Self-signed certificate in chain

I use my own wildcard certificate for the domain. But I see an error in the nginx log, for example:
[error] 354112#354112: OCSP_basic_verify() failed (SSL: error:13800065:OCSP routines::certificate verify error:Verify error: self-signed certificate in certificate chain) while requesting certificate status, responder: ocsp.globalsign.com, peer: 151.101.130.133:80, certificate: "/home/user/conf/web/mydomain/ssl/mydomain.pem"
I opened this file and checked it - there is only one wildcard certificate + 2 root certificates at the end. At the same time, some services really do not work, because they detect a self-signed certificate in the chain.
I do not see any error in the browser either (chrome).
I checked from another machine with openssl s_client -showcerts -connect mydomain.com:443 and it looks good - every part of the chain answers OK.

Without knowing the actual domain, it is hard to guess what’s going on. Perhaps you are using the wrong intermediate certificate, or you added more CA certificates than necessary…

Show the output of this command (replace example.com by the actual domain):

openssl s_client -connect example.com:443 -servername example.com 1>/dev/null <<<:

Thank you for your answer

This is the log in nginx error.log for each user domain. As an example, one of the domains:

2025/01/22 12:50:26 [error] 647551#647551: OCSP_basic_verify() failed (SSL: error:13800065:OCSP routines::certificate verify error:Verify error: self-signed certificate in certificate chain) while requesting certificate status, responder: ocsp.globalsign.com, peer: 151.101.194.133:80, certificate: "/home/shaffer/conf/web/dezarsenal.ru/ssl/dezarsenal.ru.pem"

And the answer for this domain on

openssl s_client -connect dezarsenal.ru:443 -servername dezarsenal.ru 1>/dev/null <<<:


depth=2 OU = GlobalSign Root CA - R6, O = GlobalSign, CN = GlobalSign
verify return:1
depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign GCC R6 AlphaSSL CA 2023
verify return:1
depth=0 CN = www.dezarsenal.ru
verify return:1
DONE


Earlier I wrote that some services do not work because of the presence of a self-signed certificate in the chain. But now this problem does not exist. I apologize for misleading you - earlier with similar behavior the service had a different response when requesting openssl, but this entry in the nginx log file still confuses me.

I don’t see any obvious issues, everything seems to be working fine on my end. The only thing to note is that you mentioned the certificate was a wildcard certificate, but the one you are using is not a wildcard certificate.

Try to check OCSP validation:

cd /home/shaffer/conf/web/dezarsenal.ru/ssl/
openssl ocsp -issuer dezarsenal.ru.ca -cert dezarsenal.ru.pem -text -url http://ocsp.globalsign.com

Additionally, the error message in the log could simply be caused by a single issue, such as a problem validating the certificate, a network issue, or an error with GlobalSign.

If you notice this happening repeatedly, you could always disable ssl_stapling. In that case, browsers will rely on OCSP or CRLs to validate the certificate.

Although you’re not using it, as an example, Let’s Encrypt will discontinue the use of OCSP for their certificates on May 7th, 2025, and will instead rely on CRLs. Your certificate supports both methods (OCSP and CRL).

Yes, I really do not use a wildcard certificate on this domain. Firstly, I meant another domain, and I gave this one just as an example. I tried to perform a check and got this answer:

OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: D8B906F1819A8909FDC3D3A1C1C47E7BA395C45E
          Issuer Key Hash: AE6C05A39313E2A2E7E2D71CD6C7F07FC86753A0
          Serial Number: 619D00A3C845D7B8AAF59273
    Request Extensions:
        OCSP Nonce:
            04104E2C9ACF066B41C5DEC264A130E20F4F
Error querying OCSP responder
40E715A4A67F0000:error:1E800074:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:redirection not enabled:../crypto/http/http_client.c:647:
40E715A4A67F0000:error:1E800076:HTTP routines:OSSL_HTTP_REQ_CTX_nbio:unexpected content type:../crypto/http/http_client.c:676:expected=application/ocsp-response, actual=text/html
40E715A4A67F0000:error:1E800067:HTTP routines:OSSL_HTTP_REQ_CTX_exchange:error receiving:../crypto/http/http_client.c:874:server=http://ocsp.globalsign.com:80

As far as I could understand this answer, a redirect is set up on the verification domain, which is not followed by the verification script, and the response received from the server does not match the expected one. I tried to go to the specified address and was indeed redirected to "Digital Certificates - PKI - SSL/TLS | GlobalSign GMO".
Is this the expected behavior? In that case, maybe there is an incorrect address hardcoded somewhere in nginx?

Sorry, I used the wrong url, use this:

cd /home/shaffer/conf/web/dezarsenal.ru/ssl/
openssl ocsp -issuer dezarsenal.ru.ca -cert dezarsenal.ru.pem -text -url http://ocsp.globalsign.com/gsgccr6alphasslca2023
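An added example, written for this thread and not taken from it or from the OpenSSL or nginx projects: a POSIX shell script that builds a throwaway root / intermediate / leaf chain with OpenSSL and then demonstrates, offline, the two points that came up above. First, the OCSP responder URL belongs to the certificate (its Authority Information Access extension) and can be read with openssl x509 -ocsp_uri instead of being typed by hand; the difference between the bare host and the full /gsgccr6alphasslca2023 path is what turned the query into an HTML redirect. Second, what "self-signed certificate in certificate chain" (OpenSSL error 19, X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN) actually means: the verifier managed to build the chain from the supplied certificates all the way up to a self-signed root, but that root is not in its trust store. The subject names, file names and the responder URL http://ocsp.example.test/hypothetical-issuer are all constructed placeholders for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a throwaway CA chain and reproduces
# the "self-signed certificate in certificate chain" verify error offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Hypothetical OCSP responder URL for the demo chain (placeholder, not a real responder).
OCSP_URL="http://ocsp.example.test/hypothetical-issuer"

# Generate an EC key + CSR; $1 = file prefix, $2 = subject.
new_csr() {
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

gen_chain() {
  # 1. Self-signed root CA.
  new_csr root "/O=Example Test/CN=Example Test Root"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
    > "$WORK/root.ext"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/root.ext" -out "$WORK/root.pem" 2>/dev/null

  # 2. Intermediate (issuing) CA signed by the root.
  new_csr ca "/O=Example Test/CN=Example Test Issuing CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    > "$WORK/ca.ext"
  openssl x509 -req -in "$WORK/ca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" 2>/dev/null

  # 3. Leaf signed by the intermediate, with the OCSP responder URL in its AIA extension.
  new_csr leaf "/CN=www.example.test"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\nauthorityInfoAccess=OCSP;URI:%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    "$OCSP_URL" > "$WORK/leaf.ext"
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # The CA part of a "fullchain" file as deployed on a web server: intermediate, then root.
  cat "$WORK/ca.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# Read the responder URL from the certificate instead of guessing it.
ocsp_url_of_leaf() {
  openssl x509 -in "$WORK/leaf.pem" -noout -ocsp_uri
}

# Chain verification with the root in the trust store: succeeds (exit 0).
verify_leaf_trusting_root() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/chain.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same chain, empty trust store: the chain builds up to the self-signed root, but nothing
# trusts it, so OpenSSL reports X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN (error 19).
# Returns 0 when that error text appears (spelled "self signed" on OpenSSL 1.1.1).
verify_leaf_without_trust() {
  openssl verify -no-CAfile -no-CApath -untrusted "$WORK/chain.pem" "$WORK/leaf.pem" 2>&1 \
    | grep -qE 'self.signed certificate in certificate chain'
}

gen_chain
echo "OCSP responder from the leaf's AIA: $(ocsp_url_of_leaf)"
verify_leaf_trusting_root && echo "root trusted:   leaf verifies OK"
verify_leaf_without_trust && echo "root untrusted: self-signed certificate in certificate chain"
```

The same split between "certificates I serve" and "roots I trust" exists in nginx: with ssl_stapling_verify on, nginx checks the OCSP response it fetched against the CA certificates given in ssl_trusted_certificate, not against the chain in ssl_certificate, so a responder chain that ends in a root nginx has no trust anchor for produces exactly the OCSP_basic_verify() message seen in the log, while browsers, which carry their own root store, show nothing wrong.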