kquinsland / skyhole

a DNS over TLS wrapper around PiHole - the internet's best adblocker

certs issue #2

Open adatamonk opened 5 years ago

adatamonk commented 5 years ago

hi there,

to follow up my last issue - i have skyhole up and running but I seem to have gotten stuck at the certs step.

Ran:

openssl s_client -connect skyhole.mydomain.com:443

Got:

Verify return code: 21 (unable to verify the first certificate)

Port 443 is open: 443/tcp ALLOW Anywhere

Would you know how I can go about fixing this issue? I think it may be the reason my phone does not connect to skyhole.mydomain.com

kquinsland commented 5 years ago

It sounds like you have an incomplete or untrusted certificate chain.

Spend some time reading up on how to validate a certificate chain. You should also run the chain verification commands on the certificates files directly.

https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify

Or similar should be enough to confirm that your certs are all there. Remember, you need the root CA to already be loaded and trusted by your phone for it to connect.


adatamonk commented 5 years ago

it looks like the script didn't generate any certs, this directory seems empty:

/opt/skyhole/docker/vol/coredns/config/certs/fchain.pem/

sorry I am not too familiar with ssl :) could this also be the issue? how would i fix this?

kquinsland commented 5 years ago

Traefik does the ACME dance with Let's Encrypt. Check the logs for Traefik and make sure that there's some useful data in acme.json.

when acme.json changes, this script is run: https://github.com/kquinsland/skyhole/blob/master/docker/helpers/keys/keys.sh

which will take the cert/key from acme.json and turn it into a format that coredns can use.

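An added example, written for this thread and not taken from skyhole's keys.sh, that does the two things the replies above ask for: pull the cert/key pair for one domain out of Traefik's acme.json into fchain.pem and key.pem, refuse to proceed when one of those paths is a directory instead of a file, and count the PEM certificate blocks in the result so a one-certificate "chain" (the usual cause of "unable to verify the first certificate") is caught before a phone is pointed at the server. The acme.json layouts it understands (a top-level "Certificates" list with "Domain"/"Certificate"/"Key" fields, or the same list nested under a resolver name with lowercase field names) are an assumption, not taken from this issue, and the PEM blocks are constructed placeholders rather than real certificates; the function and file names are mine.

```python
"""Added example, not skyhole's own keys.sh: acme.json -> fchain.pem/key.pem with sanity checks."""
import base64
import json
import os
import re
import tempfile

# Matches one PEM certificate block; re.S lets '.' span the base64 lines.
PEM_CERT_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

# Constructed placeholders (NOT real certificates); only the PEM markers matter here.
FAKE_LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
FAKE_INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN EC PRIVATE KEY-----\nS0VZ\n-----END EC PRIVATE KEY-----\n"


def iter_certificates(acme):
    """Yield (domain, cert_pem, key_pem) from a parsed acme.json.
    Assumed layouts: v1 = {"Certificates": [{"Domain": {"Main": ...}, "Certificate": b64, "Key": b64}]}
    v2 = {resolver: {"Account": ..., "Certificates": [{"domain": {"main": ...}, "certificate": b64, "key": b64}]}}"""
    if "Certificates" in acme:
        entries = [(c["Domain"]["Main"], c["Certificate"], c["Key"]) for c in acme["Certificates"] or []]
    else:
        entries = []
        for resolver in acme.values():
            for c in resolver.get("Certificates") or []:
                entries.append((c["domain"]["main"], c["certificate"], c["key"]))
    for domain, cert_b64, key_b64 in entries:
        yield domain, base64.b64decode(cert_b64), base64.b64decode(key_b64)


def write_pem_files(acme, domain, certs_dir):
    """Write fchain.pem and key.pem for `domain` into certs_dir; return their paths."""
    for found, cert_pem, key_pem in iter_certificates(acme):
        if found != domain:
            continue
        fchain = os.path.join(certs_dir, "fchain.pem")
        key = os.path.join(certs_dir, "key.pem")
        for path in (fchain, key):
            if os.path.isdir(path):  # the mistake from this thread: a directory named fchain.pem
                raise IsADirectoryError(f"{path} is a directory; it must be a regular file")
        with open(fchain, "wb") as f:
            f.write(cert_pem)
        with open(key, "wb") as f:
            f.write(key_pem)
        os.chmod(key, 0o600)  # private key: owner read/write only
        return fchain, key
    raise KeyError(f"no certificate for {domain} in acme.json")


def count_chain_certs(path):
    """Number of PEM certificate blocks in a chain file."""
    with open(path, "rb") as f:
        return len(PEM_CERT_RE.findall(f.read().decode()))


def chain_looks_complete(path, minimum=2):
    """A full chain served to clients needs the leaf plus at least one intermediate."""
    return os.path.isfile(path) and count_chain_certs(path) >= minimum


def build_sample_acme(layout="v2"):
    """Constructed acme.json content: one full chain and one leaf-only entry."""
    b64 = lambda s: base64.b64encode(s.encode()).decode()
    full = (FAKE_LEAF + FAKE_INTERMEDIATE, FAKE_KEY)
    leaf_only = (FAKE_LEAF, FAKE_KEY)
    if layout == "v1":
        certs = [{"Domain": {"Main": d}, "Certificate": b64(c), "Key": b64(k)}
                 for d, (c, k) in (("skyhole.example.com", full), ("leafonly.example.com", leaf_only))]
        return json.loads(json.dumps({"Account": {}, "Certificates": certs}))
    certs = [{"domain": {"main": d}, "certificate": b64(c), "key": b64(k)}
             for d, (c, k) in (("skyhole.example.com", full), ("leafonly.example.com", leaf_only))]
    return json.loads(json.dumps({"le": {"Account": {}, "Certificates": certs}}))


def demo():
    """Exercise the happy path, the leaf-only chain and the directory mistake; return findings."""
    results = {}
    with tempfile.TemporaryDirectory() as certs_dir:
        fchain, _ = write_pem_files(build_sample_acme("v2"), "skyhole.example.com", certs_dir)
        results["full_chain_certs"] = count_chain_certs(fchain)
        results["full_chain_ok"] = chain_looks_complete(fchain)
    with tempfile.TemporaryDirectory() as certs_dir:
        fchain, _ = write_pem_files(build_sample_acme("v1"), "skyhole.example.com", certs_dir)
        results["v1_chain_certs"] = count_chain_certs(fchain)
    with tempfile.TemporaryDirectory() as certs_dir:
        fchain, _ = write_pem_files(build_sample_acme("v2"), "leafonly.example.com", certs_dir)
        results["leaf_only_ok"] = chain_looks_complete(fchain)
    with tempfile.TemporaryDirectory() as certs_dir:
        os.mkdir(os.path.join(certs_dir, "fchain.pem"))
        try:
            write_pem_files(build_sample_acme("v2"), "skyhole.example.com", certs_dir)
            results["dir_rejected"] = False
        except IsADirectoryError:
            results["dir_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Against a real installation you would call write_pem_files with json.load(open("/path/to/acme.json")) and the CoreDNS certs directory, then run chain_looks_complete on the resulting fchain.pem; a count of 1 means the server will only ever send the leaf, which is exactly what openssl s_client reports as "unable to verify the first certificate".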

kaustubh105 commented 5 years ago

it looks like the script didn't generate any certs, this directory seems empty:

/opt/skyhole/docker/vol/coredns/config/certs/fchain.pem/

sorry I am not too familiar with ssl :) could this also be the issue? how would i fix this?

I had the same problem too, /opt/skyhole/docker/vol/coredns/config/certs/fchain.pem/ is not supposed to be a directory. Delete the directory, and run the following commands:

touch /opt/skyhole/docker/vol/coredns/config/certs/fchain.pem

touch /opt/skyhole/docker/vol/coredns/config/certs/key.pem

You might have to run those with sudo