Sunday, October 27, 2024

Re: Hosting gitea with httpd and relayd: git and curl return "SSL certificate problem: unable to get local issuer certificate"

I want to provide a quick update.

It took some time, but renaming the certificates actually worked. I don't know why it didn't work immediately, despite several "# rcctl restart relayd" commands, but after some time it just started working.

I no longer receive SSL certificate errors when running "git clone" and "curl". I also tested a "git push", and it worked perfectly.


Thanks again for your help.

On Sun, Oct 27, 2024 at 10:22 AM Am Jam <intdfdx@gmail.com> wrote:
On Sat, Oct 26, 2024 at 11:32 PM Anthony J. Bentley <anthony@anjbe.name> wrote:
relayd will pick up src.domain.io.crt, which is probably not a
full chain certificate. It won't pick up src.domain.io.fullchain.pem,
which is (probably) a full chain cert.

As I can't see your acme-client.conf or your previous httpd.conf that
worked without TLS errors, I'm guessing your old httpd.conf specified
src.domain.io.fullchain.pem as its certificate instead of
src.domain.io.crt, which is why it worked, and your acme-client.conf
probably only writes a full chain to src.domain.io.fullchain.pem.

Anthony, thank you for your generous time troubleshooting with me here. Your assumptions are correct; however, the obvious solution of renaming the fullchain certificate file doesn't appear to work.

# acme-client.conf
 domain src.domain.io {
        domain key "/etc/ssl/private/src.domain.io.key"
        domain certificate "/etc/ssl/src.domain.io.crt"
        domain full chain certificate "/etc/ssl/src.domain.io.fullchain.pem"
        sign with letsencrypt
}

# OLD httpd.conf
server "src.domain.io" {
        listen on * tls port 443

        tls {
                certificate "/etc/ssl/src.domain.io.fullchain.pem"
                key "/etc/ssl/private/src.domain.io.key"
        }

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }

        location "/*" {
                fastcgi socket tcp 127.0.0.1 3000
        }
}

server "src.domain.io" {        
        listen on * port 80

        location "/.well-known/acme-challenge/*" {
                root "/acme"
                request strip 2
        }
        location * {
                block return 302 "https://$HTTP_HOST$REQUEST_URI"
        }
}


That httpd.conf was my old httpd-only-no-relayd working config.
Now that I have relayd up and running, reading your replies made me think I could do the following:

# cd /etc/ssl
# mv src.domain.io.crt src.domain.io.notfullchain.crt
# mv src.domain.io.fullchain.pem src.domain.io.crt

This does not appear to disrupt the browser pointing to src.domain.io. However, "git clone" and "curl" still return the error: SSL certificate problem: unable to get local issuer certificate.


Many Thanks.

No comments:

Post a Comment