Score:2

Searx (based on Nginx) "Let's Encrypt" SSL certificate is not valid for Safari (iPhone and macOS), but it is valid for the rest of the world


I have a customized installation of Searx (https://searx.me/) at: https://ricercaalternativa.mydissent.net/

It has been working properly with Letsencrypt for years now. As of a few days ago, however, the certificate provided by Letsencrypt is compatible with everything except Apple (Safari on iPhone and on macOS).

This test shows a "chain issue": https://www.ssllabs.com/ssltest/analyze.html?d=ricercaalternativa.mydissent.net

I don't know how to solve the problem (or, actually, what this issue means), also because the SSL certificate installation has always been fully automated with the following Bash script:

#!/bin/bash
# Obtain or renew the certificate for the domain, then restart the services that use it.
YOUR_DOMAIN="ricercaalternativa.mydissent.net"
certbot certonly -d "${YOUR_DOMAIN}" --manual --preferred-challenges dns
service uwsgi restart
service nginx restart

Anyway, --preferred-challenges dns seems ignored: it doesn't ask me to deploy a DNS record. This is the output:

# ./updateSSL.sh 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/ricercaalternativa.mydissent.net.conf)

What would you like to do?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: Keep the existing certificate for now
2: Renew & replace the cert (limit ~5 per 7 days)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/ricercaalternativa.mydissent.net/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/ricercaalternativa.mydissent.net/privkey.pem
   Your cert will expire on 2022-01-05. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

This is the version of certbot:

# apt-cache policy certbot | grep Installed
  Installed: 0.31.0-2~deb10u1+ubuntu18.04.1+certbot+3

Score:1

Your problem stems from the fact that your web server is not sending any chain certificates with your leaf certificate. This is what the SSL Labs test is trying to tell you when it says, "This server's certificate chain is incomplete".

Browsers and other clients have to guess how to verify the certificate you're sending and some are more capable/lenient than others at doing this. Safari is not. This only started happening recently due to a recent Root CA certificate expiration.

In your nginx config, you likely have a line such as:

ssl_certificate  /etc/letsencrypt/live/ricercaalternativa.mydissent.net/cert.pem;

If so, change cert.pem to fullchain.pem and restart nginx. Then re-check via SSL Labs and see what it says about your chain.

Comment by Francesco Galgani:

Thank you very much Ryan, your proposed solution works perfectly. For completeness of information, for those who look for a solution to this problem, I found this little theoretical explanation: https://support.dnsimple.com/articles/what-is-ssl-certificate-chain/ Regarding the file to be modified for a standard installation of searx, it is: /etc/nginx/sites-enabled/searx-ssl
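The check behind the answer, as an added example that is not code from the question, from Ryan's answer or from the searx project: a small POSIX shell script that reads the files named by every ssl_certificate directive in an nginx config and flags any that contain a single certificate (a bare cert.pem) instead of the leaf plus intermediates that fullchain.pem carries. The config and PEM files it inspects are constructed in a temporary directory for the demo (the fake PEM blocks are not real certificates); on a real searx host you would point check_nginx_chain at /etc/nginx/sites-enabled/searx-ssl, and served_chain_length shows what the live server actually sends during the handshake.

```shell
#!/bin/sh
# Added example: verify that nginx serves a full certificate chain.
# Not from the question, the answer or searx; sample files are constructed.

# Number of PEM certificate blocks in a file (0 if it cannot be read).
count_pem_certs() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c -F -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Paths named by ssl_certificate directives in an nginx config.
# ssl_certificate_key lines do not match because whitespace must follow the name.
ssl_certificate_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

# Report every ssl_certificate file in CONFIG; exit status 1 if any holds
# fewer than two certificates (leaf only, no intermediates).
check_nginx_chain() {
    config="$1"
    status=0
    for pem in $(ssl_certificate_paths "$config"); do   # paths without spaces assumed
        n=$(count_pem_certs "$pem")
        if [ "$n" -ge 2 ]; then
            echo "OK   $pem: $n certificates (leaf plus chain)"
        else
            echo "WARN $pem: $n certificate(s); use fullchain.pem so the chain is sent"
            status=1
        fi
    done
    return "$status"
}

# What a live server actually sends: count the certificates in the handshake.
# Not called in the demo below because it needs network access.
served_chain_length() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -c -F -e '-----BEGIN CERTIFICATE-----'
}

# --- constructed sample data (not real certificates) -----------------------
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

fake_cert() {   # emit one fake PEM block labelled with $1
    cat <<EOF
-----BEGIN CERTIFICATE-----
FAKE-$1-NOT-A-REAL-CERTIFICATE
-----END CERTIFICATE-----
EOF
}
fake_cert leaf > "$SAMPLE_DIR/cert.pem"
{ fake_cert leaf; fake_cert intermediate; fake_cert cross-signed-root; } > "$SAMPLE_DIR/fullchain.pem"

# Site file as in the question (leaf only) and as fixed by the answer (full chain).
SAMPLE_BEFORE="$SAMPLE_DIR/searx-ssl.before"
SAMPLE_AFTER="$SAMPLE_DIR/searx-ssl.after"
cat > "$SAMPLE_BEFORE" <<EOF
server {
    listen 443 ssl;
    server_name ricercaalternativa.mydissent.net;
    ssl_certificate      $SAMPLE_DIR/cert.pem;
    ssl_certificate_key  $SAMPLE_DIR/privkey.pem;
}
EOF
sed 's#/cert.pem;#/fullchain.pem;#' "$SAMPLE_BEFORE" > "$SAMPLE_AFTER"

for conf in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    echo "== $conf"
    check_nginx_chain "$conf" || echo "   -> fix ssl_certificate in $conf and restart nginx"
done
```

Counting PEM blocks is deliberately crude: it does not validate that the intermediates actually chain to the leaf, but it catches the exact misconfiguration in this thread, and the served_chain_length function gives you the client-side view (a single certificate in the handshake means the chain is incomplete no matter what the config file says).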