SSL intermediate/chain issue

explosive

Hi,

I have problems with an SSL certificate:

- wildcard
- Apache 2.4.4
- every path in config is checked, it's OK
- WORKS in DirectAdmin:2222 (so certificate and CA are OK, full chain)
- csf open port 443

Problem: Apache doesn't send the full chain. "The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate"

Test: openssl s_client -connect some.domain.com:443

Result:

from anywhere
verify error:num=20:unable to get local issuer certificate
verify error:num=27:certificate not trusted
verify error:num=21:unable to verify the first certificate

from localhost (some.domain.com)
Verify return code: 0 (ok)

---

I can't figure out what is going on. If I get OK from localhost, the configuration must be OK.
So WHY can't everybody else see the full chain?!? 443 works, so it's not the firewall.
What am I missing?
 
Well, did you install the CA certificates in the appropriate area when setting up your SSL?
 
As already written: yes. "appropriate area" = httpd.conf (it's the main one, hostname SSL).
 
Remember, when you rewrite the configs, CB/DA can overwrite httpd.conf....

Copy and edit the httpd.conf in a custom folder in the Custombuild folder

or use chattr +i
 
In /etc/httpd/conf/extra/httpd-ssl.conf I have proper SSL setup:

SSLCertificateFile /etc/httpd/conf/ssl.crt/certificate.pem
SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
SSLCertificateChainFile /etc/httpd/conf/ssl.crt/ca-bundle.pem
SSLCACertificateFile /etc/httpd/conf/ssl.crt/ca-bundle.pem

(the same ones are in da.config and work)
 
Sorry, I can't. Anyway, I checked this many times: from outside you don't see anything more than what I wrote in the first post. Apache doesn't send the full chain.
 
If so, then the only solution... you should try to downgrade Apache to 2.2.x, and check either with the Apache mailing lists, or directly post a bug report to their bug tracker.
 
First you said you added them to httpd.conf, then I mentioned httpd-ssl.conf, and you said you added them there. So, you're making conflicting statements there.
 
Somewhere up above you wrote Wildcard.

Perhaps the CARoot Cert must be installed in the userlevel httpd.conf file if any.

Jeff

Otherwise the only other thing I can think of is to watch the log while using your browser, to see exactly what apache is searching through.

Jeff
 
Somewhere up above you wrote Wildcard.

Perhaps the CARoot Cert must be installed in the userlevel httpd.conf file if any.
Yes, WILDCARD. This is the main SSL cert for the server: for DA, email, access to /roundcube, /phpmyadmin etc.

But how to install it at the user level? This is the hostname, like s66.hostname.com, and DirectAdmin doesn't allow
creating an account with the server hostname.

I've installed this cert on 2 more servers and on every one it's the same problem.

Otherwise the only other thing I can think of is to watch the log while using your browser, to see exactly what apache is searching through.
What log exactly do you mean?

Thx.
 
I didn't really study the thread before posting my previous response. Obviously I should have.

You may need to create a new file and path, and make changes to the various configuration files to read them.

But that could get complicated if you're not an extremely experienced administrator and not willing to try things.

Instead you can install the Certificate according to the DirectAdmin FAQ Instructions, which include setting up the CA Root Certificate for DirectAdmin.

And for all other cases, try copying the CA Root Certificate under the Wildcard Certificate, into each file where you've installed the Wildcard Certificate. No blank lines between the certs... something like this:
Code:
-----BEGIN CERTIFICATE-----
your wildcard cert data here
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
the CA Root cert data here
-----END CERTIFICATE-----

And then restart each service requiring the Certificate.

This should work in all cases. If it doesn't then I can offer you a commercial service to try to resolve the difficulties, but remember that some Certificates may not work for anything except http, so you should check with your Certificate vendor first to see if their Certificate will work with email, etc.

Jeff
 
What is in your httpd-vhosts.conf?

In our installs we do not use SSLCACertificateFile as this is for Apache 1.*

Just adding the CA won't work, you have to create the bundle, for Comodo Essential Wildcard you would use:

cat EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle
 