"503 Remote SSL cert could not be verified" when trying to fed with mastodon.social, but not other instances #6449

Closed
2 tasks done
Starling000 opened this issue Feb 8, 2018 · 7 comments


Starling000 commented Feb 8, 2018

I am building an instance at left.community and I'm testing federation. Federating with most servers works, but when I try to @ a user on mastodon.social from left.community, no posts are loaded and a big blob of text is dumped to the system journal. When I try to @ left.community from mastodon.social, I get the error in the title: "503 Remote SSL cert could not be verified."

I don't seem to have any SSL issues when connecting to other domains, such as cybre.space. So is the issue on my server or on mastodon.social?

The error generated on my server when trying to contact mastodon.social is, frankly, enormous, so I'm uploading it in a text file.

errorlog.txt


  • I searched or browsed the repo’s other issues to ensure this is not a duplicate.
  • This bug happens on a tagged release and not on master (If you're a user, don't worry about this).

@pfigel
Contributor

pfigel commented Feb 9, 2018

There's an issue with your TLS/SSL configuration. Your web server is sending your server certificate, but it's not sending the intermediate certificate that would "chain" your server certificate back to a trusted root certificate. Most web browsers will fetch those intermediate certificates behind the scenes or have them already cached from other sites, but other TLS clients (such as the one used by Mastodon) will not do this and fail to build a trust chain.

If you used certbot to obtain your certificate, the fix is to point the ssl_certificate directive of your nginx configuration to fullchain.pem rather than cert.pem, a file that should exist in the same directory, and then reload nginx. If you're using a different ACME/Let's Encrypt client, the documentation should mention how you can get to the combined certificate + intermediate (chain) certificate file.

You can verify your fix (and possibly find other configuration issues) using SSL Labs. Your current problem would be the "Chain issues | Incomplete" part.
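
The failure described in the comment above can be reproduced offline with a throwaway CA hierarchy. This is an added example, not part of the original thread or of Mastodon's code; it assumes the `openssl` CLI is installed, and the names `instance.example`, "Demo Root", "Demo Intermediate" and the helper functions are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: throwaway root -> intermediate -> leaf for the made-up
# name instance.example. File names mirror certbot's cert.pem / chain.pem /
# fullchain.pem; root.pem plays the root already in the client's trust store.

new_csr() {  # new_csr <basename> <CN>: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

make_demo_pki() (  # subshell body, so the cd does not leak to the caller
    mkdir -p "$1" && cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:instance.example\n' > leaf.ext
    new_csr root "Demo Root" && new_csr inter "Demo Intermediate" &&
        new_csr leaf "instance.example" || exit 1
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
        -extfile ca.ext -days 2 -out chain.pem 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA chain.pem -CAkey inter.key -set_serial 3 \
        -extfile leaf.ext -days 2 -out cert.pem 2>/dev/null &&
    cat cert.pem chain.pem > fullchain.pem
)

# Number of certificates in the file the server is configured to send.
certs_sent() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# Model a TLS client that trusts only root.pem and builds the path solely from
# what the server sends (no fetching or caching of intermediates).
# Usage: client_accepts <pki dir> <served file>
client_accepts() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/$2" >/dev/null 2>&1
}

demo=$(mktemp -d) && make_demo_pki "$demo" || exit 1
for served in cert.pem fullchain.pem; do
    if client_accepts "$demo" "$served"; then verdict="chain verified"
    else verdict="could not be verified, no path to the root"; fi
    echo "ssl_certificate $served: $(certs_sent "$demo/$served") cert(s) sent, $verdict"
done
```

Against a live server, `openssl s_client -connect HOST:443 -servername HOST -showcerts` lists the certificates actually sent, which can be compared with the count printed here.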

@Starling000
Author

That worked like a charm, thank you! This is my first time managing SSL certs, I appreciate the informative response.

@albjeremias

So...
these guys from todon.nl complained they can't follow anyone on my instance... then they invited me to register on their instance.. I did it.. and I confirmed the bug.. I can't follow myself on my instance.. :(
So.. I get the error: "Remote SSL certificate could not be verified" ... and I went to investigate, but no luck: the request is not sent directly to my instance, it is sent to the todon.nl instance.. and I get a "503 Service Unavailable".

How can I debug this further? Asking todon.nl to check their logs?

@pfigel
Contributor

pfigel commented May 7, 2018

Did you run SSL Labs on your instance yet? That'll reveal the most common SSL/TLS configuration issues such as the missing intermediate/chain certificate problem the OP ran into.

(If there's nothing obvious in the result, please share the instance domain for further debugging.)

@SuperSandro2000
Contributor

I am having trouble with this, too.
My instance is at mastodon.supersandro.de and the SSL Labs report is green.

@cyborch

cyborch commented Nov 22, 2022

I'm seeing the same issue today. My instance is activity.cyborch.com and ssl labs report is green for me too. This issue has been around for a very long time. Was a fix or a workaround ever found?

@Saqibm128

I have the issue as well. Just trying to bump this. My instance is gaymedmastadon.social, and SSL labs report is also green.
