NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.61k stars, 2.63k forks

Certificate Chain invalid with LE and NPM #2536

Open lordimac opened 1 year ago

lordimac commented 1 year ago

Describe the bug

We are using NPM with Let's Encrypt certificates. After creating a host and issuing the certificate, everything works fine on modern browsers and the latest systems. The certificate is valid. But if we try to open the website on an older system, like Android 7, the SSL validation fails. It looks like this is because of an old and invalid root certificate. If we check the website with sslchecker.com, it also tells us that CHAIN CERT 1 and ROOT 1 are missing. If we check the chain details, we see that DST Root CA X3 and an NA cert have been invalid since 29/30 September 2021. If I check letsencrypt.org with sslchecker.com, everything is fine.

Nginx Proxy Manager Version

v2.9.19

To Reproduce

Steps to reproduce the behavior: Create Cert for Domain and check with sslchecker.com

Operating System

Android 7.0

lordimac commented 1 year ago

OK, I commented out the following line in letsencrypt.ini:

preferred-chain = ISRG Root X1

After removing and reissuing the certificate, I get a valid chain.

Shineson1001 commented 1 year ago

Hi,

I have nearly the same problem. I downloaded the certificate from the NPM "SSL Certificates" page and use it with a GitLab server.

If you use the "GitHub Desktop" Client and try to connect to the GitLab server, you get this error message: [screenshot]

If you create the certificate with the certbot tool (Docker image "certbot/certbot": docker run -it certbot/certbot ....), the "GitHub Desktop" Client works fine; you do not get any error messages.

The chain.pem from NPM contains only one certificate; only the intermediate certificate from Let's Encrypt.

openssl crl2pkcs7 -nocrl -certfile ./npm/chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

The chain.pem from certbot contains two certificates.

openssl crl2pkcs7 -nocrl -certfile ./certbot/chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Same with the fullchain.pem: NPM contains two certificates and certbot contains three certificates.

Is it possible to create chain files with the complete chain?

=> chain.pem = intermediate and root certificate
=> fullchain.pem = intermediate, root and server certificate
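
The chain comparison in the comment above, as an added example that is not part of the original thread and is not NPM or certbot code: shell functions that list each certificate's subject and issuer in a PEM bundle, report the issuer a client must already trust, and check that the bundle is ordered leaf-first. The "Demo" certificates, file names and function names are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: inspect what a PEM bundle (chain.pem / fullchain.pem) contains.

# Print "subject<TAB>issuer" per certificate, in file order, using the
# same openssl pipeline as the comment above.
chain_entries() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s = substr($0, 9) }
         /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Number of certificates in the bundle.
chain_count() { chain_entries "$1" | wc -l | tr -d ' '; }

# Issuer of the last certificate: the CA a client must already trust.
chain_top_issuer() { chain_entries "$1" | tail -n 1 | cut -f 2; }

# Succeeds only if each certificate is issued by the one that follows it.
chain_is_linked() {
  chain_entries "$1" | awk -F '\t' '
    NR > 1 && prev != $1 { bad = 1 }
    { prev = $2 }
    END { exit bad + 0 }'
}

# Constructed sample data (hypothetical names): a throwaway root,
# intermediate and leaf, bundled as short.pem and long.pem in directory $1.
make_demo_chain() {
  demo_dir=$1
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo Root" \
    -keyout "$demo_dir/root.key" -out "$demo_dir/root.crt" 2>/dev/null
  issue() { # issue <file stem> <subject CN> <signing CA stem>
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
      -keyout "$demo_dir/$1.key" -out "$demo_dir/$1.csr" 2>/dev/null
    openssl x509 -req -in "$demo_dir/$1.csr" -set_serial 1 \
      -CA "$demo_dir/$3.crt" -CAkey "$demo_dir/$3.key" \
      -out "$demo_dir/$1.crt" 2>/dev/null
  }
  issue int "Demo Intermediate" root
  issue leaf "demo.example" int
  cat "$demo_dir/leaf.crt" "$demo_dir/int.crt" > "$demo_dir/short.pem"
  cat "$demo_dir/leaf.crt" "$demo_dir/int.crt" "$demo_dir/root.crt" \
    > "$demo_dir/long.pem"
}

# Usage: ./chain-check.sh fullchain.pem
if [ "$#" -gt 0 ]; then chain_entries "$1"; fi
```

Run against the two chain.pem files quoted above, `chain_top_issuer` would report ISRG Root X1 for the NPM file and DST Root CA X3 for the certbot file, which is the difference a client with an older trust store sees.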

github-actions[bot] commented 8 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: