Certbot fullchain.pem does not satisfy Qualys

How can a chain be anymore complete than fullchain.pem?

The vhosts are functioning correctly with certbot certs under opensuse Leap 42.2 PHP7 and apache2, but

https://www.ssllabs.com/ssltest/analyze.html?d=privustech.com

caps all our vhost certificates to grade to B:
This server's certificate chain is incomplete. Grade capped to B.

We have run each vhost’s certbot command individually:
certbot --authenticator webroot --installer apache --webroot-path /srv/www/htdocs/<vhost> -d <vhost_domain> -d www.<vhost_domain>

We have examined /etc/apache2/vhosts.d/ip-based_vhosts-le-ssl.conf
Each vhost is properly configured with
/etc/certbot/live/<vhost_domain/**fullchain.pem** as the certificate
and
/etc/certbot/live/<vhost_domain/key.pem as the key.

So how can a chain be anymore complete than fullchain.pem?

This is the current chain send by your webserver for privustech.com:

Certificate chain
 0 s:/CN=privustech.com
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/C=IL/O=StartCom Ltd./OU=StartCom Certification Authority/CN=StartCom Class 1 DV Server CA
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

Obviously, it’s not correct. I’m guessing somewhere in your configuration files there’s some sort of reference to this StartCom certificate. Perhaps a forgotten SSLCertificateChainFile which should have been deleted outside the virtualhosts sections?

By the way, the SSL Server test also mentioned this extra certificate :wink:

Excellent, thank you. We now get “A” ratings. :slight_smile:

ITOT we had outdated entries for SSLCertificateFile, SSLKeyFile, SSLCertificateChainFile, and SSLCACertificateFile in
default-vhost-ssl.conf
ssl-global.conf

• How were you able to read the server response? That would be a good thing to be able to do.

• Yes, it was in the Qualys reply… Information overload, TLDR… :frowning: now I know better what to look for, thanks.

I was uncertain (and still am after quite some time with the documentation) of what files are edited by certbot. It appears that:

• certbot creates /etc/apache2/vhosts.d/ip-based_vhosts-le-ssl.conf and removes the default-vhost-ssl.conf and ssl-global.conf files but does not change any others.

In any case it is miles ahead of the next competitor…

:slight_smile:

Thanks again.

With OpenSSL: openssl s_client -connect privustech.com:443 -servername privustech.com

To be fair, Qualys actually doesn’t show the actual “chain” served by the server. It only shows the rebuild chain (if possible) and any “extra” certificate.

certbot should never delete any configuration file. It only searches for <VirtualHost> sections and copy such sections to a separate file with the filename applied from the filename from the source configuration file appended with -le-ssl.conf. It shouldn’t even modify the original source configuration file on which the <VirtualHost> section was based on.

OK, thanks again… A big improvement over hand massaging…

Cheers, Andy

This issue has come up a few times on the forum so I filed a feature request:

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.