hungnguyenm / edgemax-acme

Let's Encrypt setup instructions for Ubiquiti EdgeRouter using DNS-01

Generated SSL Certificate is not trusted #13

Open j-flat opened 2 years ago

j-flat commented 2 years ago

Hi, I ran into this issue when I generated the SSL certificate for the first time on my EdgeRouter X. Everything seemed to go correctly when I ran the renew.acme.sh script for the first time (DNS authority is Cloudflare), but I needed to run it in insecure mode since all curl calls to HTTPS endpoints fail while the SSL certificate is invalid.

However, the resulting certificate is still not trusted by Google Chrome (Version 94.0.4606.61 (Official Build) (x86_64)) as shown in the screenshot:

[screenshot: cert_not_trusted]

Any ideas why is this and how to get it fixed?

dmengelt commented 2 years ago

Hi @j-flat

I faced the exact same issues as you and did the following things to resolve it:

1. Update the CA certificates on EdgeOS so that you don't have to use the insecure mode anymore

root@edge:~# sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
root@edge:~# curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
root@edge:~# update-ca-certificates --fresh

Full details: https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d?page=5

2. Save the intermediate certificate to /config/ssl/ca.pem and use it. Chrome (and other browsers) will no longer show it as "not trusted".

j-flat commented 2 years ago

Hi @dmengelt !

Thanks for helping out! I have a stupid question regarding step 2: how can I identify ISRG Root X10 in /config/ssl/server.pem? I have never worked much with certificates, so I'm a bit uncertain how to achieve that.

dmengelt commented 2 years ago

You can copy the value of the certificate to an online base64 decoder and it will show you the name.
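
The two questions raised above (which block of /config/ssl/server.pem is the intermediate that belongs in ca.pem, and whether the resulting chain is actually trusted) can be answered on the router itself with openssl rather than a base64 decoder. The script below is an added example, not code from the edgemax-acme project or from anyone in this thread. It assumes only openssl, awk and mktemp (all present on EdgeOS, which is Debian based), that the bundle is in PEM form, and, in the usage comment, that /etc/ssl/certs/ca-certificates.crt is the trust store that update-ca-certificates from step 1 rebuilt. Function names, the `chain-check.sh` filename and the `cert-N.pem` temp-file naming are my own.

```shell
#!/bin/sh
# Added example for this thread, not code from the edgemax-acme project.
# Inspects a PEM bundle such as /config/ssl/server.pem, labels each certificate
# as leaf / intermediate / root, writes the intermediates to a ca.pem (step 2 of
# the answer above) and verifies the chain the way a browser does.
# Assumes only openssl, awk and mktemp, all present on EdgeOS (Debian based).

# Split bundle $1 into $2/cert-N.pem (N from 1, bundle order kept); print N.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }
    ' "$1"
}

# Print the subject ($2=subject) or issuer ($2=issuer) of cert $1 as "CN=...,O=...".
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# One line per certificate in bundle $1: "index|kind|subject|issuer".
# A self-signed cert is a root (trust-store material, not ca.pem material);
# a cert that issued another cert in the bundle is an intermediate;
# anything else is the leaf, i.e. the router's own server certificate.
# Kinds come from the subject/issuer name hashes, so bundle order is irrelevant.
describe_bundle() {
    db_tmp=$(mktemp -d)
    n=$(split_bundle "$1" "$db_tmp")
    : > "$db_tmp/hashes"
    i=1
    while [ "$i" -le "$n" ]; do
        f="$db_tmp/cert-$i.pem"
        printf '%s %s %s\n' "$i" \
            "$(openssl x509 -in "$f" -noout -subject_hash)" \
            "$(openssl x509 -in "$f" -noout -issuer_hash)" >> "$db_tmp/hashes"
        i=$((i + 1))
    done
    while read -r i subj_h iss_h; do
        f="$db_tmp/cert-$i.pem"
        if [ "$subj_h" = "$iss_h" ]; then
            kind=root
        elif awk -v h="$subj_h" '$3 == h { found = 1 } END { exit !found }' "$db_tmp/hashes"; then
            kind=intermediate
        else
            kind=leaf
        fi
        printf '%s|%s|%s|%s\n' "$i" "$kind" "$(cert_name "$f" subject)" "$(cert_name "$f" issuer)"
    done < "$db_tmp/hashes"
    rm -rf "$db_tmp"
}

# Copy every intermediate from bundle $1 into $2, e.g. /config/ssl/ca.pem.
extract_intermediates() {
    ei_tmp=$(mktemp -d)
    split_bundle "$1" "$ei_tmp" > /dev/null
    : > "$2"
    describe_bundle "$1" | while IFS='|' read -r i kind subject issuer; do
        if [ "$kind" = intermediate ]; then
            cat "$ei_tmp/cert-$i.pem" >> "$2"
        fi
    done
    rm -rf "$ei_tmp"
}

# Verify leaf $1 with intermediates $2 against trust store $3, as a browser
# would. On the router, after step 1 refreshed the store (leaf.pem being the
# first block of server.pem):
#   verify_chain leaf.pem /config/ssl/ca.pem /etc/ssl/certs/ca-certificates.crt
# Succeeds (exit 0) only when the chain builds up to a trusted root.
verify_chain() {
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1 | grep -q ': OK$'
}

# Stand-alone usage: sh chain-check.sh /config/ssl/server.pem
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    describe_bundle "$1"
fi
```

`describe_bundle` shows at a glance which block is the server certificate, which is the intermediate, and whether a self-signed root was bundled too (a root belongs in the trust store from step 1, never in ca.pem). `verify_chain` reproduces the browser's check: when ca.pem lacks the intermediate it fails with "unable to get local issuer certificate", which is the missing-intermediate condition this thread is about, and when the old DST Root CA X3 is still in the store it fails on expiry, which is what step 1 fixes. The browser may still need a hard refresh afterwards, as noted later in the thread.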

dmengelt commented 2 years ago

@j-flat did it work?

nahoj74 commented 2 years ago

I followed the advice as the problem surfaced on my EdgeRouter as well.

I would suspect that a hard refresh of the browser is needed after completing step 2. I didn't do it and ended up doing step 1 once again before refreshing the browser. Anyway, it now works. Thanks for sharing your knowledge!

dmengelt commented 2 years ago

@nahoj74 Nice! Glad it worked for you.

Nadav-K commented 1 year ago

Hi @dmengelt

I've encountered the same issue and have followed your instructions as well as I could. Sadly, it seems the outcome has not changed.

I'm questioning whether I've done step 2 as you intended. Can you please comment on whether it was OK? server.pem had a few certificates, so I decoded each one separately. In 2 of the certs, ISRG Root X10 appears (with a lot of gibberish around it), so I've followed the instructions for both of those.

Browsers (plural: Chrome, Edge, IE) show me it's invalid. Any ideas?


Thanks!