Certbot certificate has been set up but site cannot be accessed via https

How old is that Apache?

SSLCertificateChainFile was deprecated many years ago!

2 Likes

2.4.18, is that bad?

No that's good [enough].

But using SSLCertificateChainFile is no longer necessary.

Again:

3 Likes

Well I mean, it works so I won't change it, but thanks for the info.

1 Like

"it works" for now - LOL

Cheers from Miami :beers:

2 Likes

Normally Apache is configured like the thread below. Note only versions prior to 2.4.8 need the ChainFile setting, and after that it is deprecated (as rg305 noted).

You definitely would not use fullchain.pem in both the ...File and ...Chain settings, but it doesn't look like you are (per the SSL Checker site I linked earlier).

And, something seems not quite right with your config as you are sending the X1 root. That's not harmful except it is extra data transmitted that is not used.

Apache Config:

Cert Chain Issue
https://www.ssllabs.com/ssltest/analyze.html?d=vistaman.ftp.sh&hideResults=on

2 Likes
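The rules in the post above (ChainFile only needed before 2.4.8, never the same file in both settings) can be checked mechanically. This is an added example, not code from any poster or from the Apache project; the function names, finding texts and sample paths are made up for illustration.

```python
import re

# Real mod_ssl directive names; surrounding quotes on the path are dropped.
DIRECTIVE = re.compile(
    r'^[ \t]*(SSLCertificate(?:Chain|Key)?File)[ \t]+"?([^"\r\n]+?)"?[ \t\r]*$',
    re.IGNORECASE | re.MULTILINE)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.DOTALL)
CHAINFILE_DEPRECATED = (2, 4, 8)  # version threshold quoted in the thread

# Constructed sample input (hypothetical paths), shaped like a UwAmp VirtualHost.
SAMPLE_VHOST = r'''
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateKeyFile "C:\certs\privkey.pem"
    SSLCertificateFile "C:\certs\fullchain.pem"
    SSLCertificateChainFile "C:/certs/FULLCHAIN.pem"
</VirtualHost>
'''

def norm(path):
    """Compare Windows paths regardless of slash direction or case."""
    return path.replace("\\", "/").lower()

def audit_vhost(config_text, apache_version, bundle_text=None):
    """Return findings for the certificate directives of one VirtualHost."""
    # Compare versions as integer tuples: as strings, "2.4.18" sorts before "2.4.8".
    version = tuple(int(p) for p in apache_version.split("."))
    seen = {n.lower(): v for n, v in DIRECTIVE.findall(config_text)}
    cert = seen.get("sslcertificatefile")
    chain = seen.get("sslcertificatechainfile")
    findings = []
    if cert is None:
        findings.append("no SSLCertificateFile in this VirtualHost")
    if version >= CHAINFILE_DEPRECATED:
        if chain is not None:
            findings.append("SSLCertificateChainFile is deprecated since 2.4.8")
        elif bundle_text is not None and len(PEM_CERT.findall(bundle_text)) < 2:
            findings.append("SSLCertificateFile has no intermediate certificate")
    elif chain is None:
        findings.append("before 2.4.8 the intermediates need SSLCertificateChainFile")
    if cert and chain and norm(cert) == norm(chain):
        findings.append("same file in SSLCertificateFile and SSLCertificateChainFile")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vhost(SAMPLE_VHOST, "2.4.18")))
```

Passing the content of fullchain.pem as `bundle_text` only counts PEM blocks; it does not tell the short chain from the long chain or spot an included root, which needs a tool that decodes the certificates.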

What? What does that mean?
Also, is it bad if my website does not work with https on Android 5? The error code is NET:ERR_CERT_AUTHORITY_INVALID.

It means what deprecated objects normally mean:
They are not expected to be around forever.

Otherwise, I'd still be using WFW3.11, WordPerfect, and Netscape

3 Likes

Do you know the answer to my question? Sorry if this is annoying by the way.

1 Like

The answer about Android 5 is because you are using the "short chain" instead of the default "long chain".

Please show us the VirtualHost for port 443 for this domain. And, put 3 backticks before and after so nothing is lost like:
```
VirtualHost lines
```

3 Likes

```
<VirtualHost *:443>
#UWAMP Generate Virtual Host
	DocumentRoot "C:/UwAmp/www/"
	ServerName "main-serveur"
	SSLEngine on
	SSLCertificateKeyFile "C:\Users\Maksio\apache\privkey.pem"
	SSLCertificateFile "C:\Users\Maksio\apache\fullchain.pem"
	Alias "/mysql/" "C:/UwAmp/phpapps/phpmyadmin/"
	Alias "/mysql" "C:/UwAmp/phpapps/phpmyadmin/"
	Alias "/uwamp/" "C:/UwAmp/phpapps/uwamp/"
	Alias "/uwamp" "C:/UwAmp/phpapps/uwamp/"
	<Directory "C:/UwAmp/phpapps/phpmyadmin/">
		AllowOverride All
		Options FollowSymLinks Includes Indexes
		Require local
	</Directory>
	<Directory "C:/UwAmp/phpapps/uwamp/">
		AllowOverride All
		Options FollowSymLinks Includes Indexes
		Require local
	</Directory>
	<Directory "C:/UwAmp/www/">
		AllowOverride All
		Options FollowSymLinks Indexes
		Require all granted

	</Directory>
</VirtualHost>
```

1 Like

That's the VirtualHost for vistaman.ftp.sh ?

2 Likes

Maybe it's the only, OR default, host file - LOL

Where is this "SSLCertificateChainFile" being used?:

3 Likes

Yeah, looks like it is the one responding; it just relies on default name matching. I get 403 when trying their mysql or uwamp URIs per that VHost's 'require local'.

So, how did fullchain.pem become the short chain?

I wonder if this happens in Certify? I know Windows builds its own chains for IIS which are always the short chain because DST is expired. But, I didn't think this affected other servers.

It's late there now but ...
@webprofusion Should Certify export the fullchain.pem for Apache as the default "long chain" from Let's Encrypt? How could it become the short chain as it seems to here?

3 Likes

Sounds like CTW installs the cert into Windows root store.
Then exports it from that root store as .pem files.
If so, that means it's at the mercy of Windows to provide the chain.
That said, there should be some sort of "export using long chain" option within CTW.

2 Likes

Oh, I forgot to say, I did what you said and used the full chain like this:

```
SSLCertificateKeyFile "C:\Users\Maksio\apache\privkey.pem"
SSLCertificateFile "C:\Users\Maksio\apache\fullchain.pem"
```

1 Like

Now you just need to use an even longer full chain file - LOL

But it should be done in an automated fashion.

2 Likes

Where do I get that? There is nothing more that Certify The Web provides.

Be patient.
There is already a request to the developer.
See post #34: Certbot certificate has been set up but site cannot be accessed via https - #34 by MikeMcQ

I think the sun is not up yet down under, so it might be a few more hours before you hear from him.

3 Likes

Oh, OK.