Certificate Chain not working

I have received a certificate chain from Let's Encrypt. I’m using Windows Server, Tomcat 9 with a keystore. The certificate chain fails with the message:
This site can’t provide a secure connection

info.finwoks.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

Diagnostics does not tell me anything.

If I double click on the certificate chain I get an output that shows the certificate path as
DST Root CA X3
Let’s Encrypt Authority X1
info.finwoks.com
the last being my domain name.
I can click on the first two and then on View Certificate and see those certificates. However, for the last one, my domain certificate, View Certificate is grayed out, but the Certificate status says: This certificate is OK.
I then ran OpenSSL (openssl x509 -in domain-chain.crt -noout -text) and got:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e5:f1:25:dd:45:fe:cb:bb:ed:b7:e2:2d:6c:a7:39:6a:a4
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let’s Encrypt, CN=Let’s Encrypt Authority X3
Validity
Not Before: Oct 23 19:43:04 2017 GMT
Not After : Jan 21 19:43:04 2018 GMT
Subject: CN=info.finwoks.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
3A:62:01:AD:83:83:3E:E8:E5:23:6B:C2:42:33:76:05:B9:BE:2B:D5
X509v3 Authority Key Identifier:
keyid:A8:4A:6A:63:04:7D:DD:BA:E6:D1:39:B7:A6:45:65:EF:F3:A8:EC:A1

Authority Information Access:
OCSP - URI:http://ocsp.int-x3.letsencrypt.org
CA Issuers - URI:http://cert.int-x3.letsencrypt.org/
X509v3 Subject Alternative Name:
DNS:info.finwoks.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
Policy: 1.3.6.1.4.1.44947.1.1.1
CPS: http://cps.letsencrypt.org
User Notice:
Explicit Text: This Certificate may only be relied upon by Relying Parties and only in accordance with the Certificate Policy found at https://letsencrypt.org/repository/

Signature Algorithm: sha256WithRSAEncryption

My question: Is the domain certificate corrupted or missing? Windows seems to say it is there.

Any clarification would be appreciated.
Don

Hi Don,

I can’t connect to https://info.finwoks.com/ at all, only to http://info.finwoks.com/. Are you running HTTPS on a port other than the default 443, or do you have a firewall that prevents people outside your network from connecting to port 443, or did you subsequently disable the HTTPS service while investigating the problem?

The “ERR_SSL_PROTOCOL_ERROR” is not a certificate-related error and does not suggest that there’s anything wrong or invalid about your certificate. Rather, it suggests that there’s a problem of some sort in the HTTPS configuration on the server side, for example things like speaking HTTP instead of HTTPS on port 443.

@flinn314, just to add one more comment to @schoen’s post, I’m wondering how you got your intermediate certificate; you said that it is Let’s Encrypt Authority X1 but it should be Let’s Encrypt Authority X3, so something scary is happening there :P.

Good catch, @sahsanu! I wasn’t looking closely at that part and I thought it was a browser like Firefox building a chain from ISRG Root X1 (which does happen in current Firefox versions). But you’re right, it says Let’s Encrypt Authority X1, which is not appropriate for any recent certificate.

Thanks for the catch. I’ll trace through and see why I’m getting X1 and not X3. Seth, I’m redirecting to port 8443. Tomcat does the redirect.

I’ll respond when I find out why X1.

Don

As I thought, your server is speaking HTTP on port 8443, not HTTPS. You can see this by going to

http://info.finwoks.com:8443/

This is a result of some kind of server misconfiguration and isn’t related to your certificate.
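A check that tells the two cases apart the way schoen describes (a listener speaking HTTP on the HTTPS port versus a certificate that fails verification), written here as an added example rather than anything from the thread. The function names and the loopback test listener are constructed for this example; the checks use only Python's standard library.

```python
import socket
import ssl
import threading

def speaks_plain_http(host: str, port: int, timeout: float = 5.0) -> bool:
    """Send a cleartext request; True when an HTTP status line comes back."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            return sock.recv(32).startswith(b"HTTP/")
    except OSError:
        return False

def diagnose(host: str, port: int, timeout: float = 5.0) -> str:
    """One of: tls-ok, certificate-problem, plaintext-http, not-tls, unreachable."""
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.getpeercert()  # handshake finished and the chain verified
                return "tls-ok"
    except ssl.SSLCertVerificationError:
        return "certificate-problem"  # TLS ran; the chain or name is what failed
    except ssl.SSLError:
        # OpenSSL got something other than a TLS record back (Chrome's
        # ERR_SSL_PROTOCOL_ERROR); confirm whether it was an HTTP response
        return "plaintext-http" if speaks_plain_http(host, port, timeout) else "not-tls"
    except OSError:
        return "unreachable"

def start_fake_plain_http_listener() -> int:
    """Constructed test double: loopback listener answering every connection in cleartext HTTP."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.recv(65536)  # a ClientHello or a request line; reply with HTTP either way
                conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    port = start_fake_plain_http_listener()
    print(diagnose("127.0.0.1", port))  # plaintext-http
```

Against the thread's real host you would call diagnose("info.finwoks.com", 8443); "plaintext-http" means the Tomcat connector is not configured for TLS, while "certificate-problem" means the handshake worked and the chain is what needs fixing.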

Seth,

Tomcat does things as follows, as recommended in the Tomcat documentation

I did do the redirect to 443 but same problem
and also


CONFIDENTIAL

turns on SSL

if you point the browser at info.finwoks.com//Financials/test_index.php it does the redirect to port 8443.

I’m using the Java code by Richard “Shred” Körber with a few modifications. This is necessary because Tomcat uses different paths for the challenge and authorization etc., so the other scripts don’t work for Tomcat.

The Java program uses BouncyCastle and I’m looking at BC where it creates the CSR. I think that this is where the resulting X1 is. I’ll let you know.

Don

Well, I don’t know anything about how to configure Tomcat but the HTTP instead of HTTPS listener is clearly something about the Tomcat configuration. A redirect doesn’t affect the behavior of whatever is or isn’t listening on the other end of the redirect; you can’t fix this problem by adding or removing redirects.

I'm still working on getting the certificate

I’m attempting to get a client that will work with Tomcat, which has a number of peculiarities, making the existing clients unresponsive to Tomcat’s needs. The Apache Tomcat has no client for letsencrypt. If I can get this to work, I’ll supply it to the Tomcat group.

In this case I’m using acme://letsencrypt.org/staging. This is because I’m at the limit, but I’m only making one or two real requests per day. Don’t think I hit 20 per month. Don’t understand that but …

My certificate request is shown below. Is this correct? Because the certificate chain returned from Let's Encrypt, also shown below, has only two certificates - is this correct or is it an artifact of using staging? It also, as was pointed out earlier by sahsanu, has CN=Fake LE Intermediate X1, which should be X3. Since I already passed authentication, the only thing that goes to ACME is the CSR. Is this correct? So why X1?

Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=info.finwoks.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (2048 bit)
Modulus (2048 bit):
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
DNS:info.finwoks.com
Signature Algorithm: sha256WithRSAEncryption

and the certificate chain I got from letsencrypt is

Certificate[1]:
Owner: CN=info.finwoks.com
Issuer: CN=Fake LE Intermediate X1
Serial number: fae52516100cbc09c157cdeeb04a2d7cf95c
Valid from: Thu Oct 26 08:36:56 EDT 2017 until: Wed Jan 24 07:36:56 EST 2018
Certificate fingerprints:
MD5: CB:2B:A4:F7:A3:0C:D9:95:A4:46:D9:E7:23:78:58:6E
SHA1: 57:55:93:07:36:86:91:69:1F:76:50:E2:57:72:6B:A9:80:1D:F2:4F
SHA256: 2E:77:52:D9:CB:1E:FE:9A:91:72:7E:B6:3F:BD:DE:D3:7C:DA:FD:14:50:1A:73:39:3E:19:FC:E3:D7:52:7D:0C
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.stg-int-x1.letsencrypt.org
,
accessMethod: caIssuers
accessLocation: URIName: http://cert.stg-int-x1.letsencrypt.org/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C0 CC 03 46 B9 58 20 CC 5C 72 70 F3 E1 2E CB 20 …F.X .\rp…
0010: A6 F5 68 3A …h:
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

#4: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.23.140.1.2.1]
[] ]
[CertificatePolicyId: [1.3.6.1.4.1.44947.1.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1A 68 74 74 70 3A 2F 2F 63 70 73 2E 6C 65 74 …http://cps.let
0010: 73 65 6E 63 72 79 70 74 2E 6F 72 67 sencrypt.org

], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 81 9E 0C 81 9B 54 68 69 73 20 43 65 72 74 69 0…This Certi
0010: 66 69 63 61 74 65 20 6D 61 79 20 6F 6E 6C 79 20 ficate may only
0020: 62 65 20 72 65 6C 69 65 64 20 75 70 6F 6E 20 62 be relied upon b
0030: 79 20 52 65 6C 79 69 6E 67 20 50 61 72 74 69 65 y Relying Partie
0040: 73 20 61 6E 64 20 6F 6E 6C 79 20 69 6E 20 61 63 s and only in ac
0050: 63 6F 72 64 61 6E 63 65 20 77 69 74 68 20 74 68 cordance with th
0060: 65 20 43 65 72 74 69 66 69 63 61 74 65 20 50 6F e Certificate Po
0070: 6C 69 63 79 20 66 6F 75 6E 64 20 61 74 20 68 74 licy found at ht
0080: 74 70 73 3A 2F 2F 6C 65 74 73 65 6E 63 72 79 70 tps://letsencryp
0090: 74 2E 6F 72 67 2F 72 65 70 6F 73 69 74 6F 72 79 t.org/repository
00A0: 2F /

]] ]
]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

#6: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: info.finwoks.com
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 49 E9 BC 33 D5 D5 8C B5 AD 1D F9 CF 57 2B C3 45 I…3…W+.E
0010: D8 C8 AE 79 …y
]
]

Certificate[2]:
Owner: CN=Fake LE Intermediate X1
Issuer: CN=Fake LE Root X1
Serial number: 8be12a0e5944ed3c546431f097614fe5
Valid from: Mon May 23 18:07:59 EDT 2016 until: Fri May 23 18:07:59 EDT 2036
Certificate fingerprints:
MD5: 5E:DE:46:F8:43:26:16:E5:77:71:57:88:CC:81:50:2F
SHA1: 4E:EE:73:98:C1:A3:DA:F9:1D:A1:66:89:DB:82:43:92:7A:27:1B:9A
SHA256: A9:9C:1B:71:DA:32:AD:D9:42:97:14:F7:1E:74:0A:FD:C5:43:C4:F7:F0:12:A7:48:D2:4A:78:9B:8B:F3:D6:C7
Signature algorithm name: SHA256withRSA
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.stg-root-x1.letsencrypt.org/
,
accessMethod: caIssuers
accessLocation: URIName: http://cert.stg-root-x1.letsencrypt.org/
]
]

#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C1 26 74 A4 8A 44 A0 E6 FA 20 28 D8 5C 23 9A 45 .&t…D… (.#.E
0010: 88 18 79 E0 …y.
]
]

#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:0
]

#4: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: C0 CC 03 46 B9 58 20 CC 5C 72 70 F3 E1 2E CB 20 …F.X .\rp…
0010: A6 F5 68 3A …h:
]
]

Keep in mind that Fake LE Intermediate X1 is not the same as Let’s Encrypt Authority X1.

When you issue a certificate on the Let's Encrypt staging server, your certificate is always signed by Fake LE Intermediate X1, so you receive a certificate signed by this fake CA and the intermediate CA certificate, which is Fake LE Intermediate X1.

When you issue a certificate on the Let's Encrypt production server, your certificate is always signed by Let’s Encrypt Authority X3 (right now; it could change in the future), so you receive a certificate signed by this CA and the intermediate CA certificate, which is Let’s Encrypt Authority X3.

Let’s Encrypt Authority X1 was the production intermediate certificate for Let's Encrypt, but it has not been in use since 16 March 2016. That is the reason I said that if the intermediate CA for your production cert, which is signed by Let’s Encrypt Authority X3, is shown as Let’s Encrypt Authority X1, something really wrong is going on there.

Cheers,
sahsanu


Thanks Sahsanu

A little more information: I went to the Let's Encrypt site for looking up certificates and found that the real certificates were issued by Let’s Encrypt Authority X3. I also found that I had been issued 5 certs over the past week. So, I will have to wait until Sunday, when one will become available, to run a real test. Meanwhile, does the test certificate that I received and sent in the previous reply look ok for a test cert? In other words, so far so good??

How many certificates should the real certificate chain contain? See you all next week.
Don

Yes, seems so.

Two, the certificate for Let’s Encrypt Authority X3 and the cert for your domain(s) signed by Let’s Encrypt Authority X3.
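Putting sahsanu's staging-versus-production explanation and the "two certificates" answer into a check: an added example, not code from the thread, that parses keytool -list -v output like the listing posted above and reports whether the chain links up, whether it came from staging, and whether the leaf was signed by the retired X1 intermediate. The function names, the marker lists and the sample excerpt are constructed for this example.

```python
import re

STAGING_MARKERS = ("Fake LE", "stg-int-x1", "stg-root-x1")  # staging names/AIA hosts seen in the thread
RETIRED_INTERMEDIATE = "Let's Encrypt Authority X1"  # production intermediate retired in March 2016

def parse_keytool_chain(text: str) -> list:
    """Split `keytool -list -v` style output into one dict per Certificate[n] block."""
    certs = []
    for block in re.split(r"^Certificate\[\d+\]:\s*$", text, flags=re.M)[1:]:
        fields = {k.lower(): (m.group(1) if (m := re.search(rf"^{k}:\s*(.+?)\s*$", block, re.M)) else None)
                  for k in ("Owner", "Issuer")}
        m = re.search(r"BasicConstraints:\[\s*CA:(true|false)", block)
        fields["ca"] = (m.group(1) == "true") if m else None
        fields["staging"] = any(marker in block for marker in STAGING_MARKERS)
        certs.append(fields)
    return certs

def check_chain(certs: list) -> list:
    """Findings for a leaf-first chain; an empty list means it looks like a production LE chain."""
    if not certs:
        return ["no certificates found"]
    findings = []
    if len(certs) != 2:
        findings.append(f"expected 2 certificates (leaf + intermediate), found {len(certs)}")
    if certs[0]["ca"] is not False:
        findings.append("Certificate[1] is not an end-entity certificate (CA:false)")
    for i in range(1, len(certs)):  # each issuer must be the next certificate's owner
        if certs[i - 1]["issuer"] != certs[i]["owner"]:
            findings.append(f"Certificate[{i}] issuer does not match Certificate[{i + 1}] owner")
    if any(c["staging"] for c in certs):
        findings.append("issued by the staging environment; browsers will not trust it")
    if RETIRED_INTERMEDIATE in (certs[0]["issuer"] or ""):
        findings.append("leaf was signed by the retired Let's Encrypt Authority X1 intermediate")
    return findings

# Constructed excerpt modelled on the staging chain posted in the thread
SAMPLE_STAGING_CHAIN = """Certificate[1]:
Owner: CN=info.finwoks.com
Issuer: CN=Fake LE Intermediate X1
BasicConstraints:[
CA:false
]
Certificate[2]:
Owner: CN=Fake LE Intermediate X1
Issuer: CN=Fake LE Root X1
BasicConstraints:[
CA:true
]
"""
```

Run check_chain(parse_keytool_chain(open("chain.txt").read())) on a saved keytool listing; for the staging chain above the only finding is the staging warning, which is why that chain is fine for testing but not for a browser.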

Hi @flinn314,

Why are you using a CSR here? Do you have an externally-generated private key that you specifically need to use?

We’ve had lots of threads from Tomcat users here; they usually used an existing ACME client like Certbot in standalone mode (which runs its own temporary web server instead of relying on an existing web server), which generated all of the keys and certificates for them. Then they used the certificate tools to convert these to a format that Tomcat could use. In this case, they never needed to generate a certificate at all; everything was generated for them.

I think several of the clients have a standalone (or webroot) mode, which are intended for use when you have a web server that doesn’t directly integrate with the client. In a standalone mode, your web server must not be listening on port 443 (or, if you prefer, port 80) when you run the Let’s Encrypt client. In a webroot mode, your web server must already be listening on port 80, and must be able to serve files at arbitrary paths when they’re written into a specified directory.
