Certificate-chain problem on subdomain

Hey all!
I have a problem with a certificate on one of my subdomains. But first, the filled-out preset :wink:

My domain is: luxaround.de -> api.luxaround.de

I ran this command: certbot --apache

It produced this output:

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Which names would you like to activate HTTPS for?


1: luxaround.de
2: api.luxaround.de
3: apidoc.luxaround.de
4: backend.luxaround.de
5: www.luxaround.de


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Certificate not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/luxaround.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the certificate (may be subject to CA rate limits)

No matter what I choose here, the result is always "everything's fine now".

My web server is (include version): Apache 2.4.29

The operating system my web server runs on is (include version): Ubuntu 18.04.6 LTS

My hosting provider, if applicable, is: Plutex.de

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no, every change is made over ssh

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 1.20.0

The problem is:
If you look here: https://decoder.link/sslchecker/api.luxaround.de/443 you can see that the site states that there is a problem with the certificate chain. The API domain has an additional cert file in its config.

SSL-config for every domain except api.luxaround.de:
ServerName $domain.luxaround.de
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/luxaround/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/luxaround/privkey.pem

SSL-config for api.luxaround.de:
ServerName api.luxaround.de
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/luxaround/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/luxaround/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/luxaround/privkey.pem

If I remove the cert.pem line, Apache won't start at all; the log says "Fatal error initialising mod_ssl".
Same error occurs if I add the "Include /etc/letsencrypt/options-ssl-apache.conf" line to the api-config.

Question: How do I fix this? I am pretty new to all this config stuff and would appreciate it very much if this community could help me out :slight_smile: If you need any additional information, I will provide it happily :smiley:

This is incorrect. Fullchain.pem also contains cert.pem, so this is double.

Compare it to the configuration you've posted just above it.

2 Likes

As I've written, I'm aware of that. But if I remove this line, the Apache server won't start at all, stating this in the error.log:

Failed to configure at least one certificate and key for api.luxaround.de:443
SSL Library Error: error:140A80B1:SSL routines:SSL_CTX_check_private_key:no certificate assigned

Please compare the two configurations again. If you remove the line with cert.pem, do the two configurations look identical? Hint: no.

You need to combine the two top lines, don't just delete one.

2 Likes

ServerName api.luxaround.de
SSLEngine on
Include /etc/letsencrypt/options-ssl-apache.conf
SSLCertificateFile /etc/letsencrypt/live/luxaround/cert.pem
SSLCertificateChainFile /etc/letsencrypt/live/luxaround/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/luxaround/privkey.pem

This is what it now looks like. Apache (re)starts without errors, but the broken certificate chain remains according to this: https://decoder.link/sslchecker/api.luxaround.de/443 Did I combine those two lines correctly, or am I being stupid now?

It looks exactly the same as before? I still see three SSLCertificate* lines.

2 Likes

Ok, then I don't understand what it should look like.
If I delete any of these lines or only use two of them in any combination, Apache fails to start.
Can you just post how it should look? Maybe then my brain goes click? :o

SSLCertificateFile /etc/letsencrypt/live/luxaround/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/luxaround/privkey.pem

2 Likes

It can be so easy if you understand what you are doing. Thanks! It worked!
I have to learn a lot I think :o Thanks so much!

2 Likes

Apache 2.4.29 doesn't use SSLCertificateChainFile.
That was probably included by upgrading this system over many years.

1 Like

The fact it's deprecated doesn't mean it isn't being used.

In this case the end-leaf certificate was included twice:

  • Once by SSLCertificateFile with the cert.pem option and;
  • Once again by SSLCertificateChainFile by using fullchain.pem.

All the non-api subdomains were already using the correct configuration:

So I don't really understand why it was so hard to figure out the correct configuration directives
for the api subdomain :roll_eyes:

2 Likes
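As an added illustration (not code from the thread or from Apache): a small Python model of how Apache 2.4 assembles the chain it sends, taking every certificate in SSLCertificateFile first and then appending every certificate in SSLCertificateChainFile without de-duplication. It runs over constructed stand-in PEM blocks (arbitrary bytes, not real X.509 data) named after the files under /etc/letsencrypt/live/luxaround/, and shows why cert.pem plus fullchain.pem sends the leaf twice while fullchain.pem alone does not.

```python
import base64
import hashlib
import re

# One PEM CERTIFICATE block; re.S lets the body span lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(text):
    """SHA-256 fingerprints (shortened) of every CERTIFICATE block, in file order."""
    fps = []
    for m in PEM_RE.finditer(text):
        der = base64.b64decode("".join(m.group(1).split()))
        fps.append(hashlib.sha256(der).hexdigest()[:16])
    return fps


def served_chain(cert_file, chain_file=None):
    """Model Apache 2.4: all certs from SSLCertificateFile, then all certs from
    SSLCertificateChainFile appended verbatim (no de-duplication)."""
    chain = pem_fingerprints(cert_file)
    if chain_file is not None:
        chain += pem_fingerprints(chain_file)
    return chain


def duplicate_positions(chain):
    """Return (first_index, repeat_index) pairs for certs that appear more than once."""
    seen, dups = {}, []
    for i, fp in enumerate(chain):
        if fp in seen:
            dups.append((seen[fp], i))
        else:
            seen[fp] = i
    return dups


# Constructed stand-ins for cert.pem and fullchain.pem (not real certificates).
def _fake_pem(payload):
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(payload).decode()}\n-----END CERTIFICATE-----\n"


LEAF = _fake_pem(b"constructed leaf for api.luxaround.de")
INTERMEDIATE = _fake_pem(b"constructed intermediate CA")
CERT_PEM = LEAF                       # cert.pem holds only the leaf
FULLCHAIN_PEM = LEAF + INTERMEDIATE   # fullchain.pem holds leaf + intermediate

if __name__ == "__main__":
    broken = served_chain(CERT_PEM, FULLCHAIN_PEM)   # the api subdomain's original config
    fixed = served_chain(FULLCHAIN_PEM)              # the config the other subdomains used
    print("broken chain:", broken, "duplicates:", duplicate_positions(broken))
    print("fixed chain:", fixed, "duplicates:", duplicate_positions(fixed))
```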

Wait!
You are saying that even though it is deprecated, it was still being used by Apache 2.4.29 ?

I'm late to the game so I can't see what chain was being served :frowning:

1 Like

Yes, SSLCertificateChainFile is still a valid (but deprecated) option in latest Apache 2.4.51.

It might even be available in 2.5.x looking at the documentation for "trunk": mod_ssl - Apache HTTP Server Version 2.5 :scream:

2 Likes

I'll have to make a mental note of that - LOL
Thanks :slight_smile:

[one more reason why I don't like Apache]

1 Like

@rg305 what do you like? (I think you like :beers: ), but I mean for a web-server?

1 Like

Don't get me wrong - I use Apache.
But I know what I'm doing with it and I know what it can do (and does "wrong").
I also use nginx.
I also use IIS.
But you are right... given the choice between them all...
I would choose a pint of :beer: LOL

1 Like
