hungnguyenm / edgemax-acme

Let's Encrypt setup instructions for Ubiquiti EdgeRouter using DNS-01
148 stars 31 forks source link

Generated SSL Certificate is not trusted #13

Open j-flat opened 3 years ago

j-flat commented 3 years ago

Hi, I ran into this issue when I generated the SSL certificate for the first time on my EdgeRouterX. Everything seemed to go correctly when I ran the renew.acme.sh -script for the first time (DNS Authority is Cloudflare), but I needed to run it in insecure-mode since all curl-calls to HTTPS-endpoints are failing while SSL-certificate is invalid.

However the resulting certificate is still not trusted by Google Chrome (_Version 94.0.4606.61 (Official Build) (x8664)) as shown in the screenshot:

cert_not_trusted

Any ideas why is this and how to get it fixed?

dmengelt commented 3 years ago

Hi @j-flat

I faced the exact same issues as you and did the following things to resolve it:

1. Update the CA certificates on EdgeOS so that you don't have to use the insecure mode anymore

root@edge:~# sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
root@edge:~# curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
root@edge:~# update-ca-certificates --fresh

Full details: https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d?page=5

2. Save the intermediate certificate to /config/ssl/ca.pem and use it. Chrome (and other browsers) will no longer show it as "not trusted"

j-flat commented 3 years ago

Hi @dmengelt !

Thanks for helping out! I have a stupid question regarding the step 2., how can I identify ISRG Root X10 on the config/ssl/server.pem. I have never worked that much with certificates so I'm bit uncertain how to achieve that.

dmengelt commented 3 years ago

You can copy the value of the certificate to an online base64 decoder and it will show you the name

dmengelt commented 3 years ago

@j-flat did it work?

nahoj74 commented 2 years ago

I followed the advice as the problem surfaced on my edgerouter as well.

I would suspect that a hard refresh of the browser is needed after completing step 2. I didn't do it and ended up doing step 1 once again before refreshing the browser. Anyway, it now works. Thanks for sharing your knowledge!

dmengelt commented 2 years ago

@nahoj74 nice! glad it worked for you.

Nadav-K commented 2 years ago

Hi @dmengelt

I've encountered the same issue and have followed your instructions as well as I could. Sadly it seems the outcome had not changed.

I'm questioning if I've done step 2 as you intended. Can you please comment if it was ok? server.pem had a few certificates so I decoded each one separately. in 2 of the certs ISRG Root X10 appears (with a lot of gibberish) around it - so I've followed the instructions for both of those.

Browsers (plural - chrome, edge, IE) show me it's invalid. any ideas?

image

Thanks!