System Diagnostics - Check Validity Of SSL Certificate

Greetings,

I hope you are well. I’ve recently purchased a wildcard SSL certificate and am using it with UCS. While I seem to have apache and the web interface working with it, system diagnostics show the error below:

Found invalid certificate ‘/etc/myssl/cert.pem’:
error /etc/myssl/cert.pem: verification failed

I followed these steps: Using your own SSL certificates

Any suggestions on how to fix this?

Thanks,
David.

Hey,

my guess is that the CA you got the certificate from uses an intermediate CA that isn’t known to the UCS system.

Under the hood that system diagnostics script executes the following command:

openssl verify /path/to/certificate.pem

Armed with that knowledge one can deduce what’s to be done: register the intermediate CA certificate as a trusted CA certificate.

But first make sure this is actually the problem. Execute openssl verify /etc/myssl/cert.pem and post its output here, please.

If this is indeed the problem, you can register the intermediate CA. On Debian-based systems such as UCS the necessary steps are:

  1. Copy the intermediate CA’s certificate to /usr/local/share/ca-certificates. Note that it must be encoded in PEM (not DER), and that the file name’s extension must be .crt and not .pem.
  2. Execute the command update-ca-certificates as root.

Afterwards there should be symbolic links in /etc/ssl/certs pointing to the file you’ve copied to /usr/local/share/ca-certificates; one for the file name itself (this time with the extension .pem, curiously) and one for the hash of the certificate.

Now try that openssl verify /etc/myssl/cert.pem again.

Kind regards,
mosu

5 Likes
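
The failure and fix discussed in this thread, reproduced offline as an added example (not part of any post, and not UCS code). It builds a constructed root CA, intermediate CA and wildcard leaf in a scratch directory, then runs openssl verify with only the root trusted and again with the intermediate trusted as well; all subjects and file names are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example. Every key, subject and file name below is constructed;
# the system trust store under /etc/ssl/certs is never touched.

# build_demo_chain DIR: root CA -> intermediate CA -> wildcard leaf, all in DIR.
build_demo_chain() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root CA (stands in for a CA the system already trusts).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$dir/ca.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root. PEM-encoded, saved with a .crt name.
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/ca.cnf" -extensions v3_ca \
        -out "$dir/intermediate.crt" 2>/dev/null || return 1
    # Wildcard leaf, signed by the intermediate (plays the role of cert.pem).
    openssl req -new -newkey rsa:2048 -nodes -config "$dir/ca.cnf" \
        -subj "/CN=*.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -days 2 \
        -out "$dir/leaf.pem" 2>/dev/null
}

# verify_with TRUSTFILE CERT: openssl verify with TRUSTFILE as the trusted CAs.
# Prints openssl's message and returns its exit status.
verify_with() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

work=$(mktemp -d) && build_demo_chain "$work" || exit 1
echo "-- only the root is trusted:"
verify_with "$work/root.pem" "$work/leaf.pem"
echo "-- root and intermediate are trusted:"
cat "$work/root.pem" "$work/intermediate.crt" > "$work/trusted.pem"
verify_with "$work/trusted.pem" "$work/leaf.pem"
```

The first call fails with the same "unable to get local issuer certificate" message quoted in this thread; on a real Debian-based host the second state is reached through the copy and update-ca-certificates steps above rather than a hand-built bundle file.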

Hi Mosu,

Thanks for your help.

Here’s the output of openssl verify /etc/myssl/cert.pem:

error 20 at 0 depth lookup: unable to get local issuer certificate
error /etc/myssl/cert.pem: verification failed

But you were completely right and I feel silly that I forgot to do something as simple as this. I failed to register the intermediate CA properly with UCS and after doing as you’ve instructed I no longer get the error in system diagnostics. Thank you very much for the easy fix!

Regards,
David.

Glad I could help, and you’re very welcome.

1 Like

This worked perfectly and was my same issue. For anyone reading this, although I’d been searching for hours for an answer in the official docs, it wasn’t till I came to this forum that I found the answer. I love the open source community for this software…great minds and great help.

Thank you for this! I’m not new to sysadmin stuff, but I’m always behind the curve on ssl certs…don’t know why I can’t get some of those concepts to stick in my head.

Thanks again!
