Open j-flat opened 3 years ago
Hi @j-flat
I faced the exact same issues as you and did the following things to resolve it:
1. Update the CA certificates on EdgeOS so that you don't have to use the insecure mode anymore
root@edge:~# sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
root@edge:~# curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
root@edge:~# update-ca-certificates --fresh
2. Save the intermediate certificate to /config/ssl/ca.pem and use it. Chrome (and other browsers) will no longer show it as "not trusted"
ISRG Root X1 from /config/ssl/server.pem and put it to a new file called /config/ssl/ca.pem
ISRG Root X1 from /config/ssl/server.pem
set service gui ca-file /config/ssl/ca.pem to configure EdgeOS with a ca file
Hi @dmengelt!
Thanks for helping out! I have a stupid question regarding step 2: how can I identify ISRG Root X10 in the config/ssl/server.pem? I have never worked that much with certificates so I'm a bit uncertain how to achieve that.
You can copy the value of the certificate to an online base64 decoder and it will show you the name
@j-flat did it work?
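For the question above about identifying a certificate inside /config/ssl/server.pem, here is an added example that is not part of the thread: a local alternative to an online decoder. It splits a PEM bundle into its certificates and prints each one's subject and issuer separately, so a CA name that appears only as an issuer is not mistaken for that CA's own certificate. The function names are illustrative, and awk and the openssl CLI are assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes awk and the openssl CLI.

# split_certs BUNDLE DIR: write each CERTIFICATE block of BUNDLE to DIR/certNN.pem.
# Private keys and any other PEM blocks in the bundle are skipped.
split_certs() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n); keep = 1 }
        keep { print > out }
        /-----END CERTIFICATE-----/ { keep = 0; close(out) }
    ' "$1"
}

# list_certs BUNDLE: one line per certificate, in file order:
# index <TAB> subject <TAB> issuer
list_certs() {
    dir=$(mktemp -d) || return 1
    split_certs "$1" "$dir"
    i=0
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || break            # bundle contained no certificates
        i=$((i + 1))
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        printf '%s\t%s\t%s\n' "$i" "$subject" "$issuer"
    done
    rm -rf "$dir"
}

# extract_cert BUNDLE NAME: print the PEM of the first certificate whose
# subject (not issuer) contains NAME; returns 1 if none matches.
extract_cert() {
    dir=$(mktemp -d) || return 1
    split_certs "$1" "$dir"
    status=1
    for f in "$dir"/cert*.pem; do
        [ -e "$f" ] || break
        if openssl x509 -in "$f" -noout -subject | grep -qF "$2"; then
            cat "$f"
            status=0
            break
        fi
    done
    rm -rf "$dir"
    return $status
}
```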
I followed the advice as the problem surfaced on my edgerouter as well.
I would suspect that a hard refresh of the browser is needed after completing step 2. I didn't do it and ended up doing step 1 once again before refreshing the browser. Anyway, it now works. Thanks for sharing your knowledge!
@nahoj74 nice! glad it worked for you.
Hi @dmengelt
I've encountered the same issue and have followed your instructions as well as I could. Sadly it seems the outcome has not changed.
I'm questioning if I've done step 2 as you intended. Can you please comment if it was ok? server.pem had a few certificates so I decoded each one separately. In 2 of the certs ISRG Root X10 appears (with a lot of gibberish around it), so I've followed the instructions for both of those.
Browsers (plural - Chrome, Edge, IE) show me it's invalid. Any ideas?
Thanks!
Hi, I ran into this issue when I generated the SSL certificate for the first time on my EdgeRouterX. Everything seemed to go correctly when I ran the renew.acme.sh-script for the first time (DNS Authority is Cloudflare), but I needed to run it in insecure-mode since all curl-calls to HTTPS-endpoints are failing while SSL-certificate is invalid.
However the resulting certificate is still not trusted by Google Chrome (Version 94.0.4606.61 (Official Build) (x86_64)) as shown in the screenshot:
Any ideas why is this and how to get it fixed?