Hi folks,
We have been using lego without any problem (release v0.3.1) but now the client reports following error:
2016/06/29 08:43:10 Could not create client: get directory at 'https://acme-v01.api.letsencrypt.org/directory': failed to get "https://acme-v01.api.letsencrypt.org/directory": Get https://acme-v01.api.letsencrypt.org/directory: x509: certificate signed by unknown authority
Is there a file or configuration we have to update so the certificate provided by https://acme-v01.api.letsencrypt.org/directory is accepted?
Thanks for your time and for lego,
Strange! Looks like your connection was being MITM'ed...
Uhmn.. If I run wget over the url I get this:
LANG=C wget --spider https://acme-v01.api.letsencrypt.org/directory
Spider mode enabled. Check if remote file exists.
--2016-06-29 15:26:36-- https://acme-v01.api.letsencrypt.org/directory
Resolving acme-v01.api.letsencrypt.org (acme-v01.api.letsencrypt.org)... 95.100.116.66, 2a02:26f0:e0:18a::3d5, 2a02:26f0:e0:186::3d5
Connecting to acme-v01.api.letsencrypt.org (acme-v01.api.letsencrypt.org)|95.100.116.66|:443... connected.
ERROR: **The certificate of `acme-v01.api.letsencrypt.org' is not trusted.**
ERROR: **The certificate of `acme-v01.api.letsencrypt.org' hasn't got a known issuer.**
^ That's not good. What kind of network are you on? Corporate? University? Comcast? All are terrible. :smile:
With your hint, I believe this has to do with openssl/libssl and some sort of system configuration where default certificate chains are not trusted...I'm checking this...
Could you show the certificate you are getting when trying to connect to the server (e.g. curl -iv ...)?
Sure, it's the same as the one presented by other systems working without any issue:
>> openssl s_client -connect acme-v01.api.letsencrypt.org:https
CONNECTED(00000003)
depth=2 C = US, O = IdenTrust, CN = IdenTrust Commercial Root CA 1
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/CN=*.api.letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
i:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
1 s:/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
i:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
2 s:/C=US/O=IdenTrust/CN=IdenTrust Commercial Root CA 1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
[certificate body elided]
-----END CERTIFICATE-----
subject=/CN=*.api.letsencrypt.org/O=INTERNET SECURITY RESEARCH GROUP/L=Mountain View/ST=California/C=US
issuer=/C=US/O=IdenTrust/OU=TrustID Server/CN=TrustID Server CA A52
Fixed!
Finally, for some reason, this debian/wheezy system didn't accept the set of default certificates that comes from the ca-certificates package. If someone hits this error, just run:
>> dpkg-reconfigure ca-certificates
...and accept trusting those presented. After that, re-running lego works as expected.
Thanks for your time, hints and support,
Best Regards,
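The thread above shows that Go's "x509: certificate signed by unknown authority" is a trust-store problem on the client, not necessarily a bad certificate from the server: the chain openssl printed is the normal one, but the root it ends in was missing from the system's trusted set. The following added example (not lego's code, nor part of the original issue) reproduces that distinction offline in Go, lego's own language: it generates a throwaway root CA and a leaf signed by it (constructed test data, not the Let's Encrypt chain), then verifies the leaf once against an empty trust store and once against a store that contains the root. The hostname "acme.example.test" and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// buildChain creates a self-signed test root CA and a leaf certificate for
// acme.example.test signed by that root. All of this is constructed data for
// the example; it has nothing to do with the real Let's Encrypt chain.
func buildChain() (root, leaf *x509.Certificate, err error) {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if root, err = x509.ParseCertificate(rootDER); err != nil {
		return nil, nil, err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "acme.example.test"},
		DNSNames:     []string{"acme.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return nil, nil, err
	}
	if leaf, err = x509.ParseCertificate(leafDER); err != nil {
		return nil, nil, err
	}
	return root, leaf, nil
}

// verifyAgainst checks leaf for host using a trust store that holds only the
// given roots. An explicit (possibly empty) pool is used so the result does not
// depend on whatever CA bundle the machine running this happens to have.
func verifyAgainst(leaf *x509.Certificate, roots []*x509.Certificate, host string) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// IsUnknownAuthority reports whether err is the trust-store failure from the
// issue ("x509: certificate signed by unknown authority").
func IsUnknownAuthority(err error) bool {
	var uae x509.UnknownAuthorityError
	return errors.As(err, &uae)
}

// Demo returns the verification result with an empty trust store (expected to
// be an UnknownAuthorityError) and with the root installed (expected to be nil).
func Demo() (withoutRoot, withRoot error, err error) {
	root, leaf, err := buildChain()
	if err != nil {
		return nil, nil, err
	}
	withoutRoot = verifyAgainst(leaf, nil, "acme.example.test")
	withRoot = verifyAgainst(leaf, []*x509.Certificate{root}, "acme.example.test")
	return withoutRoot, withRoot, nil
}

func main() {
	withoutRoot, withRoot, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("empty trust store:", withoutRoot, "| unknown authority?", IsUnknownAuthority(withoutRoot))
	fmt.Println("root installed:  ", withRoot)
}
```

The same leaf fails or passes depending only on what the client trusts, which is exactly why dpkg-reconfigure ca-certificates (restoring the trusted set) fixed the original report. When investigating this error in practice, print the chain the server sends (as done with openssl s_client above) and compare its last issuer against the local bundle before assuming interception.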
Hi!
Hit this on Windows 2003 since it does not support SHA2 by default (thanks for Win32 support by the way!). Patch 938397 (https://support.microsoft.com/en-us/kb/938397) solves the issue.
Another possible step that I found is to install the ssl-cert package. It started working for me after that. Source.