Skip to content

Fix for Error Connecting to OctoPrint Over HTTPS in PrusaSlicer (Error 60) On Linux

Ben Turner edited this page Mar 22, 2020 · 1 revision

The Problem

If you're experiencing this error, you will see a popup that contains text that looks something like this:

Could not connect to OctoPrint: Peer certificate cannot be authenticated with given CA certificates: SSL certificate problem: unable to get local issuer certificate [Error 60] Note: OctoPrint version at least 1.1.0 is required.

Since OctoPrint doesn't itself support HTTPS, you're also likely using haproxy as your reverse proxy on whatever is running your OctoPrint instance, and that is providing the TLS connecting using an SSL certificate. This is fine. If you're running something different, like Nginx or Apache, you will need to adjust the steps to fix it to meet the standards of those servers, or switch to haproxy. Up to you.

You're likely using a free, but not self-signed, SSL certificate, such as one from Let's Encrypt. This may also occur with paid SSL certificates, and the same solution should work.

Throughout this guide, I will be referring to your server's FQDN (Fully Qualified Domain Name) as octo.example.com. Change that wherever you see it to your server's FQDN.

You can test to see if you have this problem by typing the following into a terminal on the affected system (or any other *nix system with curl installed) curl -v https://octo.example.com/api/version If you receive something that ends in an error, you have the problem. If it comes back with the same info you get when you put that in a browser, then you're good, and you don't have this problem.

The Why

The problem is that while the certificate is valid, and your machine does have the root CA to verify that, it does not have the intermediate CA. These are important because that's what actually signed your certificate. You are supposed to provide the intermediate CA along with your certificate. Your web browser still works fine because other web sites use Let's Encrypt Certificates, and helpfully attach the Intermediate CA's, which your browser then caches, and can use to verify your site. PrusaSlicer uses curl, which isn't going to random sites or caching their CAs. Windows isn't affected. I'm not sure why, but it has to do with the way CAs and certificates, in general, are handled.

The Fix

Usually, people will get their Let's Encrypt certificates through an application called certbot. What you need to do is create a new file, which contains (According to this website, the order is supposed to be important, but I have found that it isn't, but YMMV), in order, your certificate, the intermediate CA, and then your key. This will be the file you provide to haproxy. It's different for nginx and apache, but this page on certbot's docs should help you if you need it.

Essentially, using the filenames provided by certbot's doc page linked above, you need to run the following command. Note, you'll need to run this command every time certbot renews the certificates, so I would put an entry in cron to do this automatically, or else use the post_hook feature of certbot, but that's outside the scope of this guide. The filenames may have your domain names appended to it, that's fine, just put that in there too. According to the certbot documentation, it should provide you with 2-4 files, unless you used the certonly command, in which case, you'll need to redo getting your certs, without that command. There are:

  • privkey.pem, which contains your private key.
  • cert.pem, which contains your certificate.
  • chain.pem, which contains the intermediate CA.
  • fullchain.pem, which contains your certificate, and the intermediate CA.

As fullchain.pem and privkey.pem are the two most common certs, we will use those.

Run the command cat fullchain.pem privkey.pem > ssl_certs.pem

You could also do cat cert.pem chain.pem privkey.pem > ssl_certs.pem if you wanted to, but simpler is usually better.

You would then use ssl_certs.pem (or whatever you want to name it), as the SSL file in your haproxy.cfg, such as bind *:443 ssl crt ssl_certs.pem (Just replace your existing SSL cert file in your haproxy.cfg with ssl_certs.pem)

Restart your haproxy server, and then redo the curl test from above. If it works, then problem solved! Finally, test it in PrusaSlicer, and it should work. If curl works but PrusaSlicer doesn't connect, then that would be another problem entirely.

Note

If for whatever reason, none of your files contain Let's Encrypt's Intermediate CA, it's available on their website to be downloaded, so you can append it. It's the X3 file.

This DOES NOT work with self-signed certificates. For that, there's a completely different method, which is outside the scope of this guide.