Certificate not trusted because server chain is incorrect

According to the site: https://www.hardenize.com/, I have a problem with my certificates. This is the error they are reporting.

Certificate not trusted because server chain is incorrect. This certificate is delivered as part of an incorrect certificate chain. The problems in the chain render the certificate invalid too.

Can anyone explain to me exactly what the problem is?

Thanks!


Gerard

Not without further information, such as the actual domain name involved or which software is used as webserver and ACME client.

Fair enough. The domain name is: seibercom.net

This is an apache24 server being used on a FreeBSD-11.1 machine. I am using the “py27-certbot-0.19.0.1” port.


Gerard

```
Certificate chain
 0 s:/CN=seibercom.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=seibercom.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
```

Looks like you’re sending the leaf certificate twice.

How did you install the certificate? Manually?

Yes, I noticed that also. I put the info in the "httpd-ssl.conf" file. This is an excerpt of the file:

```apache
#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
SSLCertificateFile "/usr/local/etc/letsencrypt/live/seibercom.net/cert.pem"
#SSLCertificateFile "/usr/local/etc/apache24/server-dsa.crt"
#SSLCertificateFile "/usr/local/etc/apache24/server-ecc.crt"

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
SSLCertificateKeyFile "/usr/local/etc/letsencrypt/live/seibercom.net/privkey.pem"
#SSLCertificateKeyFile "/usr/local/etc/apache24/server-dsa.key"
#SSLCertificateKeyFile "/usr/local/etc/apache24/server-ecc.key"

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate.  Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
SSLCertificateChainFile "/usr/local/etc/letsencrypt/live/seibercom.net/fullchain.pem"
```

I think I can eliminate the “cert.pem” file. Does that sound correct?


Gerard

Depends on your Apache version. Since 2.4.8, the SSLCertificateChainFile directive (notice the "Chain" part) is deprecated.

If you use Apache version 2.4.8 or later, you should change SSLCertificateFile (notice the lack of "Chain") to fullchain.pem instead of the current cert.pem and delete SSLCertificateChainFile.
However, if you use version 2.4.7 or older, you should use both directives (SSLCertificateFile as well as SSLCertificateChainFile), but change fullchain.pem in SSLCertificateChainFile to chain.pem.

fullchain.pem includes cert.pem as well as chain.pem, that's why you're sending cert.pem twice now.
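The following is an added example, not code from this thread or from the certbot or Apache projects. It takes the "Certificate chain" listing that `openssl s_client -showcerts` prints (the one quoted earlier in the thread is embedded as a constructed sample), flags a certificate that is sent twice and any link where a certificate's issuer is not the subject of the next certificate, and then emits the directive set the answer above describes for a given Apache version. Function names, the version-comparison logic and the subject/issuer string comparison are my own assumptions; the listing carries no fingerprints, so "same subject and issuer" is only a heuristic for "same certificate".

```python
"""Sanity-check a served certificate chain and pick the matching Apache directives."""
import re

# Constructed sample: the listing quoted earlier in this thread.
SAMPLE_CHAIN = """\
Certificate chain
 0 s:/CN=seibercom.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 1 s:/CN=seibercom.net
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
 2 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
"""

ENTRY_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/CN=..."
ISSUER_RE = re.compile(r"^\s*i:(.*)$")          # "   i:/C=US/O=..."


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent the certificates."""
    chain = []
    lines = text.splitlines()
    for idx, line in enumerate(lines):
        m = ENTRY_RE.match(line)
        if not m:
            continue
        subject = m.group(2).strip()
        issuer = ""
        if idx + 1 < len(lines):
            im = ISSUER_RE.match(lines[idx + 1])
            if im:
                issuer = im.group(1).strip()
        chain.append((subject, issuer))
    return chain


def check_chain(chain):
    """Return a list of problems; an empty list means the chain links up cleanly.

    Heuristic (assumption): two entries with identical subject and issuer strings
    are treated as the same certificate sent twice.
    """
    problems = []
    first_seen = {}
    for pos, entry in enumerate(chain):
        if entry in first_seen:
            problems.append(
                f"cert {pos} repeats cert {first_seen[entry]} (subject {entry[0]})")
        else:
            first_seen[entry] = pos
    # Each certificate should be followed by the one that issued it.
    for pos in range(len(chain) - 1):
        issuer = chain[pos][1]
        next_subject = chain[pos + 1][0]
        if issuer != next_subject:
            problems.append(
                f"cert {pos} was issued by {issuer} but cert {pos + 1} is {next_subject}")
    return problems


def apache_directives(httpd_version, live_dir):
    """Directive lines for the certbot 'live' directory, per the fix given in the thread.

    Since Apache 2.4.8 SSLCertificateChainFile is deprecated and SSLCertificateFile
    should point at fullchain.pem; older versions need cert.pem plus chain.pem.
    """
    parts = tuple(int(p) for p in httpd_version.split(".")[:3])
    key = f'SSLCertificateKeyFile "{live_dir}/privkey.pem"'
    if parts >= (2, 4, 8):
        return [f'SSLCertificateFile "{live_dir}/fullchain.pem"', key]
    return [f'SSLCertificateFile "{live_dir}/cert.pem"',
            f'SSLCertificateChainFile "{live_dir}/chain.pem"', key]


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_CHAIN)
    for problem in check_chain(chain) or ["chain looks consistent"]:
        print(problem)
    # Version reported by "httpd -v" earlier in the thread.
    for line in apache_directives("2.4.29", "/usr/local/etc/letsencrypt/live/seibercom.net"):
        print(line)
```

Running it against the quoted listing reports the duplicated leaf at position 1 and the resulting broken link between positions 0 and 1; dropping the duplicate makes the check come back clean. To test a live server, feed the script the output of `openssl s_client -connect host:443 -servername host -showcerts` instead of the sample.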

According to “httpd -v”, I have version 2.4.29 installed.
