ubnt-letsencrypt

SSL certificate problem: unable to get local issuer certificate (potentially just on older firmware)

Open m-hume opened this issue 3 years ago • 1 comments

I currently run EdgeRouter ER-X/ER-X-SFP/EP-R6: Firmware v1.10.10 on several devices. Recently the following error is given (with --debug 3): SSL certificate problem: unable to get local issuer certificate

curl is using an out-of-date cacert.pem for SSL communications.

# update to the latest version of the script
curl https://raw.githubusercontent.com/j-c-m/ubnt-letsencrypt/master/install.sh | sudo bash
# get the most recent cacert.pem
sudo curl --insecure https://curl.se/ca/cacert.pem --output /config/ssl/cacert.pem
# make acme.sh use it
echo CA_BUNDLE=\'/config/ssl/cacert.pem\' | sudo tee -a /config/.acme.sh/account.conf

Hope this saves someone some time. mh

m-hume, Jan 05 '22 09:01

Did save my day, THANKS!

rogerthn2019, Apr 20 '22 18:04

I had to downgrade a few ER-X from 2.0.9 to 1.10.11 because of stability issues; the above fix will still work. Also adding a system-wide fix from https://community.ui.com/questions/Fix-Solution-Lets-Encrypt-DST-Root-CA-X3-Expiration-Problems-with-IDS-IPS-Signature-Updates-HTTPS-E/0404a626-1a77-4d6c-9b4c-17ea3dea641d?page=1

sudo -i
sed -i 's|^mozilla\/DST_Root_CA_X3\.crt|!mozilla/DST_Root_CA_X3.crt|' /etc/ca-certificates.conf
curl -sk https://letsencrypt.org/certs/isrgrootx1.pem -o /usr/local/share/ca-certificates/ISRG_Root_X1.crt
update-ca-certificates --fresh

j-c-m, Jun 12 '23 16:06
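
Both workarounds above fetch trust anchors with certificate verification turned off (`curl --insecure`, `curl -sk`), so nothing authenticates the file that arrives. The following is an added example, not part of the thread or of ubnt-letsencrypt: it installs such a file only if it matches a SHA-256 digest obtained on a separate machine over verified TLS. The function name `verify_and_install` and the `/tmp` staging path are assumptions.

```shell
#!/bin/sh
# Added example: gate a CA file fetched with `curl --insecure` / `curl -k`
# behind a digest check before it becomes a trust anchor.
# Assumption: the expected SHA-256 was computed on a different, trusted
# machine that downloaded the same file over verified TLS.

# verify_and_install <downloaded-file> <expected-sha256> <destination>
# Returns 0 and installs only if the digest matches and the file holds PEM.
# Returns 1 on digest mismatch, 2 on missing/empty input, 3 if not PEM.
verify_and_install() {
    src=$1; expected=$2; dest=$3

    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 2; }

    # Digest of what actually arrived over the unverified connection.
    actual=$(sha256sum "$src" | awk '{print $1}')
    # Normalise the operator-supplied value (upper case, colons, spaces).
    expected=$(printf '%s' "$expected" | tr -d ': \n' | tr 'A-F' 'a-f')

    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $src" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi

    # Sanity check: a trust store must contain at least one PEM certificate.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$src" || {
        echo "no PEM certificate found in $src" >&2; return 3; }

    # Stage next to the destination, then rename, so curl/acme.sh never
    # read a half-written bundle.
    tmp="$dest.new.$$"
    cp "$src" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}

# Usage on the router (placeholder digest, supplied by the operator):
#   curl --insecure https://curl.se/ca/cacert.pem --output /tmp/cacert.pem
#   verify_and_install /tmp/cacert.pem "<sha256-from-trusted-machine>" \
#       /config/ssl/cacert.pem
```

A mismatch leaves the existing destination file untouched, so a failed check does not replace a working bundle.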

@j-c-m should probably add those steps into the installation instructions, at least for EdgeOS 1.x.

RobBiddle, Oct 19 '23 21:10

0b6acca now incorporates the cacert bundle update in the install/update script!

j-c-m, Nov 12 '23 21:11