return code: 21

Hello, I'm getting "Verify return code: 21 (unable to verify the first certificate)" when using openssl against my Bubble instance and, while I can connect just fine, a friend cannot. Is that the issue? How am I supposed to fix it? I tried fullchain.pem and a chained PEM, but I always end up with the same error.

I'm using Let's Encrypt. Thanks

bolla.woodpeckersnest.space:1967/
Posted in: s/Bubble
🐦 roughnecks

May 23 · 7 months ago

5 Comments ↓

🧶 uwu · 2025-05-24 at 20:55:

I had a similar error when I joined here because my account needed to be approved; maybe you need to approve your friend's account first?

🐦 roughnecks [OP] · 2025-05-24 at 21:06:

Well, the cert issue, I believe, is for everyone, but I am able to connect to the instance anyway. That friend only told me he couldn't connect; I have no other clues. So I checked everything again and noticed the cert issue. It's `openssl` complaining, but it looks like Lagrange works just fine (again, for me at least). Also, one other person registered (I got mail), so I guess it works :)

🐦 roughnecks [OP] · 2025-05-24 at 21:08:

I would still like to know if I can fix that issue. I have a molly-brown server on main domain and openssl doesn't complain there.

🕹️ skyjake [mod...] · 2025-05-25 at 12:29:

I can't recall if I've ever tested a certificate chain on a GmCapsule server. I'm not sure if OpenSSL requires a chain to be loaded differently than a single certificate, so perhaps I'm just calling the wrong API or something.

In any case, if you try to connect via regular openssl, it will try to verify the certificate(s) against known root CAs, which is usually not relevant with Gemini servers and the TOFU security practice.
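An added check for the point skyjake makes above (example code, not from this thread, Bubble or GmCapsule): plain `openssl s_client` validates the server's chain against the local root store, and return code 21 in particular means the server presented its leaf certificate without the intermediate that links it to a root, which is what serving cert.pem instead of fullchain.pem produces. The `openssl` flags are real; the hostname and port are the ones from the post; the two s_client transcripts below are constructed samples with placeholder certificate bodies, not captures from the server.

```shell
#!/bin/sh
# Added example, not code from the thread, Bubble or GmCapsule.
# Reads `openssl s_client -showcerts` output and classifies the
# "Verify return code" so an incomplete chain (21) is told apart
# from a self-signed TOFU certificate (18/19) and a clean chain (0).

# Live probe (needs network). Gemini speaks TLS and relies on SNI,
# so -servername is required; 1965 is the default Gemini port,
# 1967 is the one used in the post.
probe_capsule() {
    openssl s_client -connect "$1:${2:-1965}" -servername "$1" \
        -showcerts </dev/null 2>/dev/null
}

# Number of certificates the server presented (stdin = s_client output).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Numeric "Verify return code" (stdin = s_client output).
verify_code() {
    sed -n 's/^Verify return code: \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Classify the result; prints one token first so it can be scripted.
diagnose() {
    out=$(cat)
    code=$(printf '%s\n' "$out" | verify_code)
    n=$(printf '%s\n' "$out" | count_certs)
    case "$code" in
        0)     echo "OK: $n cert(s) sent, chain verified against local roots" ;;
        21)    echo "INCOMPLETE_CHAIN: $n cert(s) sent, intermediate missing; serve fullchain.pem" ;;
        18|19) echo "SELF_SIGNED: acceptable for Gemini TOFU, never CA-verifiable" ;;
        *)     echo "OTHER: verify code ${code:-missing}" ;;
    esac
}

# Constructed sample: leaf only, as when only cert.pem is loaded.
sample_leaf_only() {
    cat <<'EOF'
CONNECTED(00000003)
depth=0 CN = bolla.woodpeckersnest.space
verify error:num=20:unable to get local issuer certificate
verify error:num=21:unable to verify the first certificate
---
Certificate chain
 0 s:CN = bolla.woodpeckersnest.space
   i:O = Let's Encrypt
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)
EOF
}

# Constructed sample: leaf plus intermediate, as with fullchain.pem.
sample_full_chain() {
    cat <<'EOF'
CONNECTED(00000003)
depth=1 O = Let's Encrypt
verify return:1
depth=0 CN = bolla.woodpeckersnest.space
verify return:1
---
Certificate chain
 0 s:CN = bolla.woodpeckersnest.space
   i:O = Let's Encrypt
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
 1 s:O = Let's Encrypt
   i:O = Internet Security Research Group
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgUExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)
EOF
}

# Offline demonstration on the constructed samples; for the real
# capsule run:  probe_capsule bolla.woodpeckersnest.space 1967 | diagnose
sample_leaf_only | diagnose
sample_full_chain | diagnose
```

Two caveats when reading the result. Code 21 says nothing about the certificate itself being bad; Let's Encrypt issues the leaf, but a CA-validating client can only trust it if the server also sends the intermediate, so the fix is on the server side (make sure the file handed to the server is the full chain and that the server actually loads every certificate in it). And a Gemini client pinning by TOFU, as Lagrange does, never walks this chain, which is why the capsule still opens fine for the poster; only a client that insists on CA validation would refuse the incomplete chain.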

🐦 roughnecks [OP] · 2025-05-25 at 17:45:

OK, but on the base domain, where molly-brown is running, Lagrange says it's verified by CA, while Bubble isn't.

Maybe not a big issue though?

— /u/roughnecks/image/464.jpeg