Certificate not trusted in Chrome / Safari. Chain issues incomplete

Hi, I have a website running in a DigitalOcean droplet. I created a certificate for my domain and subdomains long ago, and I usually renew them every 3 months. Never had an issue, apart from having to remember to stop nginx (to free port 80) and then run sudo certbot certonly --nginx -d [...], sudo certbot renew --dry-run.
Now I've noticed that my certificate is no longer secure when I try to access my web from Chrome or Safari. I tried going to SSL Server Test: app.superenvios.pe (Powered by Qualys SSL Labs) in order to get a certificate report. It seems to show that there is no DNS CAA.
I don't know why that would change suddenly, as I have not updated any configuration recently. I'm not too familiar with what a CAA is, so I'd appreciate any suggestions/help trying to address this issue.

My domain is: app.superenvios.pe

My web server is (include version): Nginx

The operating system my web server runs on is (include version): Ubuntu 18.04

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.31.0

Hi @mvergaray,

The CAA warning is an unrelated issue which isn't important here.

The message that's most likely to be important in that test is

Chain issues Incomplete

It seems your server isn't serving the intermediate certificate, which is especially important now because the old intermediate certificate that would have been used in the past has just expired.

Did you point your nginx configuration at the /etc/letsencrypt/live/app.superenvios.pe/fullchain.pem file, or did you copy this elsewhere on your system?

Hi @schoen, thanks for the reply.
This is how I have configured my subdomain in nginx. I set ssl_certificate and ssl_certificate_key. I don't remember pointing anywhere to the fullchain.pem file. What should I do there?

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    client_max_body_size 200M;
    server_name app.superenvios.pe;
    # cert.pem holds only the leaf certificate; no intermediate is served
    ssl_certificate /etc/letsencrypt/live/superenvios.pe/cert.pem;
    ssl_certificate_key /etc/letsencrypt/live/superenvios.pe/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_cache_bypass $http_upgrade;
    }
}

Change cert.pem to fullchain.pem and restart nginx. It should work then. :slight_smile:

4 Likes

Awesome man, I spent the whole day renewing it and diving into the web for this. I appreciate your help!
Would you be willing to give me a little more context on what the difference between both files is and why I would need to change the reference suddenly?

Thank you so much!

1 Like

I'm glad it worked for you!

Yes, there's a thing called an intermediate certificate (also called chain certificate or issuer certificate) which is used by the browser in validating certificates that web sites present. Usually intermediate certificates are supposed to be served by the web server. But most browsers also cache ones that they've seen before and attempt to use those in validation, especially if they don't receive a relevant intermediate certificate or certificates from the web site. This means that a site that doesn't provide the complete validation information will often still work on many web browsers, especially if it uses a relatively common and popular certificate authority, because those browsers will often know about the relevant intermediate certificates used by that certificate authority.

In this case, an intermediate certificate that was previously used by Let's Encrypt has just expired, which means that browsers that knew about that one before should no longer trust it. Let's Encrypt has been sending a new recommended intermediate certificate for a long time (many months!) and Certbot always saves the currently-recommended one in an appropriate place in /etc/letsencrypt/live, but if you manually set up your nginx or other web server application, you may not have referenced a file containing it—which was the case with your configuration.

In this case fullchain.pem is the combination of cert.pem (your certificate) plus chain.pem (the recommended chain of intermediate certificates). Certbot documentation always suggests using fullchain.pem instead of cert.pem, unless you're using some older software (like Apache 2.2 or certain chat applications, for example) that doesn't understand this combined format.

4 Likes
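Added example, not from the thread or from Certbot itself: a small POSIX shell script that makes the difference between cert.pem and fullchain.pem described above concrete, and gives a way to check both the files Certbot leaves behind (the question asked earlier about which file nginx points at) and what a running server actually sends. The demo directory and its PEM bodies are constructed stand-ins, not real certificates; on a real host the files live under /etc/letsencrypt/live/<name>/ and served_chain_length needs openssl and network access, which the demo does not use.

```shell
#!/bin/sh
# Added example (not from the thread): compare cert.pem with fullchain.pem and
# count the certificates a live server presents. All sample data is constructed.

# Count the PEM certificate blocks in a file ("|| true" keeps grep's exit status
# of 1 for "no matches" from aborting a script that runs under set -e).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Check a certbot "live" directory the way the thread describes it: cert.pem
# holds only the leaf, fullchain.pem holds the leaf plus the recommended
# intermediate(s). Returns 0 when fullchain.pem carries more certificates.
check_live_dir() {
    dir=$1
    leaf=$(count_certs "$dir/cert.pem")
    full=$(count_certs "$dir/fullchain.pem")
    if [ "$full" -gt "$leaf" ]; then
        echo "ok: cert.pem=$leaf cert(s), fullchain.pem=$full cert(s); point ssl_certificate at fullchain.pem"
        return 0
    fi
    echo "warn: fullchain.pem holds $full cert(s), same as cert.pem; no intermediate present"
    return 1
}

# Count how many certificates a live TLS server sends (needs openssl and network
# access; not used by the demo below). A result of 1 means only the leaf is
# served, which SSL Labs reports as "Chain issues: Incomplete".
served_chain_length() {
    host=$1
    openssl s_client -showcerts -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | grep -c '^-----BEGIN CERTIFICATE-----' || true
}

# Constructed demo layout mirroring what certbot writes: cert.pem, chain.pem,
# and fullchain.pem as the concatenation of the two. The PEM bodies are
# placeholders, not real certificates.
make_demo_live_dir() {
    dir=$(mktemp -d)
    leaf="-----BEGIN CERTIFICATE-----
ZGVtbyBsZWFmIGNlcnRpZmljYXRlIChub3QgcmVhbCk=
-----END CERTIFICATE-----"
    intermediate="-----BEGIN CERTIFICATE-----
ZGVtbyBpbnRlcm1lZGlhdGUgY2VydGlmaWNhdGUgKG5vdCByZWFsKQ==
-----END CERTIFICATE-----"
    printf '%s\n' "$leaf" > "$dir/cert.pem"
    printf '%s\n' "$intermediate" > "$dir/chain.pem"
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
    echo "$dir"
}

# A broken layout: someone copied cert.pem over fullchain.pem, so the
# intermediate is lost even though the "right" filename is referenced.
make_broken_live_dir() {
    dir=$(mktemp -d)
    src=$(make_demo_live_dir)
    cp "$src/cert.pem" "$dir/cert.pem"
    cp "$src/cert.pem" "$dir/fullchain.pem"
    echo "$dir"
}

DEMO_DIR=$(make_demo_live_dir)
BROKEN_DIR=$(make_broken_live_dir)
check_live_dir "$DEMO_DIR"
check_live_dir "$BROKEN_DIR" || echo "(expected: the copied layout fails the check)"
```

Run it as-is to see the two outcomes on the constructed directories; on a real host, call check_live_dir /etc/letsencrypt/live/<name> and served_chain_length <host> to confirm both that fullchain.pem carries the intermediate and that nginx is actually sending it after the ssl_certificate change and restart.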

This sounds like my problem. My certificates work on my new MacBook Air and on iPhone, but not on my old iMac 24 inch with El Capitan.
I have a Windows 2012 R server and I used win.acme when I updated the certificates.
The problem addresses are atervinnmera.se and manmade.se.
I don't know where I can find the cert.pem file so I can change it to fullchain.pem. Thanks.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.