
Certificate Chain invalid with LE and NPM

Open lordimac opened this issue 1 year ago • 3 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

We are using NPM with Let's Encrypt certificates. After creating a host and issuing the certificate, everything works fine on modern browsers and the latest systems. The certificate is valid. But if we try to open the website on an older system, like Android 7, the SSL validation fails. It looks like this is because of an old and invalid root certificate. If we check the website with sslchecker.com, it also tells us that CHAIN CERT 1 and ROOT 1 are missing. If we check the chain details, we see that DST Root CA X3 and a NA cert have been invalid since 29/30 September 2021. If I check letsencrypt.org with sslchecker.com, everything is fine.

Nginx Proxy Manager Version

v2.9.19

To Reproduce

Steps to reproduce the behavior: Create Cert for Domain and check with sslchecker.com

Screenshots

[screenshot: firefox_2023-01-12_11-26-03]

Operating System

Android 7.0

lordimac, Jan 12 '23 10:01

OK, I commented out the following line in letsencrypt.ini:

preferred-chain = ISRG Root X1

After removing and reissuing the certificate, I get a valid chain.

[screenshot: firefox_2023-01-12_13-20-12]

lordimac, Jan 12 '23 12:01

Hi,

I have nearly the same problem. I downloaded the certificate from the NPM "SSL Certificates" page and use it with a GitLab server. [image]

If you use the "GitHub Desktop" Client and try to connect to the GitLab server, you get this error message: [image]

If you create the certificate with the certbot tool (Docker image "certbot/certbot": docker run -it certbot/certbot ....), the "GitHub Desktop" Client works fine; you do not get any error messages.

The chain.pem from NPM contains only one certificate; only the intermediate certificate from Let's Encrypt.

openssl crl2pkcs7 -nocrl -certfile ./npm/chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

The chain.pem from certbot contains two certificates.

openssl crl2pkcs7 -nocrl -certfile ./certbot/chain.pem | openssl pkcs7 -print_certs -noout
subject=C = US, O = Let's Encrypt, CN = R3
issuer=C = US, O = Internet Security Research Group, CN = ISRG Root X1

subject=C = US, O = Internet Security Research Group, CN = ISRG Root X1
issuer=O = Digital Signature Trust Co., CN = DST Root CA X3

Same with the fullchain.pem: NPM contains two certificates and certbot contains three certificates.

Is it possible to create chain files with the complete chain?

=> chain.pem = intermediate and root certificate
=> fullchain.pem = intermediate, root and server certificate

Shineson1001, Jan 13 '23 11:01
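
Added example, not part of the thread and not NPM or certbot code: a standard-library Python check that reports what the two openssl listings above show by eye, namely how many certificates a chain.pem or fullchain.pem holds, whether each one is issued by the next, and which issuer the top of the bundle points to. The names chain_report, issuer_subject and sample_pem are chosen here; sample_pem builds constructed, skeletal DER (not real certificates), and names are compared byte-for-byte with no signature verification.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)
CN_OID = b"\x06\x03\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER Name bytes (issuer, subject) of one certificate."""
    _, pos, _ = _tlv(der, 0)    # enter Certificate
    _, pos, _ = _tlv(der, pos)  # enter TBSCertificate
    fields = []
    while len(fields) < 5:      # serial, sigAlg, issuer, validity, subject
        tag, _, end = _tlv(der, pos)
        if tag != 0xA0:         # skip the optional [0] version wrapper
            fields.append(der[pos:end])
        pos = end
    return fields[2], fields[4]

def _cn(name):
    """Best-effort commonName from a DER Name, for display only."""
    i = name.find(CN_OID)
    if i < 0:
        return "?"
    _, start, end = _tlv(name, i + len(CN_OID))
    return name[start:end].decode("utf-8", "replace")

def chain_report(pem_text):
    """Summarise a PEM bundle such as chain.pem or fullchain.pem."""
    certs = [issuer_subject(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not certs:
        raise ValueError("no certificates found")
    # Each certificate's issuer must equal the subject of the one after it.
    ordered = all(certs[i][0] == certs[i + 1][1] for i in range(len(certs) - 1))
    top_issuer, top_subject = certs[-1]
    return {"count": len(certs), "ordered": ordered,
            "top_subject": _cn(top_subject), "top_issuer": _cn(top_issuer),
            "ends_self_issued": top_issuer == top_subject}

def sample_pem(subject, issuer):
    """Constructed sample: skeletal DER holding only the fields read above."""
    d = lambda tag, body: bytes([tag, len(body)]) + body  # short-form lengths only
    name = lambda cn: d(0x30, d(0x31, d(0x30, CN_OID + d(0x0C, cn.encode()))))
    tbs = d(0xA0, d(0x02, b"\x02")) + d(0x02, b"\x01") + d(0x30, b"") + name(issuer) + d(0x30, b"") + name(subject)
    body = base64.b64encode(d(0x30, d(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
```

On a real bundle, call chain_report(open("chain.pem").read()); a one-entry result whose top_issuer is ISRG Root X1 corresponds to the NPM listing above, and a two-entry result whose top_issuer is DST Root CA X3 to the certbot one.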

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot], Jan 30 '24 01:01