Error 503 - unable to get local issuer certificate

I installed my Mastodon server, can federate, and everything works great except following an RSS bot that I'm running locally in Docker behind a firewall, using a Let's Encrypt certificate. Browsers report no problems and can reach the bot fine. Other Mastodon instances can correctly follow the bots as well.

I got exactly one mention of an error in the bundle log:
Switching source:82.64.XX.XX from green to red because OpenSSL::SSL::SSLError SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate) on https://rssbot.xxxxx/u/YYY
I've modified my configuration and get an A grade from SSL Labs.

The logfile shows no mentions of errors any more, but the user interface shows "error 503" when I try to follow one of the bots.
I presume that the IP is in some kind of a blacklist because of the earlier error? How do I remove or whitelist it? Is there a scheduled check?
Is there a way to overrule the "cache" that seems to exist for the "bad" IP?
Thanks for your input!

Can you provide the output of openssl s_client -connect yourbot:443 -servername yourbot -showcerts and check whether you get a full certificate chain returned?

Thanks for getting back so quickly.
I get:
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domainname
verify return:1
Seems to be a full chain? Is it possible that Mastodon caches DNS queries?
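As an added example, not from anyone in this thread: a small Python script that reads the verification trace printed by openssl s_client (the check suggested above) and reports whether the chain verified and, if not, at which depth OpenSSL ran out of issuers. A per-depth "verify return:1" only records that the verify callback let the handshake continue, so the script keys on the "verify error:num=N:..." lines and the final "Verify return code: N (...)" line instead, and counts the PEM blocks that -showcerts prints to tell "server omitted the intermediate" apart from "client trust store lacks the issuer". The two sample traces embedded in it are constructed; the failing one is modelled on the error text quoted in the first post, and its PEM body is a placeholder, not a real certificate.

```python
import re
import sys
from dataclasses import dataclass, field
from typing import Optional

# OpenSSL X509_V_ERR_* codes that mean "no issuer available locally".
ISSUER_NOT_FOUND = {
    20: "unable to get local issuer certificate",
    21: "unable to verify the first certificate",
}

DEPTH_RE = re.compile(r"^depth=(\d+)\s+(.*)$")
ERROR_RE = re.compile(r"^verify error:num=(\d+):(.*)$")
FINAL_RE = re.compile(r"^Verify return code:\s*(\d+)\s*\((.*)\)$")


@dataclass
class VerifyReport:
    subjects: dict = field(default_factory=dict)  # depth -> subject as printed
    errors: list = field(default_factory=list)    # (depth, errnum, message)
    final_code: Optional[int] = None              # from "Verify return code: N (...)"
    pem_blocks: int = 0                           # certificates the server sent (-showcerts)

    @property
    def ok(self) -> bool:
        return self.final_code == 0 and not self.errors

    @property
    def issuer_not_found(self) -> bool:
        # Error 20/21 at the highest depth reached: OpenSSL had no issuer for the
        # last certificate it held, so either the server omitted an intermediate
        # or the client's trust store does not contain the issuer.
        if not self.subjects:
            return False
        top = max(self.subjects)
        return any(d == top and num in ISSUER_NOT_FOUND for d, num, _ in self.errors)


def parse_s_client(output: str) -> VerifyReport:
    """Parse the verification trace and chain dump printed by openssl s_client."""
    report = VerifyReport()
    depth = None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := DEPTH_RE.match(line)):
            depth = int(m.group(1))
            report.subjects[depth] = m.group(2)
        elif (m := ERROR_RE.match(line)):
            report.errors.append((depth, int(m.group(1)), m.group(2)))
        elif (m := FINAL_RE.match(line)):
            report.final_code = int(m.group(1))
    report.pem_blocks = output.count("-----BEGIN CERTIFICATE-----")
    return report


def diagnose(report: VerifyReport) -> str:
    """Turn a report into a one-line verdict a server operator can act on."""
    if report.ok:
        return "ok"
    if report.issuer_not_found:
        top = max(report.subjects)
        if report.pem_blocks == 0:
            hint = "rerun with -showcerts to see which certificates the server sends"
        elif report.pem_blocks == 1:
            hint = "server sent only the leaf: an intermediate is missing from the server config"
        else:
            hint = "server sent %d certificates: the client's trust store likely lacks the issuer" % report.pem_blocks
        return "issuer not found for depth=%d (%s); %s" % (top, report.subjects[top], hint)
    return "verification failed: return code %s, errors %s" % (report.final_code, report.errors)


# Constructed sample: the depth lines quoted above plus a clean final code.
SAMPLE_OK = """\
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = rssbot.example
verify return:1
---
Verify return code: 0 (ok)
"""

# Constructed sample: server presents only its leaf certificate (hypothetical host).
SAMPLE_MISSING = """\
depth=0 CN = rssbot.example
verify error:num=20:unable to get local issuer certificate
verify return:1
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:CN = rssbot.example
   i:C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
MIIB...placeholder, not a real certificate...
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
"""

if __name__ == "__main__":
    # Pipe real output in: openssl s_client -connect host:443 -servername host -showcerts </dev/null 2>&1 | python3 chaincheck.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MISSING
    print(diagnose(parse_s_client(text)))
```

The script name chaincheck.py in the usage comment is an assumption. On the failing sample the verdict points at the server, because only one PEM block came back; had the server sent the intermediate as well and verification still stopped, the same check would point at the client's trust store, which is the split between the two hypotheses raised later in this thread.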

verify return:1 is not good. Did your certificate expire or something? Let's Encrypt ones are valid for a short time and need to be renewed automatically. Some services do not notice the renewal until fully restarted.

The certificate is fine, and HAProxy is alerted correctly when the certificates are updated. I kinda gave up on this approach and just went for the twoot bot to mirror accounts. I prefer the ActivityPub approach of the RSSbot, but never mind.

Maybe the certificate on the server is fine, but the client side of verification is broken?
