caps all our vhost certificates to grade B: This server's certificate chain is incomplete. Grade capped to B.
We have run each vhost’s certbot command individually: certbot --authenticator webroot --installer apache --webroot-path /srv/www/htdocs/<vhost> -d <vhost_domain> -d www.<vhost_domain>
We have examined /etc/apache2/vhosts.d/ip-based_vhosts-le-ssl.conf
Each vhost is properly configured with /etc/certbot/live/<vhost_domain>/**fullchain.pem** as the certificate
and /etc/certbot/live/<vhost_domain>/key.pem as the key.
So how can a chain be any more complete than fullchain.pem?
This is the current chain sent by your webserver for privustech.com:
```
Certificate chain
 0 s:/CN=privustech.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
```
Obviously, it’s not correct. I’m guessing somewhere in your configuration files there’s some sort of reference to this StartCom certificate. Perhaps a forgotten SSLCertificateChainFile which should have been deleted outside the virtualhosts sections?
By the way, the SSL Server test also mentioned this extra certificate
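The chain above can be checked mechanically: each certificate's issuer must be the subject of the next certificate the server sends. The script below is an added example (not from the thread or from certbot); it parses the "Certificate chain" section that `openssl s_client` prints and reports where the served chain fails to link. The two sample outputs embedded in it are constructed, one modelled on the broken chain quoted above and one showing what a correctly served fullchain.pem looks like.

```python
"""Parse the 'Certificate chain' section printed by `openssl s_client` and
check that each certificate's issuer is the subject of the next one.
Added example; the sample outputs below are constructed, not live captures."""
import re
import sys
from typing import Dict, List

# Constructed sample modelled on the chain quoted in the thread.
SAMPLE_BROKEN = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=privustech.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(omitted in this constructed sample)
-----END CERTIFICATE-----
"""

# Constructed sample of what a correctly served fullchain.pem looks like.
SAMPLE_GOOD = """\
Certificate chain
 0 s:/CN=privustech.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
ISSUER_RE = re.compile(r"^\s*i:(.*)$")


def parse_chain(text: str) -> List[Dict[str, object]]:
    """Return [{'depth': n, 'subject': ..., 'issuer': ...}, ...] in served order."""
    entries: List[Dict[str, object]] = []
    in_chain = False
    current = None
    for line in text.splitlines():
        if not in_chain:
            in_chain = line.strip() == "Certificate chain"
            continue
        if line.startswith("---"):  # end of the chain section
            break
        m = SUBJECT_RE.match(line)
        if m:
            current = {"depth": int(m.group(1)), "subject": m.group(2).strip(), "issuer": ""}
            entries.append(current)
            continue
        m = ISSUER_RE.match(line)
        if m and current is not None:
            current["issuer"] = m.group(1).strip()
    return entries


def chain_problems(entries: List[Dict[str, object]]) -> List[str]:
    """Linkage problems: cert n must be issued by the subject of cert n+1."""
    if not entries:
        return ["no 'Certificate chain' section found"]
    problems = []
    for lower, upper in zip(entries, entries[1:]):
        if lower["issuer"] != upper["subject"]:
            problems.append(
                f"cert {lower['depth']} is issued by {lower['issuer']!r}, "
                f"but cert {upper['depth']} is {upper['subject']!r}; "
                f"the served chain does not link"
            )
    return problems


def expected_trust_anchor(entries: List[Dict[str, object]]) -> str:
    """Issuer of the last served cert: the client must find this in its trust store."""
    return str(entries[-1]["issuer"]) if entries else ""


if __name__ == "__main__":
    # Usage: openssl s_client -connect host:443 -servername host </dev/null 2>/dev/null \
    #          | python3 check_chain.py /dev/stdin
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    chain = parse_chain(text)
    for e in chain:
        print(f"{e['depth']}: {e['subject']}  <- {e['issuer']}")
    for p in chain_problems(chain):
        print("PROBLEM:", p)
    if chain:
        print("trust anchor needed:", expected_trust_anchor(chain))
```

Run without arguments it analyses the constructed broken sample and flags that certificate 0 (issued by Let's Encrypt Authority X3) is followed by a StartCom intermediate, which is exactly the "incomplete chain" the scanner complains about; the issuer it reports as the needed trust anchor tells you which certificate the server should have sent instead.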
ITOT we had outdated entries for SSLCertificateFile, SSLKeyFile, SSLCertificateChainFile, and SSLCACertificateFile in default-vhost-ssl.conf and ssl-global.conf
• How were you able to read the server response? That would be a good thing to be able to do.
• Yes, it was in the Qualys reply… Information overload, TLDR… now I know better what to look for, thanks.
I was uncertain (and still am after quite some time with the documentation) of what files are edited by certbot. It appears that:
• certbot creates /etc/apache2/vhosts.d/ip-based_vhosts-le-ssl.conf and removes the default-vhost-ssl.conf and ssl-global.conf files but does not change any others.
In any case it is miles ahead of the next competitor…
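The leftover directives described in the post above are easy to miss because they sit in server-config context rather than in a vhost. The script below is an added example (not from the thread, certbot or Apache) that walks Apache configuration files, tracks `<VirtualHost>` nesting and lists the mod_ssl certificate directives found outside any vhost. The two configuration snippets embedded in it are constructed to mirror the situation in the thread; the file names and paths are illustrative.

```python
"""Find mod_ssl certificate directives in Apache config text and report the
ones that sit outside any <VirtualHost> block, where they are inherited by
every SSL vhost that does not override them. Added example with constructed
config snippets; file names and paths are illustrative."""
import re
import sys
from pathlib import Path
from typing import Dict, List

CERT_DIRECTIVES = {
    "sslcertificatefile",
    "sslcertificatekeyfile",
    "sslcertificatechainfile",
    "sslcacertificatefile",
}

# Constructed sample files, modelled on the situation in the thread.
SAMPLE_FILES: Dict[str, str] = {
    "ssl-global.conf": """\
<IfModule mod_ssl.c>
    SSLRandomSeed startup builtin
    # constructed leftover from an earlier StartCom setup
    SSLCertificateChainFile /etc/apache2/ssl.crt/startcom-intermediate.crt
</IfModule>
""",
    "vhosts.d/ip-based_vhosts-le-ssl.conf": """\
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName privustech.com
    DocumentRoot /srv/www/htdocs/privustech.com
    SSLEngine on
    SSLCertificateFile /etc/certbot/live/privustech.com/fullchain.pem
    SSLCertificateKeyFile /etc/certbot/live/privustech.com/privkey.pem
</VirtualHost>
</IfModule>
""",
}

VHOST_OPEN = re.compile(r"^<virtualhost\b", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^</virtualhost>", re.IGNORECASE)


def find_cert_directives(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Return every certificate directive with file, line and whether it is inside a vhost."""
    found: List[Dict[str, object]] = []
    for name, text in files.items():
        depth = 0  # current <VirtualHost> nesting depth
        for lineno, raw in enumerate(text.splitlines(), start=1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            if VHOST_OPEN.match(line):
                depth += 1
                continue
            if VHOST_CLOSE.match(line):
                depth = max(depth - 1, 0)
                continue
            parts = line.split(None, 1)
            if parts[0].lower() in CERT_DIRECTIVES:
                found.append({
                    "file": name,
                    "line": lineno,
                    "directive": parts[0],
                    "value": parts[1] if len(parts) > 1 else "",
                    "in_vhost": depth > 0,
                })
    return found


def stray_global_directives(files: Dict[str, str]) -> List[Dict[str, object]]:
    """Directives in server-config context: candidates for the forgotten chain file."""
    return [d for d in find_cert_directives(files) if not d["in_vhost"]]


def load_conf_dir(root: str) -> Dict[str, str]:
    """Read every *.conf under root (e.g. /etc/apache2) into {relative path: text}."""
    base = Path(root)
    return {str(p.relative_to(base)): p.read_text() for p in sorted(base.rglob("*.conf"))}


if __name__ == "__main__":
    # Usage: python3 find_stray_ssl.py /etc/apache2   (defaults to the constructed sample)
    files = load_conf_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FILES
    for d in stray_global_directives(files):
        print(f"{d['file']}:{d['line']}: {d['directive']} {d['value']} (outside any <VirtualHost>)")
```

mod_ssl directives set in the main server context are inherited by every virtual host that does not set the same directive itself, which is how one forgotten global SSLCertificateChainFile ends up in the chain of every vhost at once. On Apache 2.4.8 and later SSLCertificateChainFile is deprecated anyway: pointing SSLCertificateFile at fullchain.pem, as certbot does, already supplies the intermediate.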
With OpenSSL: openssl s_client -connect privustech.com:443 -servername privustech.com
To be fair, Qualys actually doesn't show the actual "chain" served by the server. It only shows the rebuilt chain (if possible) and any "extra" certificate.
certbot should never delete any configuration file. It only searches for <VirtualHost> sections and copies such sections to a separate file with the filename taken from the source configuration file, appended with -le-ssl.conf. It shouldn't even modify the original source configuration file on which the <VirtualHost> section was based.