2 votos

Compruebe el código de retorno: 21 (no se puede comprobar el first certificate) Permite cifrar Apache a Nginx con crontab problema

Hice esto https://www.digitalocean.com/community/tutorials/how-to-secure-apache-with-let-s-encrypt-on-ubuntu-14-04


a continuación, el interruptor de apache a nginx con el siguiente ***https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-14-04

***todo estaba bien. pero ahora facebook depurador de darme: Curl de Error : SSL_CACERT certificado SSL problema: no se puede obtener el local emisor del certificado

***PREGUNTA: ¿Cómo puedo volver a descargar todos los certificados de la entidad emisora de certificados y hacer un nuevo paquete en mi situación?

Alexs-MacBook-Air:~ alex$ openssl s_client -connect goeasysmile.com:443
CONNECTED(00000003)
depth=0 /CN=goeasysmile.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /CN=goeasysmile.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /CN=goeasysmile.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=goeasysmile.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFFjCCA/6gAwIBAgISBPstpF9NiACN8vtDkMYUsZ/fMA0GCSqGSIb3DQEBCwUA
MEoxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MSMwIQYDVQQD
ExpMZXQncyBFbmNyeXB0IEF1dGhvcml0eSBYMzAeFw0xNzA5MjExMTIwMDBaFw0x
NzEyMjAxMTIwMDBaMBoxGDAWBgNVBAMTD2dvZWFzeXNtaWxlLmNvbTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKxogeMt8i4wigwQX8idtb4NsBsjY8Aa
huTiGBi+99WVFUU8v6yAIQew+Q2Csd0cxF3Iq6I4pajEzqb/tTYXXVGLL7isdwRG
pRbhcrkF4Urxk3BhdP6f/7QCMkp4/H3knvKBa+cugZXQ3lz/73uVQ6F+bC7ZEp2U
mSkMGS1NT5bPiPML8KOLhOpIT0rj03e3T2PA8oy+TheI8pZ4E+LVnS4qzbas6PN/
ijgfG/ev/C62zmlwz+Dfe8UbiZ0sAmOQ/Q7/a2iaxZBiX+ZTMHGtv4cEd+2p8knn
ZQ+ZM/pmzYyU8o+NlykN2/joY7FlRMDEBJdnstf42OSQGtFWI1CCjv0CAwEAAaOC
AiQwggIgMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwDAYDVR0TAQH/BAIwADAdBgNVHQ4EFgQUFJk9G1tyeWd/7eHnbYuKRLMn
1Z8wHwYDVR0jBBgwFoAUqEpqYwR93brm0Tm3pkVl7/Oo7KEwbwYIKwYBBQUHAQEE
YzBhMC4GCCsGAQUFBzABhiJodHRwOi8vb2NzcC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnMC8GCCsGAQUFBzAChiNodHRwOi8vY2VydC5pbnQteDMubGV0c2VuY3J5cHQu
b3JnLzAvBgNVHREEKDAmgg9nb2Vhc3lzbWlsZS5jb22CE3d3dy5nb2Vhc3lzbWls
ZS5jb20wgf4GA1UdIASB9jCB8zAIBgZngQwBAgEwgeYGCysGAQQBgt8TAQEBMIHW
MCYGCCsGAQUFBwIBFhpodHRwOi8vY3BzLmxldHNlbmNyeXB0Lm9yZzCBqwYIKwYB
BQUHAgIwgZ4MgZtUaGlzIENlcnRpZmljYXRlIG1heSBvbmx5IGJlIHJlbGllZCB1
cG9uIGJ5IFJlbHlpbmcgUGFydGllcyBhbmQgb25seSBpbiBhY2NvcmRhbmNlIHdp
dGggdGhlIENlcnRpZmljYXRlIFBvbGljeSBmb3VuZCBhdCBodHRwczovL2xldHNl
bmNyeXB0Lm9yZy9yZXBvc2l0b3J5LzANBgkqhkiG9w0BAQsFAAOCAQEAgHbVMCYk
ySK1ivEO2myMfCkwi0GBTqj9/oKW6T7DNJSpcLYYPZgaQai98QgHBT6P3dsiCSI4
FComGitu8M7foip2eHX6JWPBtCAN1QocsgY3UbppGWKY99qIDi3u5DJLheDzsDPo
633B2J1cm5f3quDTpZPRcW7tzx45VQ/YqT7Ydr3kxriAXUf3pedCXHk3SIZ/92qe
tJE0MFe7zlwnSDAb5uNohVAeQSVymQG/afSifNGYOWclcDOrLatEJn+JlJ4oPbbA
y+en2IeIH5Ez63SJDgzqMHvCSAtmCVUWsI2seGOUMzJikeVAx13jE8JCYdmuvzTN
sRb6/GJYbfWcBA==
-----END CERTIFICATE-----
subject=/CN=goeasysmile.com
issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
---
No client certificate CA names sent
---
SSL handshake has read 2261 bytes and written 456 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: E8704CF999E67354784246C113DCB93BAB0E0C0BF47942FC44B25B95B8655EB4
    Session-ID-ctx: 
    Master-Key: 4E520458361D6EFF58193ECC63A17DAAEC16146D0834D852E7A5284CD114BF02FA9ED939DF97A58B07AB9176A0A72352
    Key-Arg   : None
    Start Time: 1506319952
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---
closed

Podría tener algo que ver con mi buggy /var/log/le-renovar.registro de contab

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/www.goeasysmile.com/fullchain.pem (failure)
Upgrading certbot-auto 0.14.0 to 0.14.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Had a problem while installing Python packages.
pip prints the following errors:
=====================================================
Collecting argparse==1.4.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line $
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/u$
  SNIMissingWarning
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/u$
  InsecurePlatformWarning
  Downloading argparse-1.4.0-py2.py3-none-any.whl
Collecting pycparser==2.14 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line $
  Downloading pycparser-2.14.tar.gz (223kB)
Collecting cffi==1.4.2 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 21))
  Downloading cffi-1.4.2.tar.gz (365kB)
Collecting ConfigArgParse==0.10.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt$
  Downloading ConfigArgParse-0.10.0.tar.gz
Collecting configobj==5.0.6 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
  Downloading configobj-5.0.6.tar.gz
Collecting cryptography==1.5.3 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (l$
  Downloading cryptography-1.5.3.tar.gz (400kB)
Collecting enum34==1.1.2 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 65$
  Downloading enum34-1.1.2.tar.gz (46kB)
Collecting funcsigs==0.4 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 68$
  Downloading funcsigs-0.4-py2.py3-none-any.whl
Collecting idna==2.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 71))
  Downloading idna-2.0-py2.py3-none-any.whl (61kB)
Collecting ipaddress==1.0.16 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
  Downloading ipaddress-1.0.16-py27-none-any.whl
Collecting linecache2==1.0.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
  Downloading linecache2-1.0.0-py2.py3-none-any.whl
Collecting ordereddict==1.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
  Downloading ordereddict-1.1.tar.gz
Collecting parsedatetime==2.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (li$
  Downloading parsedatetime-2.1-py2-none-any.whl
Collecting pbr==1.8.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 85))
  Downloading pbr-1.8.1-py2.py3-none-any.whl (89kB)
Collecting pyasn1==0.1.9 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 88$
  Downloading pyasn1-0.1.9-py2.py3-none-any.whl
Collecting pyOpenSSL==16.2.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
  Downloading pyOpenSSL-16.2.0-py2.py3-none-any.whl (43kB)
Collecting pyparsing==2.1.8 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
  Downloading pyparsing-2.1.8-py2.py3-none-any.whl (54kB)
Collecting pyRFC3339==1.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 1$
  Downloading pyRFC3339-1.0-py2.py3-none-any.whl
Collecting python-augeas==0.5.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt ($
  Downloading python-augeas-0.5.0.tar.gz (90kB)
Collecting pytz==2015.7 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 117$
  Downloading pytz-2015.7-py2.py3-none-any.whl (476kB)
Collecting requests==2.12.1 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$
  Downloading requests-2.12.1-py2.py3-none-any.whl (574kB)
Collecting six==1.10.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line 134))
  Downloading six-1.10.0-py2.py3-none-any.whl
Collecting traceback2==1.4.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (lin$
  Downloading traceback2-1.4.0-py2.py3-none-any.whl
Collecting unittest2==1.1.0 (from -r /tmp/tmp.AnzE95LVFd/letsencrypt-auto-requirements.txt (line$

...

    running build_ext
    generating cffi module 'build/temp.linux-x86_64-2.7/_padding.c'
    creating build/temp.linux-x86_64-2.7
    generating cffi module 'build/temp.linux-x86_64-2.7/_constant_time.c'
    generating cffi module 'build/temp.linux-x86_64-2.7/_openssl.c'
    building '_openssl' extension
    creating build/temp.linux-x86_64-2.7/build
    creating build/temp.linux-x86_64-2.7/build/temp.linux-x86_64-2.7
    x86_64-linux-gnu-gcc -pthread -fno-strict-aliasing -DNDEBUG -g -fwrapv -O2 -Wall -Wstrict-pr$
    x86_64-linux-gnu-gcc: internal compiler error: Killed (program cc1)
    Please submit a full bug report,
    with preprocessed source if appropriate.
    See <file:///usr/share/doc/gcc-4.8/README.Bugs> for instructions.
    error: command 'x86_64-linux-gnu-gcc' failed with exit status 4

    ----------------------------------------
Command "/root/.local/share/letsencrypt/bin/python2.7 -u -c "import setuptools, tokenize;__file_$
', '
'), __file__, 'exec'))" install --record /tmp/pip-SvFhes-record/install-record.txt --single-vers$
/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/pip/_vendor/requests/packages/u$
  InsecurePlatformWarning
You are using pip version 8.0.3, however version 9.0.1 is available.
You should consider upgrading via the 'pip install --upgrade pip' command.
=====================================================

Certbot has problem setting up the virtual environment.

Based on your pip output, the problem can likely be fixed by
increasing the available memory.

Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support resources at https://certbot.eff.org/support/ .

2voto

Encuentra la respuesta aquí: https://community.letsencrypt.org/t/cannot-verify-domain-with-openssl/11545

Usted tendrá que referirse a fullchain.pem en su configuración del servidor web, en lugar de cert.pem.

Llegar a nginx servidor virtual config

sudo nano /etc/nginx/sites-enabled/default

He cambiado esta línea

ssl_certificate /etc/letsencrypt/live/www.goeasysmile.com/cert.pem;

a

ssl_certificate /etc/letsencrypt/live/www.goeasysmile.com/fullchain.pem;

Esta era me impide compartir enlaces bastante a través de facebook metatag de información como la og:image. Ahora se puede yay!

EnMiMaquinaFunciona.com

EnMiMaquinaFunciona es una comunidad de administradores de sistemas en la que puedes resolver tus problemas y dudas.
Puedes consultar las preguntas de otros sysadmin, hacer tus propias preguntas o resolver las de los demás.

Powered by: