The certificate chain failed OpenSSL’s verification

Discussion in 'Security' started by meeven, Jun 12, 2018.

  1. meeven

    meeven Well-Known Member

    Joined:
    May 8, 2007
    Messages:
    132
    Likes Received:
    1
    Trophy Points:
    168
    I am trying to install SSL on a domain recently migrated from a Hostgator cPanel server and having its DNS hosted externally. On checking the logs, I got the following errors:

    Code:
    Log for the AutoSSL run for “clientdomain”: Tuesday, June 12, 2018 6:48:56 PM GMT+05-30 (Let’s Encrypt™)
     6:48:56 PM AutoSSL’s configured provider is “Let’s Encrypt™”.
     Checking websites for “clientdomain” …
     6:48:56 PM Checking “clientdomain.com” …
     6:48:56 PM ERROR TLS Status: Defective
     Certificate expiry: 5/31/19, 2:20 AM UTC (352.54 days from now)
     ERROR Defect: OPENSSL_VERIFY: The certificate chain failed OpenSSL’s verification (0:18:DEPTH_ZERO_SELF_SIGNED_CERT).
     6:49:03 PM WARN “Let’s Encrypt™” DCV error (clientdomain.com): Invalid response from http://clientdomain.com/.well-known/acme-challenge/8IEZMOStz-0mjNo8pVeFSy7BBrKhSkevS3n76i4bHA4: " <!DOCTYPE html> <html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equi" (The client lacks sufficient authorization (urn:acme:error:unauthorized))
     WARN “Let’s Encrypt™” DCV error (www.clientdomain.com): Invalid response from http://www.clientdomain.com/.well-known/acme-challenge/1dex54YGjCQU8lODvaqjI7Glqr8U7QlXDyrM_sGn6Ts: " <!DOCTYPE html> <html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equi" (The client lacks sufficient authorization (urn:acme:error:unauthorized))
     WARN “Let’s Encrypt™” DCV error (mail.clientdomain.com): Invalid response from http://mail.clientdomain.com/.well-known/acme-challenge/CxIbzQAanIlUc9D9IhGE4FgLN_lAd269g-MiOkaPuq4: " <!DOCTYPE html> <html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equi" (The client lacks sufficient authorization (urn:acme:error:unauthorized))
     ERROR Impediment: TOTAL_DCV_FAILURE: Every domain failed DCV.
     6:49:03 PM The system has completed the AutoSSL check for “clientdomain”.
    
    I checked the /home/username/public_html/.well-known/acme-challenge folder and didn't find any of the files listed in the error message above, if that's what they are.

    It would be very helpful to know exactly what the problem is here and how to fix it.
     
    #1 meeven, Jun 12, 2018
    Last edited by a moderator: Jun 12, 2018
  2. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Joined:
    Nov 14, 2017
    Messages:
    2,230
    Likes Received:
    160
    Trophy Points:
    143
    Location:
    Houston
    cPanel Access Level:
    DataCenter Provider
    Hello,


    Does the domain have an AAAA record, or is it by chance using IPv6? If so, can you confirm that the IPv6 address resolves to the server? Furthermore, if you switch to the Comodo provider rather than the Let's Encrypt provider, do you continue to receive the same error?

    Thanks!
     
  3. meeven

    meeven Well-Known Member

    @cPanelLauren, thanks for editing the title of my post! I couldn't find a way to do it myself. :)

    To answer your question, yes, the domain has an AAAA record at the external DNS provider for both the root domain and the www domain. And the IPv6 address does resolve to the server FQDN. I also checked the Basic Config section of WHM setup, and both the IPv4 and IPv6 addresses are bound to the server. The only non-standard thing about the domain's config (in fact, all domains on the server) is that it uses external DNS, via Linode DNS manager.

    About using Comodo as the provider, I am not sure what impact this might have. Is this safe to change?
     
  4. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @meeven

    It is safe to change, though it will update the certificate on any domains to Comodo SSLs if they don't currently have certificates.
     
  5. meeven

    meeven Well-Known Member

    @cPanelLauren, I was able to get this sorted out, thanks to cPanel tech support.

    The solution is to assign the IPv6 address to the domain using the WHM » "Assign IPv6 Address" interface and then run LetsEncrypt for the domain again.
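
Added example, not part of the thread and not cPanel's own tooling: a check for the cause found above, requesting one file under `/.well-known/acme-challenge/` separately over IPv4 and IPv6 and comparing what each address family serves. Let's Encrypt prefers the AAAA address when one exists, so an HTML page over IPv6 reproduces the DCV error in the log. The probe file, the function names and the labels are assumptions made for this illustration.

```python
import http.client
import socket

FAMILIES = {"IPv4": socket.AF_INET, "IPv6": socket.AF_INET6}

def fetch_via(family, host, path, timeout=5):
    """GET http://host/path over one address family -> (status, start of body)."""
    try:
        addr = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)[0][4][0]
        conn = http.client.HTTPConnection(addr, 80, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.read(512).decode("utf-8", "replace")
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)  # no record, no route, refused, timeout

def classify(status, body, expected):
    """Label one family's answer against the probe file's known content."""
    if status is None:
        return "unreachable"
    if status == 200 and body.strip() == expected:
        return "ok"
    if "<html" in body.lower() or body.lstrip().lower().startswith("<!doctype"):
        return "html-page"  # a web page instead of the token, as in the log
    return "missing"

def diagnose(results, expected):
    """results: {"IPv4": (status, body), "IPv6": (status, body)} -> (labels, hint)."""
    labels = {fam: classify(s, b, expected) for fam, (s, b) in results.items()}
    if all(v == "ok" for v in labels.values()):
        hint = "Both families serve the probe; DCV requests reach this account."
    elif labels.get("IPv4") == "ok" and labels.get("IPv6") != "ok":
        hint = ("The AAAA address does not serve this account's files; assign "
                "the IPv6 address to the domain in WHM, as in this thread.")
    else:
        hint = "The probe is not served over IPv4; check the A record and docroot."
    return labels, hint

if __name__ == "__main__":
    import sys
    # Arguments: hostname, probe path, exact content of the probe file.
    host, path, expected = sys.argv[1:4]
    results = {name: fetch_via(fam, host, path) for name, fam in FAMILIES.items()}
    labels, hint = diagnose(results, expected)
    print(labels, hint, sep="\n")
```

Create a small text file with known content under the account's `.well-known/acme-challenge/` directory first, then pass the hostname, the file's URL path and its content as the three arguments.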
     
  6. cPanelLauren

    cPanelLauren Forums Analyst
    Staff Member

    Hi @meeven

    Glad to hear you were able to get the issue sorted out! Thanks for letting us know what the resolution was.


    Thanks!
     