Unable to get issuer cert locally

Hi,

I updated openssl on my ubuntu 20.04 server to openssl 1.1.1i last night and ever since then, node-red nodes are getting the error "UNABLE_TO_GET_ISSUER_CERT_LOCALLY"

I have been trying to find out how to fix this on google to no avail. Here's some information about the certificate I installed for node-red https on the admin edit page and to enable https in the settings file:

  1. I used letsencrypt certbot to issue the certificates that are used in node-red's settings.js file
  2. The path in settings.js to the pem files are:

/etc/letsencrypt/live/my.website.com/privkey.pem
/etc/letsencrypt/live/my.website.com/fullchain.pem

Ever since updating to openssl 1.1.1i a lot of my nodes are getting this error seen in the screenshot below:

It happens with any http request to any API I try to reach, for example the jsonplaceholder API:

It's a production server and I broke it :\

I was updating openssl because I was originally getting a ssl handshake failure with an http request I was working on and when I tested it on my local machine, updating to openssl 1.1.1i fixed the issue, but on my local machine I didn't have all the other flows to find this issue ahead of time.

Please help!!!

Thank you,
Dan

Since you seem to have an emergency production issue I suggest going back to the previous openssl version for the moment. I see the version supplied with 20.04 is 1.1.1f, presumably you installed 1.1.1i from a ppa or similar.

1 Like

I installed openssl 1.1.1i from this guide:
https://www.howtoforge.com/tutorial/how-to-install-openssl-from-source-on-linux/

I just tried to uninstall openssl using sudo apt-get remove openssl and sudo-apt-get remove --auto-remove openssl

then I did sudo apt-get purge openssl and sudo apt-get purge --auto-remove openssl

But when I run openssl version I still get the version number for 1.1.1i

I'm not super experienced with Ubuntu server, can I just follow that same guide but instead of using the 1.1.1i.tar.gz have it install 1.1.1f and it will automatically overwrite the 1.1.1i install?

I'm thinking about completely uninstalling node-red & reinstalling it since I have all my flows and credentials for everything saved.

I would just need to generate a new https certificate and stuff for https.

As it says in that tutorial "OpenSSL is installed in the '/usr/local/ssl' directory." so you would need to manually uninstall it from there. Unfortunately the tutorial does not tell you in detail how to do that. It may be enough just to rename the file in that directory, but I am not sure because it seems to have done a lot of messing about with libraries, so you might need someone who know what they are doing to sort out the mess.
I don't know whether rebuilding the previous version from source would do it, probably it would. I am surprised though that a minor version like this has had a major effect, so I wonder whether it is actually due to the method of install rather than the version. Sorry I can't be more helpful.

1 Like

That's ok, I appreciate the help. I'm just going to restore from an amazon snapshot to before I did the update. Only reason I did the update was because an SSL handshake error was happening with one API, and the only workaround I found was using a proxy server (something to do with CORs?) so I'll just stick to that workaround and not worry about it.

Oh, right, if you have a snapshot then yes, that sounds like an excellent idea.