CERTIFICATE_VERIFY_FAILED on ipfs-cluster-service with a Letsencrypt SSL cert

I’m hoping to use a Letsencrypt SSL certificate with my ipfs cluster so I can securely make API requests.

I first used certbot to create a certificate.

sudo certbot certonly --standalone -m insanity54@example.com -d cluster.sbtp.xyz

Next I copied the files to ~/.ipfs-cluster

$ pwd
  /home/sbtpxyz/.ipfs-cluster
  sudo cp /etc/letsencrypt/live/cluster.sbtp.xyz/{cert,chain,fullchain,privkey}.pem .

…and changed the owner of the letsencrypt files from root to the name of my user account

chown -R sbtpxyz:sbtpxyz .

Next I configured service.json to point to what I think are the correct files.

$ cat service.json | grep ssl
  "ssl_cert_file":"/home/sbtpxyz/.ipfs-cluster/cert.pem",
  "ssl_key_file":"/home/sbtpxyz/.ipfs-cluster/privkey.pem",

When I’m running ipfs-cluster-service, I’m getting an error when I make API requests using HTTPie.

https https://cluster.sbtp.xyz:9094/health

https: LogLevel.ERROR: SSLError: HTTPSConnectionPool(host='cluster.sbtp.xyz', port=9094): Max retries exceeded with url: /health (Caused by SSLError(SSLCertVerificationError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1006)'))) while doing a GET request to URL: https://cluster.sbtp.xyz:9094/health

I know I could add --verify no to that HTTPie command which is fine for dev, but I don’t want to do that in production. I’d like to get the full benefits of SSL cert chains and not disable them.

Similar issue when making a fetch using deno.

UNABLE_TO_VERIFY_LEAF_SIGNATURE: unable to verify the first certificate

Are there any errors in my work? Am I using the correct cert & key files?

Did some more searching and found the answer on the letsencrypt forum.

Looks like I need to use fullchain.pem instead of cert.pem.

cat service.json | grep ssl
      "ssl_cert_file":"/home/sbtpxyz/.ipfs-cluster/fullchain.pem",
      "ssl_key_file":"/home/sbtpxyz/.ipfs-cluster/privkey.pem",

Gonna mark this one as solved.

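One way to catch this before restarting the service, as an added example that is not part of the original post or of ipfs-cluster: a shell check that reads `ssl_cert_file` from service.json and counts the PEM certificate blocks in that file. The function names and sample files are constructed for illustration, and the check assumes the flat `"key":"value"` layout shown in the grep output above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of ipfs-cluster.

# Print the string value of the first "KEY":"value" line found in FILE.
json_string() {  # usage: json_string KEY FILE
    sed -n 's/.*"'"$1"'"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$2" | head -n 1
}

# Count PEM certificate blocks in FILE (grep exits 1 on zero matches).
count_certs() {  # usage: count_certs FILE
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# 0 = leaf plus at least one chain certificate, 1 = leaf only, 2 = unreadable.
check_cluster_cert() {  # usage: check_cluster_cert SERVICE_JSON
    cert=$(json_string ssl_cert_file "$1")
    if [ -z "$cert" ] || [ ! -r "$cert" ]; then
        echo "cannot read ssl_cert_file '$cert' named in $1" >&2
        return 2
    fi
    n=$(count_certs "$cert")
    if [ "$n" -ge 2 ]; then
        echo "OK: $cert holds $n certificates (leaf + chain)"
        return 0
    fi
    echo "WARN: $cert holds $n certificate(s); the intermediate is not served" >&2
    return 1
}

# Constructed sample data: placeholder PEM blocks, not real certificates.
pem() { printf '%s\n' '-----BEGIN CERTIFICATE-----' "CONSTRUCTED-$1" '-----END CERTIFICATE-----'; }
make_sample() {  # usage: make_sample DIR
    pem leaf > "$1/cert.pem"
    { pem leaf; pem intermediate; } > "$1/fullchain.pem"
    for f in cert fullchain; do
        printf '{\n  "ssl_cert_file":"%s/%s.pem",\n  "ssl_key_file":"%s/privkey.pem"\n}\n' \
            "$1" "$f" "$1" > "$1/service-$f.json"
    done
}

dir=$(mktemp -d)
make_sample "$dir"
check_cluster_cert "$dir/service-cert.json" || echo "exit status $?"
check_cluster_cert "$dir/service-fullchain.json"
rm -rf "$dir"
```

cert.pem holds only the leaf certificate, while fullchain.pem appends the intermediate, which is why the second configuration verifies. Run the check again after each renewal, since certbot does not update the copies in ~/.ipfs-cluster.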