SSL website can't be accessed by curl unable to get local issuer certificate

aaP_admin93

Hello,

Yesterday I installed fresh install of aaPanel version 6.8.22 on Ubuntu 20 server.

I moved couple websites and generate SSL cert for them using build in tool (let's encrypt).

From end user perspective everything work nice, and i can access those websites via SSL protocol without any warnings.

Today I noticed that all those websites failed remote check, when I'm trying make api call from CURL using different server it fail with CURL 60: unable to get local issuer certificate

SSL Shopper says:
The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider.

I'm using default nginx configuration that looks like this:

  #HTTP_TO_HTTPS_END
    ssl_certificate    /www/server/panel/vhost/cert/xxx/fullchain.pem;
    ssl_certificate_key    /www/server/panel/vhost/cert/xxx/privkey.pem;
    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    add_header Strict-Transport-Security "max-age=31536000";
    error_page 497  https://$host$request_uri;

    #SSL-END

I can't find what might be wrong since i'm using default config - i expect more people would have this issue.

Any help would be great!

aaPanel_Kern

aaP_admin93
Hi, have you enabled 301 redirects?
Whether there is an error in the process of applying for an SSL certificate. Are there screenshots.

aaP_admin93

aaPanel_Kern
SSL is issued successfully and it's working in all common browsers i tested but when testing in curl it fail (this is critical since i'm using php api calls to websites).

I can't see any redirects (tested from postman)

aaP_admin93

I found problem and temporary solution,
When creating websites i added hostnames as domain.com and www.domain.com.
aaPanel generated SSL for those two domains but this is creating this error (in postman i can see while accessing mydomain.com ssl CA is for www.mydomain.com.
I removed www.mydomian.com on SSL tab and disable SSL, enable (get new cert just for mydomain.com) - and now it working perfect.

I have feeling this might be bug (?)
For www and non www there should be two certificates and nginx should send correct one (but i'm not ssl expert, i know there are wildcards but can they allow multiple hostnames? i'm not sure)

But this is how i resolved issue.
Most like for redirect i will create blank www.mydomain.com and make it redirect.

aaPanel_Kern

aaP_admin93
Hello, you can check the curl problem:
https://curl.se/docs/sslcerts.html

There are wildcards to allow multiple hostnames, but this is commercial SSL