Apache directives


#1

I am trying to help out a bit with a patch for ISPConfig to allow the use of LE with the click of a button. It’s working well so far and all of my domains have had their certificates installed without trouble in both the closed and public beta.

What’s the difference in using SSLCACertificateFile vs SSLCertificateChainFile and pointing it to the chain.pem file? SSL Labs gives me an A either way. Just wondering if anyone had any insight on using one directive versus the other. The default directive used by ISPConfig is SSLCACertificateFile and the author of the patch doesn’t want to mess with the default vhost template for ISPConfig (rightfully so).


#2

They do very different things.

SSLCACertificateFile is used to define the CAs trusted for clients authenticating with client certificates.

SSLCertificateChainFile defines the list of intermediate certificates the server should return. This should point to the chain.pem file generated by the LE client.

Pointing SSLCACertificateFile at chain.pem is at best doing nothing; it potentially breaks client certificate authentication.

Not setting SSLCertificateChainFile to chain.pem results in an incomplete setup; while tolerated by most browsers (they download the intermediate certs themselves), it breaks many mobile browsers as well as tools like curl.


#3

So working within the constraints of the current ISPConfig system which uses the following directives:

SSLCertificateFile
SSLCertificateKeyFile
SSLCACertificateFile

Is there a way to set up Apache to use the files created by the LE client? Or is SSLCertificateChainFile going to be necessary for it to work? I noticed in the past with ISPConfig that I would sometimes get certificate errors on mobile devices. Perhaps the ISPConfig vhost template needs to be updated anyway?

Thanks!


#4

As far as I can tell, ISPConfig is doing it wrong. SSLCACertificateFile is only for validating against client certificates.

When this was originally set up, perhaps the intent was to use SSLCACertificatePath, which points to a directory for both client and server chain construction.

Anyway, it’s a valid bug that should be filed with the ISPConfig folks.


#5

To confuse the issue further, according to GoDaddy (my current/previous certificate issuer), if you are using Apache <2.4.8 you are supposed to use the SSLCertificateChainFile directive to point to the intermediate bundle path, and if you are on 2.4.8+ then you should use SSLCACertificateFile to point to it. Apparently in 2.4.8+ SSLCertificateChainFile is deprecated. I am currently using 2.4.7.


#6

Slightly wrong, but not surprising for GoDaddy. You still shouldn’t use SSLCACertificateFile.

For 2.4.8, SSLCertificateChainFile is obsoleted and you should use fullchain.pem with SSLCertificateFile. However, it’s just deprecated and not removed, so you can continue to use the older style for at least a while and most likely until 2.5 or greater.


#7

Thanks for the answer! I am happy to abandon GoDaddy, but I couldn’t argue with the $5 price tag when I purchased my first SSL certificate. I am in the process of upgrading Ubuntu and Apache now. I was wondering what I was going to have to change in my vhosts when I was done. Thanks for explaining!

If we point SSLCertificateFile to fullchain.pem in Apache <2.4.8, I assume that will not work out as intended?


#8

I haven’t tried personally, but based on the information in the documentation, it will likely only read the first certificate or maybe error out. You’ll need to use SSLCertificateChainFile if you’re running 2.4.7 or older.
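The directive usage described in #2, #6 and #8, as one vhost fragment. This is an added example, not configuration from the thread, from ISPConfig or from the LE client; it assumes the LE client's default file layout under /etc/letsencrypt/live/<domain>/ (cert.pem, privkey.pem, chain.pem, fullchain.pem), that mod_ssl and mod_version are loaded so that <IfVersion> is available, and uses example.com as a placeholder domain.

```apache
# Added example (not from the thread, ISPConfig or the LE client).
# Assumes: LE client default paths, mod_ssl + mod_version loaded,
# example.com is a placeholder for the real ServerName.
<VirtualHost *:443>
    ServerName example.com
    SSLEngine on

    # Private key is the same for both layouts below.
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem

    # Apache 2.4.7 and older: serve the leaf cert from cert.pem and hand out
    # the intermediates with SSLCertificateChainFile -> chain.pem.
    # Leaving the chain directive out is what produces the "incomplete chain"
    # failures on mobile browsers and curl.
    <IfVersion < 2.4.8>
        SSLCertificateFile      /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/chain.pem
    </IfVersion>

    # Apache 2.4.8 and newer: SSLCertificateChainFile is deprecated, so point
    # SSLCertificateFile at fullchain.pem (leaf + intermediates in one file)
    # and set no chain directive at all.
    <IfVersion >= 2.4.8>
        SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    </IfVersion>

    # What the thread advises against: SSLCACertificateFile names the CAs that
    # are trusted for *client* certificate authentication. It is not the place
    # for the server's own intermediates, and setting it to chain.pem can
    # interfere with client-cert auth if you ever enable it.
    # SSLCACertificateFile /etc/letsencrypt/live/example.com/chain.pem
</VirtualHost>
```

To confirm the server actually sends the intermediate, run `openssl s_client -connect example.com:443 -servername example.com -showcerts` from a machine with no cached intermediates and check that more than one certificate block appears in the output; a single block means the chain is incomplete regardless of which directive was used.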


#9

Thanks again!

After the upgrade, I pointed SSLCACertificateFile to chain.pem and received an A- on SSL Labs but when I commented out that line my grade was dropped for an incomplete chain when I had SSLCertificateFile pointed to cert.pem. So that configuration seems to work.

I tried the other way too by pointing SSLCertificateFile to fullchain.pem and commenting out SSLCACertificateFile and it worked as expected as well.

Thanks for your help!