Letsencrypt Datenschutzfehler / ERR_CERT_AUTHORITY_INVALID

Hi everyone,

I’ve been running an OH4 installation (Openhabian) on a Pi4 quite successfully. After recurring problems with the KNX bridge I decided to re-setup everything.

So after freshly flashing the SD-Card with Openhabian and restoring the backup with everything working fine, I set up the Nginx reverse proxy like before.

But now, when I try to connect to my installation via SSL, I always get ERR_CERT_AUTHORITY_INVALID in my browser, and the OpenHAB app also doesn’t connect with the remote server. I tried the following:

  • searching on the web intensely, including here - if I overlooked a thread, I’m happy to receive a hint

  • reinstalling everything again like described above

  • successfully renewing the certificate using certbot

  • successfully testing Nginx

and still it doesn’t work! All other connections (unencrypted HTTP, SSH-Sessions…) work just fine!

Certbot says:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your certificate will expire on 2024-06-01. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again with the "certonly" option. To non-interactively
   renew *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

and the output for

nginx -t

is just

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Any ideas, anyone?

So, assuming you have already actually looked in the location and see the files and confirmed that the path you specified in nginx.conf is exactly right?
and assuming you have checked the permissions on the directory you have those files in and insured that the user that is running nginx has at least read permissions to that directory and containing files?
Then you need to check to be sure you did not forget to comment out (put “#” in front of the default path for cert location) that is used for the other entry’s like the self-signed certs when you uncommented the path for the lets encrypt path. Nginx will take the first path it sees for cert location.
The other question is what browser are you using to access the URL?
And obviously restart the box to insure nginx read the updated configuration is also a good idea.
I have seen times when just restarting the nginx service alone did not pick up all my changes.

It would be helpful if you looked at the cert being served from NGINX in your browser, so in chrome this would be the warning in the URL bar, where you click “Site Is not Secure” → “Certificate is not valid” and then report the info printed there.

Assuming you also reloaded / restarted nginx?

(sudo) nginx -s reload
(sudo) systemctl restart nginx

Otherwise provide info as Dan requested, in general nginx reloads the certificates at start of service.

Hey digitaldan,

thank you for your time! My Chrome says this:

Does this tell you anything?

Hey thanks for the hint, I tried both - nothing changed

Actually, the setup of nginx has been happening completely automated - I used the tool openhabian-conf for the setup, and last time it worked just fine. But I took a look into the config and saw, that the paths and files should be correct… Restart doesn’t change anything. Thank you anyway for your time and help

what you posted shows you are using the self signed certificate so it does not appear you have uncommented the lets encrypt path in the correct conf file. And still have the path for the self signed certificate active. can you post the section of your niginx conf file relevant to your listening port (obviously *** out any sensitive info
Or you are not pointing at the nginx instance and are resolving to your openhab install.
Either way your browser is complaining about the fact it can not find a Root Certificate Authority named openhab.org. in his cert store.
And you are NOT presenting your lets encrypt certificate to the browser to secure the https connection.

Thank you, man!

That brings me a little closer to a solution. However, in the openhab-related part (which is included via

include /etc/nginx/sites-enabled/*;

in the nginx.conf, I cannot find any references to other certificates than the correct ones. Seems like I’m overlooking something important. This is the file:

# openHABian NGINX Configuration #

## Forward proxy
## Configure <server>:8888 as a manual (forward) proxy in your browser
## Access any local device in a *remote* (Tailscale VPN) location by target IP

server {
#    listen       8888;

    location / {
#VPN        resolver;           # use default Tailscale nameserver
#        proxy_pass https://$http_host$request_uri;
        proxy_pass http://$http_host$uri$is_args$args;

## Redirection
 server {
    if ($host = [my.domain]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

#   listen                          80;
   server_name                     [my.domain];
   return 301                      https://$server_name$request_uri;


## Reverse Proxy to openHAB
server {
#    listen                          80;
   listen                          443 ssl;
    server_name                     [my.domain];
   add_header                      Strict-Transport-Security "max-age=31536000; includeSubDomains";

    # Cross-Origin Resource Sharing.
    add_header 'Access-Control-Allow-Origin' '*' always; # make sure that also a 400 response works
    add_header 'Access-Control-Allow_Credentials' 'true' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization,Accept,Origin,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Content-Range,Range' always;
    add_header 'Access-Control-Allow-Methods' 'GET,POST,OPTIONS,PUT,DELETE,PATCH' always;
    add_header Set-Cookie X-OPENHAB-AUTH-HEADER=1;

## Secure Certificate Locations
    ssl_certificate /etc/letsencrypt/live/[my.domain]/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/[my.domain]/privkey.pem; # managed by Certbot

    location / {
        proxy_pass                              http://localhost:8080/;
        proxy_set_header Host                   $http_host;
        proxy_set_header X-Real-IP              $remote_addr;
        proxy_set_header X-Forwarded-For        $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto      $scheme;
        proxy_read_timeout 3600;

        proxy_set_header Authorization "";

## Password Protection
       auth_basic                              "Username and Password Required";
       auth_basic_user_file                    /etc/nginx/.htpasswd;

## Let's Encrypt webroot location
   location /.well-known/acme-challenge/ {
       root                                    /var/www/[my.domain];


# vim: filetype=conf

just taking a quick glance at what you posted I would think that nginx would not start correctly since you have a server block defined but you have commented out the listen port.

## Redirection
 server {
    if ($host = [my.domain]) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

#   listen                          80;
   server_name                     [my.domain];
   return 301                      https://$server_name$request_uri;


That should be throwing an error and preventing nginx from running.
Are you sure you posted the actual nginx.conf that you have active?
Are you also sure your nginx service is running ?
keep in mind nginx will process any and all conf files that are located in the site-enable folder or conf.d when running as a service
NGINX configures the server when it starts up based on configuration files. The location of the default setup is /etc/nginx/sites-enabled/default . To allow NGINX to proxy openHAB, you need to change this file (make a backup of it in a different folder first).

Okay I found the solution, actually it was my fault, so a layer 8 problem :melting_face:

In my firewall (on a Fritz Box) I forwarded to port 8443 instead of 443, which lead to redirecting the https-traffic to the OpenHAB interface that is meant for local area acces (i.e. from the LAN). That is also the reason why only OpenHAB’s self-signed certificate has been “seen” from the outside and not my Letsencrypt-certificate.

I forwarded my external port to 443 of my OpenHAB-instance - and everything works fine now. Thank you all very much for your time and great help!