1525283577
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
```
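The two checks suggested in this thread (a single DNS A record, and a certificate that verifies from outside) can be combined into one probe that handshakes with every address the name resolves to. This is an added example, not code from the tracker or from anyone in the thread; it assumes an external validator may land on any of the resolved IPs, and the names `resolve_a_records`, `probe`, `diagnose` and the sample host and addresses are hypothetical.

```python
import socket
import ssl
import sys

PORT = 9033  # port from the openssl example in this thread

def resolve_a_records(fqdn):
    """Return every IPv4 address the name resolves to (empty on failure)."""
    try:
        infos = socket.getaddrinfo(fqdn, PORT, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def probe(ip, fqdn, port=PORT, timeout=5.0):
    """Handshake with one IP using SNI=fqdn; verify chain and hostname."""
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return f"cert: {exc.verify_message}"
    except OSError as exc:
        return f"connect: {exc}"

def diagnose(fqdn, resolver=resolve_a_records, prober=probe):
    """Probe every A record, since a remote validator may land on any of them."""
    ips = resolver(fqdn)
    results = {ip: prober(ip, fqdn) for ip in ips}
    findings = []
    if not ips:
        findings.append("no A record")
    if len(ips) > 1:
        findings.append(f"{len(ips)} A records: {', '.join(ips)}")
    findings += [f"{ip} failed ({r})" for ip, r in results.items() if r != "ok"]
    return {"fqdn": fqdn, "results": results, "findings": findings,
            "healthy": not findings}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report = diagnose(sys.argv[1])
    else:  # constructed offline sample: second IP stands in for a stray www redirect
        report = diagnose(
            "node.example.com",
            lambda f: ["192.0.2.10", "203.0.113.7"],
            lambda ip, f: "ok" if ip == "192.0.2.10" else "cert: Hostname mismatch")
    print("\n".join(report["findings"]) or "single A record, certificate verifies")
    sys.exit(0 if report["healthy"] else 1)
```

Run it with the node's FQDN as the only argument from a machine other than the node itself, so the result reflects what an outside validator sees.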
I have exactly the same issue as the OP. "tls_cert_verified": true when I run zen-cli getinfo, but on the tracker website I get a false message. My nameservers are routed to Cloudflare, so I've now changed my nameservers back to the original and deleted every A/CNAME record with the exception of my zen node. Will see if this helps in a few hours, I guess.
Completed setup of the secure node on mainnet and receiving an out of compliance with the tracker.
Zen Tracking System Exception: "cert: could not validate the SSL certificate."
TLS cert reports as valid however the tracker states the node is out of compliance.
The 'transparent' balance for the 42 zen is on a transparent address on swing wallet.
I've redeployed and rebuilt the node several times using a hosted VPS, each time yielding the same outcome.
Cross referenced install using various guides however used the following guide for setup: https://blockoperations.com/how-to-build-and-operate-a-zencash-secure-node/#securenodetracker
```
$ zen-cli getnetworkinfo | grep true
"tls_cert_verified": true,
"reachable": true,
"reachable": true,
"limited": true,
```
```
zen-cli getinfo
{
  "version": 2001051,
  "protocolversion": 170002,
  "walletversion": 60000,
  "balance": 0.00000000,
  "blocks": 230758,
  "timeoffset": 0,
  "connections": 8,
  "proxy": "",
  "difficulty": 573473.63484937,
  "testnet": false,
  "keypoololdest": 1514523794,
  "keypoolsize": 101,
  "paytxfee": 0.00000000,
  "relayfee": 0.00000100,
  "errors": ""
}
```
```
zen-cli z_gettotalbalance
{
  "transparent": "0.00",
  "private": "1.2498",
  "total": "1.2498"
}
```