hungnguyenm/edgemax-acme

Generated SSL Certificate is not trusted

j-flat opened this issue · 7 comments

Hi, I ran into this issue when I generated the SSL certificate for the first time on my EdgeRouterX. Everything seemed to go correctly when I ran the renew.acme.sh script for the first time (DNS authority is Cloudflare), but I needed to run it in insecure mode, since all curl calls to HTTPS endpoints fail while the SSL certificate is invalid.

However the resulting certificate is still not trusted by Google Chrome (Version 94.0.4606.61 (Official Build) (x86_64)) as shown in the screenshot:
[screenshot: cert_not_trusted]

Any ideas why this is and how to get it fixed?

Hi @j-flat

I faced the exact same issues as you and did the following things to resolve it:

1. Update the CA certificates on EdgeOS so that you don't have to use the insecure mode anymore

root@edge:~# sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
root@edge:~# curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
root@edge:~# update-ca-certificates --fresh

Full details: https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d?page=5

2. Save the intermediate certificate to /config/ssl/ca.pem and use it. Chrome (and other browsers) will no longer show it as "not trusted"

  • Extract the ISRG Root X1 from /config/ssl/server.pem and put it to a new file called /config/ssl/ca.pem
  • Remove the ISRG Root X1 from /config/ssl/server.pem
  • Use set service gui ca-file /config/ssl/ca.pem to configure EdgeOS with a ca file
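
The splitting in step 2 done mechanically, as an added example that is not part of edgemax-acme or EdgeOS: the script keeps the private key and the first certificate in a new server.pem, moves every later certificate block into ca.pem, and base64-decodes each block to show the names inside it (the same "decode it and read the name" check, done locally). It assumes the acme.sh layout, i.e. key first, the router's own certificate next, then the CA certificates (intermediate and root). The sample bundle it builds is constructed placeholder text, not real keys or certificates, so the decoded "names" are just the placeholder strings; the file paths are illustrative.

```shell
#!/bin/sh
# Added example, not part of edgemax-acme or EdgeOS: split a combined
# server.pem (private key + leaf certificate + CA chain) into the two
# files step 2 describes, and show the names inside each block.
# Assumption: acme.sh ordering, i.e. the key and the router's own
# certificate come first and the CA certificates (intermediate, root) follow.
set -eu
LC_ALL=C; export LC_ALL

# Write one PEM CERTIFICATE block around constructed (non-X.509) bytes.
pem_block() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----'
    printf '%s' "$1" | base64
    printf '%s\n' '-----END CERTIFICATE-----'
}

# Constructed sample bundle in the layout acme.sh leaves behind;
# the bodies are placeholder text, not real keys or certificates.
make_sample_bundle() {
    {
        printf '%s\n' '-----BEGIN PRIVATE KEY-----'
        printf '%s' 'constructed placeholder, not a real key' | base64
        printf '%s\n' '-----END PRIVATE KEY-----'
        pem_block 'constructed leaf: CN=router.example.test issued by CN=R3'
        pem_block 'constructed intermediate: CN=R3 issued by CN=ISRG Root X1'
        pem_block 'constructed root: CN=ISRG Root X1'
    } > "$1"
}

# Keep the key and the first certificate in $2 (new server.pem);
# move every later CERTIFICATE block into $3 (ca.pem).
split_bundle() {
    : > "$3"
    awk -v server="$2" -v ca="$3" '
        BEGIN { out = server }
        /^-----BEGIN / {
            if ($0 ~ /CERTIFICATE/) ncert++
            out = ($0 ~ /CERTIFICATE/ && ncert > 1) ? ca : server
        }
        { print > out }
    ' "$1"
}

# Number of CERTIFICATE blocks in a PEM file.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Base64-decode the Nth certificate in $1 and print its printable runs,
# separated by ';' (for a real DER certificate the subject and issuer
# names, e.g. "ISRG Root X1", appear among them).
cert_names() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----$/ { n++; next }
        /^-----END CERTIFICATE-----$/   { if (n == want) exit; next }
        n == want { print }
    ' "$1" | base64 -d 2>/dev/null | tr -c '[:print:]' '\n' \
      | grep -E '.{6,}' | sort -u | tr '\n' ';'
}

# Demo on the constructed bundle: ./split.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/server.pem"
    split_bundle "$tmp/server.pem" "$tmp/server.new.pem" "$tmp/ca.pem"
    echo "server.new.pem cert 1: $(cert_names "$tmp/server.new.pem" 1)"
    i=1
    while [ "$i" -le "$(count_certs "$tmp/ca.pem")" ]; do
        echo "ca.pem cert $i: $(cert_names "$tmp/ca.pem" "$i")"
        i=$((i + 1))
    done
fi
```

On the router you would run split_bundle against /config/ssl/server.pem, writing to two new files, check the names with cert_names (or, where openssl is installed, with openssl x509 -noout -subject -issuer on each block for exact names), then replace server.pem with the key-plus-leaf file and point set service gui ca-file at the chain file as the step above says. If ca.pem ends up empty, the bundle had no chain after the first certificate and there is nothing to move.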

Hi @dmengelt !

Thanks for helping out! I have a stupid question regarding step 2: how can I identify ISRG Root X10 in /config/ssl/server.pem? I have never worked that much with certificates, so I'm a bit uncertain how to achieve that.

You can copy the value of the certificate to an online base64 decoder and it will show you the name

@j-flat did it work?

I followed the advice as the problem surfaced on my edgerouter as well.

I would suspect that a hard refresh of the browser is needed after completing step 2. I didn't do it and ended up doing step 1 once again before refreshing the browser. Anyway, it now works. Thanks for sharing your knowledge!

@nahoj74 nice! glad it worked for you.

Hi @dmengelt

I've encountered the same issue and have followed your instructions as well as I could.
Sadly, it seems the outcome has not changed.

I'm questioning whether I've done step 2 as you intended. Can you please comment on whether it was OK?
server.pem had a few certificates, so I decoded each one separately.
In 2 of the certs, ISRG Root X10 appears (with a lot of gibberish around it), so I've followed the instructions for both of those.

Browsers (plural: Chrome, Edge, IE) show me it's invalid.
Any ideas?


Thanks!