Netgate Discussion Forum
    Generated certificates do not include full certificate chain

mvalen:

      Hello,
      I recently tried to curl my website with a LetsEncryptv2 certificate generated by the ACME package but I got the following error:

      curl: (60) SSL certificate problem: unable to get local issuer certificate

      I mitigated this error by adding the LetsEncrypt intermediate authority in my system CA bundle but I think it would be a good idea to deliver the full chain in the certificate.

      Did I miss something?

      Kind regards

jimp (Rebel Alliance Developer, Netgate):

        It works fine with the GUI set to use the cert as-is, and I've used it with haproxy and others without needing to change what it outputs.

        Could be a problem with your client, or if you generated the cert on pfSense but exported it for use elsewhere, perhaps something was missed.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

mvalen:

          Hello Jimp,

          I wouldn't say that the certificate isn't working, since all my browsers are able to rebuild the full certificate chain. The problem is that some SSL clients (as you stated) require that servers provide the full certificate chain, which is not the case with the ACME-generated certificates.

          May we have a button in the certificate setup to include intermediate CAs in the final certificate?

          Let me know if you need more insight.

jimp (Rebel Alliance Developer, Netgate):

            And I'm saying I can't replicate the error here with any client, even cURL. It all works fine as-is.

            * SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
            * ALPN, server accepted to use h2
            * Server certificate:
            *  subject: CN=<my hostname>
            *  start date: Jun 14 06:18:12 2018 GMT
            *  expire date: Sep 12 06:18:12 2018 GMT
            *  subjectAltName: host "<my hostname>" matched cert's "<my hostname>"
            *  issuer: C=US; O=Let's Encrypt; CN=Let's Encrypt Authority X3
            *  SSL certificate verify ok.
            

            The CA that signed my ACME cert is: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            The ACME CA on pfSense is: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
            The ACME CA was signed by O=Digital Signature Trust Co., CN=DST Root CA X3

            Connecting to the GUI I am already served the ACME cert and the ACME intermediate CA.

            $ openssl s_client -showcerts -connect <my hostname>:443
            CONNECTED(00000003)
            depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
            verify return:1
            depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
            verify return:1
            depth=0 CN = <my hostname>
            verify return:1
            ---
            Certificate chain
             0 s:/CN=<my hostname>
               i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
            -----BEGIN CERTIFICATE-----
            [...]
            -----END CERTIFICATE-----
             1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
               i:/O=Digital Signature Trust Co./CN=DST Root CA X3
            -----BEGIN CERTIFICATE-----
            [...]
            -----END CERTIFICATE-----
            ---
            Server certificate
            subject=/CN=<my hostname>
            issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
            ---
            No client certificate CA names sent
            Peer signing digest: SHA512
            Server Temp Key: ECDH, P-256, 256 bits
            ---
            SSL handshake has read 3239 bytes and written 302 bytes
            Verification: OK
            ---
            

            I'd still look at your client to find the problem. I don't see what else we could possibly include beyond what we have done already.

mvalen:

              When I type the same command as you, I only have the first certificate displayed, meaning that the delivered certificate does NOT contain the full chain, which is your case.

              The LetsEncrypt intermediate authority is not installed on fresh Debian 9 installs, which is the reason why I got the error.

              So I don't understand what's going wrong.

jimp (Rebel Alliance Developer, Netgate):
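The two situations in this thread (the GUI sending leaf plus intermediate, the reverse proxy sending only the leaf) can be told apart from the `openssl s_client -showcerts` output alone. The following is an added example, not code from the thread or from pfSense: it parses the "Certificate chain" section of that output and reports whether every issuer is either served by the server or already in the client's trust store. The hostname `www.example.com`, the embedded sample outputs and the one-entry trust store are constructed.

```python
# Added example (not from the thread or pfSense): parse the "Certificate chain"
# section of `openssl s_client -showcerts` and check the server sent every
# intermediate needed to reach a root the client already trusts.
import re

# Constructed trust store: a client that trusts DST Root CA X3 but lacks the
# Let's Encrypt intermediate needs the server to send that intermediate.
TRUSTED_ROOTS = {"/O=Digital Signature Trust Co./CN=DST Root CA X3"}

# One chain entry: " N s:<subject>" followed by "   i:<issuer>".
ENTRY_RE = re.compile(r"^\s*\d+ s:(?P<subject>\S.*)\n\s*i:(?P<issuer>\S.*)$", re.M)

# Constructed sample modelled on the GUI output above: leaf plus intermediate.
FULL_CHAIN = """\
Certificate chain
 0 s:/CN=www.example.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
"""
# Constructed sample for the reverse-proxy case: only the leaf is sent.
LEAF_ONLY = FULL_CHAIN.split(" 1 s:")[0] + "---\nServer certificate\n"


def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    if "Certificate chain" not in output:
        return []
    section = output.split("Certificate chain", 1)[1].split("Server certificate", 1)[0]
    return [(m["subject"].strip(), m["issuer"].strip()) for m in ENTRY_RE.finditer(section)]


def check_chain(output, trusted_roots=TRUSTED_ROOTS):
    """Return (complete, missing_issuer): complete is True when every cert's
    issuer is either served next in the chain or is a trusted root."""
    chain = parse_chain(output)
    served = {subject for subject, _ in chain}
    for subject, issuer in chain:
        if issuer in trusted_roots or issuer == subject:  # reached a root
            return True, None
        if issuer not in served:  # client must supply it itself (curl error 60)
            return False, issuer
    return False, None  # nothing served, or a cycle that never reaches a root
```

Passing a trust store that also contains the intermediate's subject reproduces the workaround from the first post: the leaf-only chain then verifies, which is why browsers and a patched CA bundle succeed while a stock client fails.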

                What service are you attempting to connect to that is not sending the full chain? Is it the GUI, or some other package?

mvalen:

                  I'm trying to reach a website hosted behind a Squid Reverse-Proxy configured to use this certificate.

jimp (Rebel Alliance Developer, Netgate):

                    Then it's probably a bug in the Squid Reverse Proxy function and not ACME or pfSense in general.

                    Use HAProxy instead and you'll be much better off. I don't believe anyone is currently maintaining the squid reverse proxy function.

mvalen:

                      Ok jimp, I will try HAProxy tonight; I hope it will provide me the feature I was looking for in Squid, even if it is very buggy.

mvalen:

                        Ok, it worked fine with HAProxy. I would suggest you drop the Squid packages since many features are deprecated or not working properly :)
                        Thank you for all your amazing stuff.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.