Moumou

Reputation: 1532

Renewed my SSL certificate but getting UNABLE_TO_VERIFY_LEAF_SIGNATURE in nodejs on AWS EC2 server

I have a nodejs/express API on an AWS EC2 server with an SSL certificate that is generated with Let's Encrypt every 3 months. Auto renewal isn't on and we let it expire before trying to renew, but after renewing it we are getting an error saying:

Unable to verify the first certificate

or

UNABLE_TO_VERIFY_LEAF_SIGNATURE

depending on what we are testing with.

We are using Certbot for renewing with the following command (and not $ certbot renew) :

$ sudo certbot certonly --dns-route53 -d *.example.com -d example.com --server https://acme-v02.api.letsencrypt.org/directory

Certificates are generated as expected with an expiration date 3 months from now.

Any ideas on what's going on? I've tried most of the things I could find on SO and elsewhere but nothing worked.

P.S. Servers and I don't get along very well :/ (I do mobile app dev) so assume that I don't know anything when replying :D

Upvotes: 2

Views: 1989

Answers (2)

RomuloNavas

Reputation: 1

I got the same error while building the Frontend app (Vitesse) and when testing the API in Insomnia. I fixed it by adding the intermedium.crt certificate to my Backend (Node.js) server. The Server is in a Digital Ocean Droplet.

(If you do not have the certificates, you can follow this video: NodeJS + Express SSL Install and Configuration)

This is my working code in the Backend (Node.js):

// Internal modules:
const https = require("https");
const fs = require("fs");

// First install the module: npm install --save express
const express = require("express"); 
const app = express();

// The API listens on port 4000 (maybe you also need to set up the firewall to allow this port)
const port = 4000;
 
//In this folder I store the certificates. I bought them in ssltrust 
var absoluteCertsPath = "/ssl_certificates";

https
  .createServer(
    {
      key: fs.readFileSync(`${absoluteCertsPath}/private-key.txt`),
      cert: fs.readFileSync(`${absoluteCertsPath}/certificate.crt`),

      // ⬇️ I fixed the error by adding the intermedium.crt certificate ⬇️
      ca: fs.readFileSync(`${absoluteCertsPath}/intermedium.crt`), 
    },
    app
  )
  .listen(port, () => {
    console.log(`✅ Server running on HTTPS at port ${port}`);
  });

app.get('/', (req,res)=>{
    res.send("Successfully working through HTTPS :)")
})

Upvotes: 0

Moumou

Reputation: 1532

Solution was quite easy, just needed to use the fullchain.pem file (and reboot your server if applicable).

Sidenote:

If someone on your team tells you that they've tested a solution and that it didn't work, don't just blindly trust them but test it yourself if all other possible solutions didn't work... (have lost 1+ day because someone thought they did test with the fullchain.pem (or did it wrongly))

Upvotes: 5
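A pre-start check for the fix in the answers above, as an added example that is not code from either post: it refuses to build HTTPS options when the file given as `cert` holds only the leaf certificate. The file names follow certbot's `live/<domain>/` layout and are assumptions here, and the PEM bodies are constructed placeholders, not real certificates.

```javascript
// Constructed placeholder PEM blocks (not real certificates), standing in for
// the files certbot writes under /etc/letsencrypt/live/<domain>/ (assumed layout).
const pem = (label, body) => `-----BEGIN ${label}-----\n${body}\n-----END ${label}-----\n`;
const sample = {
  "cert.pem": pem("CERTIFICATE", "TEVBRg=="),          // leaf only
  "chain.pem": pem("CERTIFICATE", "SU5URVJNRURJQVRF"), // intermediate(s)
  "privkey.pem": pem("PRIVATE KEY", "S0VZ"),
};
sample["fullchain.pem"] = sample["cert.pem"] + sample["chain.pem"];

// Split a PEM bundle into its blocks, keeping each block's label.
function splitPem(text) {
  const re = /-----BEGIN ([A-Z0-9 ]+)-----[\s\S]*?-----END \1-----/g;
  return [...text.matchAll(re)].map((m) => ({ label: m[1], pem: m[0] }));
}

// Count the certificates a file would make the server present.
function countCerts(text) {
  return splitPem(text).filter((b) => b.label === "CERTIFICATE").length;
}

// Pick key/cert for https.createServer so the intermediate is always sent.
// `files` maps file name -> PEM text; throws rather than serving a bare leaf.
function buildTlsOptions(files) {
  const key = files["privkey.pem"];
  if (!key || splitPem(key).length !== 1) {
    throw new Error("privkey.pem missing or malformed");
  }
  let cert = files["fullchain.pem"];
  if (!cert && files["cert.pem"] && files["chain.pem"]) {
    // Order matters: leaf first, then the intermediates.
    cert = files["cert.pem"].trimEnd() + "\n" + files["chain.pem"];
  }
  if (!cert || countCerts(cert) < 2) {
    throw new Error("leaf certificate only: clients may fail with UNABLE_TO_VERIFY_LEAF_SIGNATURE");
  }
  return { key, cert };
}
```

With real files, read each one with `fs.readFileSync(path, "utf8")`, pass the map to `buildTlsOptions`, and hand the result to `https.createServer`.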
