Question

SSL certificate problem: unable to get local issuer certificate for

  • November 14, 2024
  • 38 replies
  • 2697 views


ponchoh
  • Centreonian
  • July 22, 2025

Hello ​@S.lhotellier 

 

We have this example for the configuration. Can you try that instead of your configuration?

 

...
...
<VirtualHost *:443>
#####################
# SSL configuration #
#####################
SSLEngine On
SSLProtocol All -SSLv3 -SSLv2 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-DSS-AES256-GCM-SHA384:DHE-DSS-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ADH:!IDEA
SSLHonorCipherOrder On
SSLCompression Off
SSLCertificateFile /etc/pki/tls/certs/ca.crt
SSLCertificateKeyFile /etc/pki/tls/private/ca.key
...
...

as you have things like:

SSLProtocol all -TLSv1.2

SSLProtocol all +TLSv1.2 +TLSv1.3

 

On the one configuration.


  • September 5, 2025

Hello,

 

Same issue here.

SSL certificate problem: unable to get local issuer certificate for "https://123.456.789.000/centreon/api/latest/configuration/hosts".

I had an expired certificate. I replaced it with the currently valid one. That wasn’t enough, same error message. I simply added a DNS entry covered by the certificate in the /etc/hosts file with the IP mentioned in the error message, and it worked.

I can add new hosts now.


  • Builder *
  • October 29, 2025

Hi, 

 

I have the same issue... freshly installed 24.10.13.

Cert is fine, is trusted…


ponchoh
  • Centreonian
  • October 29, 2025

Can you do a curl to your FQDN from your CLI on the Central? Do you get any errors?


  • Builder *
  • October 29, 2025

Yes, curl is OK.

*  SSL certificate verify ok.


ponchoh
  • Centreonian
  • October 29, 2025

@ahartung self-signed or known CA?


  • Builder *
  • October 29, 2025

known CA


  • Builder *
  • October 29, 2025

Website HTTPS is OK... certificate is OK.

LDAP Search is working


  • Builder *
  • October 29, 2025

Now it is working 😎

I created a new chain

 

cat /etc/pki/tls/certs/root.crt /etc/pki/tls/certs/intermediate.crt > /etc/pki/tls/certs/sectigo_chain.crt

 

sudo update-ca-trust
sudo update-ca-trust extract



and restart httpd 

 


ponchoh
  • Centreonian
  • October 29, 2025

What error do you see and where?


  • Builder *
  • October 29, 2025

Sectigo chain in the Red Hat system was OK


curl -v https://cpint-cestst01.rbdom.rbroot.net --cacert /etc/pki/tls/certs/root_sectigo.crt

* Trying 10.236.23.87:443...
* Connected to cpint-cestst01.rbdom.rbroot.net (10.236.23.87) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* CAfile: /etc/pki/tls/certs/root_sectigo.crt
* TLSv1.0 (OUT), TLS header, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS header, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS header, Finished (20):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.2 (IN), TLS header, Unknown (23):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS header, Unknown (21):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: unable to get local issuer certificate
* Closing connection 0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


The certificate was not from root-ca

Root CA: Sectigo Public Server Authentication Root R46
   ↓
Intermediate: Sectigo Public Server Authentication CA OV R36
   ↓
Server certificate: cpint-cestst01.rbdom.rbroot.net



I created a new chain

cat /etc/pki/tls/certs/root.crt /etc/pki/tls/certs/intermediate.crt > /etc/pki/tls/certs/sectigo_chain.crt

 

sudo update-ca-trust
sudo update-ca-trust extract


In Centreon version 24.10.5 I think it was working... OK, now it is fine :)



and restart httpd 

 


That's fine and working :)
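The Root → Intermediate → Server chain described in the post above can be reproduced offline. This is an added example, not part of the original post: it builds a constructed throwaway PKI (the names Demo Root, int.demo.test and leaf.demo.test are placeholders) and shows that verifying the leaf against the root alone yields the same "unable to get local issuer certificate" error, while supplying the intermediate, either from the server side or in the trust file, makes verification succeed.

```shell
#!/bin/sh
# Constructed throwaway PKI: Demo Root -> int.demo.test -> leaf.demo.test
make_demo_pki() {
  pki=$1
  cat > "$pki/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
  openssl req -x509 -config "$pki/pki.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -days 2 -subj "/CN=Demo Root" -keyout "$pki/root.key" -out "$pki/root.crt" 2>/dev/null &&
  for n in int leaf; do
    openssl req -new -config "$pki/pki.cnf" -newkey rsa:2048 -nodes -subj "/CN=$n.demo.test" \
      -keyout "$pki/$n.key" -out "$pki/$n.csr" 2>/dev/null || return 1
  done &&
  openssl x509 -req -in "$pki/int.csr" -CA "$pki/root.crt" -CAkey "$pki/root.key" \
    -set_serial 1 -days 2 -extfile "$pki/pki.cnf" -extensions v3_ca \
    -out "$pki/int.crt" 2>/dev/null &&
  openssl x509 -req -in "$pki/leaf.csr" -CA "$pki/int.crt" -CAkey "$pki/int.key" \
    -set_serial 2 -days 2 -extfile "$pki/pki.cnf" -extensions v3_leaf \
    -out "$pki/leaf.crt" 2>/dev/null
}

# Prints OK, or OpenSSL's failure reason, for leaf $2 against trust anchors $1.
# Optional $3: intermediates the server presents in the handshake (untrusted).
check_chain() {
  if out=$(openssl verify -CAfile "$1" ${3:+-untrusted "$3"} "$2" 2>&1); then
    echo OK
  else
    printf '%s\n' "$out" | sed -n 's/^error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

demo=$(mktemp -d) && make_demo_pki "$demo" && {
  # Client trusts the root only; server sends the leaf without the intermediate.
  echo "root only:              $(check_chain "$demo/root.crt" "$demo/leaf.crt")"
  # Server sends leaf plus intermediate (a full chain on the web server).
  echo "server sends chain:     $(check_chain "$demo/root.crt" "$demo/leaf.crt" "$demo/int.crt")"
  # Client trust file holds root and intermediate (the concatenated chain file).
  cat "$demo/root.crt" "$demo/int.crt" > "$demo/chain.crt"
  echo "intermediate in trust:  $(check_chain "$demo/chain.crt" "$demo/leaf.crt")"
}
```

To see which certificates a real server presents, `openssl s_client -connect host:443 -showcerts` lists them; a single certificate in that output means the intermediate is not being sent.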


  • November 18, 2025

Hello,

Issue again today on older servers.

- New self-signed cert (https://docs.centreon.com/docs/administration/secure-platform/#secure-the-web-server-with-https)
- ServerName missing in /etc/apache2/sites-available/* conf
- Restart apache2 and php8.2-fpm

Done.


  • Steward *
  • January 19, 2026

Hi,

I got the first issue and a solution today. As I might come to this issue once again in the future, I’ll write down what I’ve done. For context on my side, I should complete the description:

  • I am able to duplicate a host
  • I am able to save anything like a service
  • I am unable to save a host with the message in the first post (even without modifying anything)
    • Either trying to edit an entry or creating a new host: impossible
  • As a workaround, editing the db entry is possible

In my case, I suspect an issue either with Sectigo CA, Mozilla CA bundle (which is the one of my OS, I suppose) or Debian 12. To solve this:

curl -w %{certs} https://myserveraddress.full.name -k > /etc/ssl/certs/ca_issue.pem

(create the CA file in PEM format from info provided by the https server)

openssl x509 -inform PEM -in /etc/ssl/certs/ca_issue.pem -out /etc/ssl/certs/ca_issue.crt

(convert the PEM to a CRT)

update-ca-certificates --fresh

(erase everything from my certificate database and rebuild a new one)

 

WARNING: this is a Debian 12 solution. If you are using another distribution, the folder of your CA store is different.

 

It is terribly wrong to do that as this CA should already be in my local store. So I’ll call it a “dirty solution as I have no idea why it is not working from fresh install”. If in the future you want to erase what you’ve done: delete the two files and relaunch the last command.