Android's Google Chrome - Certificate not trusted


#1

https://www.ssllabs.com/ssltest/analyze.html?d=german-samplife.de&hideResults=on

<VirtualHost *:80>
ServerAdmin gangsta.sunny32@gmail.com
ServerName german-samplife.de
Redirect / https://german-samplife.de/
DocumentRoot …/…/var/www/germansamplife

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/german-samplife.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/german-samplife.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/german-samplife.de/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

<VirtualHost *:80>
ServerAdmin gangsta.sunny32@gmail.com
ServerName www.german-samplife.de
Redirect / https://german-samplife.de/
DocumentRoot …/…/var/www/germansamplife

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/german-samplife.de/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/german-samplife.de/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/german-samplife.de/chain.pem
Include /etc/letsencrypt/options-ssl-apache.conf

What is wrong? :S

//edit - apache2 is 2.2.x


#2

The SSLCertificateChainFile /etc/letsencrypt/live/german-samplife.de/chain.pem doesn’t seem to be working, SSL Labs shows that the certificate chain is incomplete.

Is there anything in your apache error log that would indicate apache fails to load that file? Could you post the contents of /etc/letsencrypt/live/german-samplife.de/chain.pem just in case?

Did you manually configure your apache to enable SSL, or did you use certbot’s apache plugin?


#3

content of “/etc/letsencrypt/live/german-samplife.de/chain.pem”

I can't find anything in the apache2 error_log and I'm using certbot.


#4

The chain file looks fine.

Can you post the exact certbot command you used? The Include /etc/letsencrypt/options-ssl-apache.conf line indicates that you used the apache plugin, which would automatically configure your apache for SSL. However, the cipher suites listed by SSL Labs don’t seem to match what one would expect from an apache configuration created by certbot (for example, SSLv3 and RC4 ciphers are enabled). Any chance you made manual modifications to your configuration, or that you had SSL enabled prior to running certbot? In that case, posting all relevant config files might help us find the issue.


#5

Well, I don't remember what command I used.
I followed a tutorial from the official certbot website.

I added the line “/etc/letsencrypt/options-ssl-apache.conf” by myself.
I do have full root access to the server and can make any changes that are needed.

Actually, my knowledge about this isn't that much (like my English, I am sorry), so which config files do you want me to post?


#6

I see, that probably indicates you used certbot in certonly mode, where you’d configure apache yourself.

I think all files that could be relevant ought to have at least a SSLCertificateFile line, so if you post all files that are found by this command, we should be able to figure this out: grep "SSLCertificateFile" /etc/apache2 -r
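An added example, not part of the original posts or of certbot: a small Python audit for the files that grep turns up, listing each VirtualHost block and flagging the two conditions discussed in this thread (SSLEngine enabled in a port 80 vhost, and no chain file on an Apache 2.2.x setup). The sample config, the host name example.test and the function names parse_vhosts and audit are constructed for illustration.

```python
import re

# Constructed sample (hypothetical host and paths, not the poster's files).
SAMPLE_CONF = """\
<VirtualHost *:80>
    Redirect / https://example.test/
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
    SSLCertificateChainFile /etc/letsencrypt/live/example.test/chain.pem
</VirtualHost>
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.test/cert.pem
</VirtualHost>
"""

OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)

def parse_vhosts(text):
    """Return one dict per <VirtualHost> block: address plus directives."""
    vhosts, current = [], None
    for line in map(str.strip, text.splitlines()):
        opened = OPEN.match(line)
        if opened:  # a new block also ends an unclosed previous one
            current = {"addr": opened.group(1).strip(), "directives": {}}
            vhosts.append(current)
        elif line.lower().startswith("</virtualhost"):
            current = None
        elif current is not None and line and line[0] not in "#<":
            name, value = (line.split(None, 1) + [""])[:2]
            current["directives"][name.lower()] = value.strip()
    return vhosts

def audit(text):
    """Return (address, finding) pairs for TLS-enabled vhosts."""
    findings = []
    for vh in parse_vhosts(text):
        d = vh["directives"]
        if d.get("sslengine", "").lower() != "on":
            continue
        if vh["addr"].rsplit(":", 1)[-1] == "80":
            findings.append((vh["addr"], "SSLEngine on in a port 80 vhost"))
        # Before Apache 2.4.8 only SSLCertificateChainFile sends intermediates.
        if "sslcertificatechainfile" not in d:
            findings.append((vh["addr"], "no SSLCertificateChainFile"))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

On Apache 2.4.8 and later, a vhost whose SSLCertificateFile already contains the full chain will also trigger the second finding, so treat it as specific to older versions.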


#7

Well, I fixed it now.
The file “default-le-ssl.conf” was automatically created when I created the SSL certificate. The file was going with “VirtualHost *:443”, so I was wondering about the port and tried to connect to “https://german-samplife.de:443” from my Android phone via Google Chrome. And it worked. Now I just copied this default file to make a new one with port 80, and it works fine.

So maybe, for the Google users among us: check the sites-enabled/sites-available config and try to use the default config.
Thanks to pfg, without your messages I think I would have given up :smile:

