Apache SSLCertificateChainFile SSLCACertificateFile question

edwardsmarkf · February 15, 2021, 5:53pm

Hello -

In my httpd.conf, i have the following:

SSLCertificateFile     /etc/letsencrypt/live/www.MYDOMAIN.com/cert.pem
SSLCertificateKeyFile    /etc/letsencrypt/live/www.MYDOMAIN.com/privkey.pem
SSLCertificateChainFile     /etc/letsencrypt/live/www.MYDOMAIN.com/chain.pem
SSLCACertificateFile   /etc/letsencrypt/live/www.MYDOMAIN.com/chain.pem

and in my /etc/letsencrypt/live/MYDOMAIN.com/ directory i see:

cert.pem
chain.pem
fullchain.pem
privkey.pem

It would seem like either SSLCertificateChainFile or SSLCACertificateFile should be pointing to the fullchain.pem however both are pointing to chain.pem

this is probably a dumb question, but which one should point to fullchain.pem?

Osiris · February 15, 2021, 5:57pm

Please read the documentation about SSLCACertificateFile: it's used for client authentication, probably not something you actually want to do, right?

Depending on your Apache version, you may or may not need to set this directive. Again, please read the documentation.

This also depends on your Apache version. If you require to use chain.pem with the SSLCertificateChainFile directive, you won't need fullchain.pem. However, if you don't need to use chain.pem, you can use fullchain.pem without using cert.pem or chain.pem.

Also, please read the certbot documentation about what the files in /live/ actually are. For example, your statement you'd need to use fullchain.pem in SSLCertificateChainFile is not logical, if you know what the contents of fullchain.pem actually were.

rg305 · February 15, 2021, 11:34pm

If you are using:
Server version: Apache/2.4.37 (centos)
[or newer]
Then you don't need to use both of these:

Just:
SSLCertificateFile /etc/letsencrypt/live/www.MYDOMAIN.com/fullchain.pem

edwardsmarkf · February 16, 2021, 12:54am

rg305 - so would it be this one?:

SSLCertificateFile /etc/letsencrypt/live/www.MYDOMAIN.com/fullchain.pem

# httpd -v
Server version: Apache/2.4.37 (centos)
Server built: Nov 4 2020 03:20:37

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatechainfile

### SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file.

i apologize for asking questions that are well documented. it appears my httpd.conf file has some obsolete lines.

schoen · February 16, 2021, 8:31am

I think this option has an unfortunate name, since of course the chain file is also a kind of "CA certificate file" (just not a "CA certificate file" that is used for client authentication, but client authentication isn't mentioned anywhere in the option name!).

Of course, I created the unfortunate option name --renew-by-default in Certbot, which has also caused lots of confusion for users and later got renamed to the more descriptive --force-renewal, so I can certainly sympathize with programmers not managing to convey the connotations they intended with their software option names.

griffin · February 16, 2021, 8:35am

You mean that format didn't convert my hard drive into an 8-track?

edwardsmarkf · February 18, 2021, 11:55pm

hey WATCH IT - i still have one of those.

system · March 20, 2021, 11:56pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using certbot --certonly and existing httpd.conf Help	2	2314	April 12, 2018
Apache directives Server	8	8515	December 7, 2015
Installing LetsEncrypt on a Mac OS X Client Server (Questions) Help	13	10057	January 7, 2016
Putting certificate files under apache2 Server	8	5292	March 20, 2018
Possible documentation error in certbot docs Server	6	1452	September 20, 2016

Apache SSLCertificateChainFile SSLCACertificateFile question

Related topics